Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: ciack043.htm

Buffer Overrun Vulnerabilities in Kerberos



Buffer Overrun Vulnerabilities in Kerberos Privacy and Legal Notice

CIAC

K-043b: Buffer Overrun Vulnerabilities in Kerberos

May 30, 2000 22:00 GMT
[Revision A 5/25/2000 Added Red Hat Linux RHSA-2000:025-08]
[Revision B 5/30/2000 Added FreeBSD FreeBSD-SA-00:20]


PROBLEM:       Security vulnerabilities were found in the krb_rd_req()
               function, the Kerberized Berkeley remote shell daemon (krshd),
               and the v4rcp and ksu programs.
PLATFORM:      Those running any of the following:
               (1) Systems running services authenticated via Kerberos 4.
               (2) Some systems running services authenticated via Kerberos 5.
               (3) Systems running the Kerberized remote shell daemon (krshd).
               (4) Systems with the Kerberos 5 ksu utility installed.
               (5) Systems with the Kerberos 5 v4rcp utility installed.
DAMAGE:        These vulnerabilities may allow users to gain root access.
SOLUTION:      Apply the patches as directed by the advisory.


VULNERABILITY The risk is HIGH. There is at least one known exploit that will ASSESSMENT: lead to a root compromise. These vulnerabilities have been discussed in public forums.


[ Start of CERT Advisory ]

CERT Advisory CA-2000-06 Multiple Buffer Overflows in Kerberos
Authenticated Services

   Original release date: May 17, 2000
   Last revised: --
   Source: The MIT Kerberos Team, CERT/CC

   A complete revision history is at the end of this file.

Systems Affected

     * Systems running services authenticated via Kerberos 4
     * Some systems running services authenticated via Kerberos 5
     * Systems running the Kerberized remote shell daemon (krshd)
     * Systems with the Kerberos 5 ksu utility installed
     * Systems with the Kerberos 5 v4rcp utility installed

Overview

   The CERT Coordination Center has recently been notified of several
   buffer overflow vulnerabilities in the Kerberos authentication
   software. The most severe vulnerability allows remote intruders to
   gain root privileges on systems running services using Kerberos
   authentication. If vulnerable services are enabled on the Key
   Distribution Center (KDC) system, the entire Kerberos domain may be
   compromised.

I. Description

   There are at least four distinct vulnerabilities in various versions
   and implementations of the Kerberos software. All of these
   vulnerabilities may be exploited to obtain root privileges.

Buffer overflow in krb_rd_req() library function

   This vulnerability is present in version 4 of Kerberos. It is also
   present in version 5 (in the version 4 compatibility code). This
   vulnerability can be exploited in services using version 4 or 5 when
   they perform version 4 authentication. This vulnerability may also be
   exploited locally via the v4rcp setuid root program of Kerberos 5.

   This vulnerability may be exploitable in version 4. This vulnerability
   is exploitable in version 5 in conjunction with the
   krb425_conv_principal() vulnerability, described below.

Buffer overflow in krb425_conv_principal() library function

   This vulnerability is present in version 5's backward compatibility
   code. This vulnerability is known to be exploitable in version 5 in
   conjunction with an exploit of the krb_rd_req() vulnerability.

Buffer overflow in krshd

   This vulnerability is only present in version 5. This vulnerability is
   not related to the previous two vulnerabilities.

Buffer overflow in ksu

   This vulnerability is only present in version 5, and is corrected in
   krb5-1.1.1 and krb5-1.0.7-beta1. The ksu vulnerability is unrelated to
   the other vulnerabilities.

The MIT Kerberos Team Advisory

   The MIT Kerberos Team described these vulnerabilities in detail in an
   advisory they recently issued. The text of this advisory is included
   below.

   |

SUMMARY

   Serious buffer overrun vulnerabilities exist in many implementations
   of Kerberos 4, including implementations included for backwards
   compatibility in Kerberos 5 implementations. Other less serious buffer
   overrun vulnerabilities have also been discovered. ALL KNOWN KERBEROS
   4 IMPLEMENTATIONS derived from MIT sources are believed to be
   vulnerable.

IMPACT

     * A remote user may gain unauthorized root access to a machine
       running services authenticated with Kerberos 4.
     * A remote user may gain unauthorized root access to a machine
       running krshd, regardless of whether the program is configured to
       accept Kerberos 4 authentication.
     * A local user may gain unauthorized root access by exploiting v4rcp
       or ksu.

DETAILS

   The MIT Kerberos Team has been made aware of a security vulnerability
   in the Kerberos 4 compatibility code contained within the MIT Kerberos
   5 source distributions. This vulnerability consists of a buffer
   overrun in the krb_rd_req() function, which is used by essentially all
   Kerberos-authenticated services that use Kerberos 4 for
   authentication. It is possible for an attacker to gain root access
   over the network by exploiting this vulnerability.

   An exploit is known to exist for the Kerberized Berkeley remote shell
   daemon (krshd) for at least the i386-Linux platform, and possibly
   others. The extent of distribution of this exploit is unknown at this
   time.

   Other buffer overruns have been discovered as well, though with less
   far-reaching impact.

   The existing exploit does not directly use the buffer overrun in
   krb_rd_req(); rather, it uses the buffer that was overrun by
   krb_rd_req() to exploit a second overrun in krb425_conv_principal().
   The krb_rd_req() code itself might not be exploitable once the overrun
   in krb425_conv_principal() is repaired, though it is likely that some
   other method of exploit may be found that does not require that an
   overrun exist in krb425_conv_principal().

VULNERABLE DISTRIBUTIONS AND PROGRAMS

   Source distributions which may contain vulnerable code include:
     * MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
     * MIT Kerberos 4 patch 10, and likely earlier releases as well
     * KerbNet (Cygnus implementation of Kerberos 5)
     * Cygnus Network Security (CNS -- Cygnus implementation of Kerberos
       4)

   Daemons or services that may call krb_rd_req() and are thus vulnerable
   to remote exploit include:

   krshd
          klogind (if accepting Kerberos 4 authentication)
          telnetd (if accepting Kerberos 4 authentication)
          ftpd (if accepting Kerberos 4 authentication)
          rkinitd
          kpopd

   In addition, it is possible that the v4rcp program, which is usually
   installed setuid to root, may be exploited by a local user to gain
   root access by means of exploiting the krb_rd_req vulnerability.

   The ksu program in some MIT Kerberos 5 releases has a vulnerability
   that may result in unauthorized local root access. This bug was fixed
   in krb5-1.1.1, as well as in krb5-1.0.7-beta1. Release krb5-1.1, as
   well as krb5-1.0.6 and earlier, are believed to be vulnerable.

   There is an unrelated buffer overrun in the krshd that is distributed
   with at least the MIT Kerberos 5 source distributions. It is not known
   whether an exploit exists for this buffer overrun. It is also not
   known whether this buffer overrun is actually exploitable.

WORKAROUNDS

   Certain daemons that are called from inetd may be safe from
   exploitation if their command line invocation is modified to exclude
   the use of Kerberos 4 for authentication. Please consult the manpages
   or other documentation for your Kerberos distribution in order to
   determine the correct command line for disabling Kerberos 4
   authentication. Daemons for which this approach may work include:

   krshd (*)
          klogind
          telnetd

   (*) The krshd program may still be vulnerable to remote attack if
   Kerberos 4 authentication is disabled, due to the unrelated buffer
   overrun mentioned above. It is best to disable the krshd program
   completely until a patched version can be installed.

   The v4rcp program should have its setuid permission removed, since it
   may be possible to perform a local exploit against it.

   The krb5 ksu program should have its setuid permission removed, if it
   was not compiled from krb5-1.1.1, krb5-1.0.7-beta1, or later code.
   Merely replacing the ksu binary with one compiled from krb5-1.1.1 or
   krb5-1.0.7-beta1 should be safe, provided that it is not compiled with
   shared libraries (the vulnerability is related to some library bugs).
   If ksu was compiled with shared libraries, it may be best to install a
   new release that has the library bug fixed.

   In the MIT Kerberos 5 releases, it may not be possible to disable
   Kerberos 4 authentication in the ftpd program. Note that only releases
   krb5-1.1 and later will have the ability to receive Kerberos 4
   authentication.

FIXES

   The best course of action is to patch the code in the krb4 library, in
   addition to patching the code in the krshd program. The following
   patches include some less essential patches that also affect buffer
   overruns in potentially vulnerable code, but for which exploits are
   somewhat more difficult to construct.

   Please note that there are two sets of patches in this file that apply
   against identically named files in two different releases. You should
   separate out the patch set that is relevant to you prior to applying
   them; otherwise, you may inadvertently patch some files twice.

   MIT will soon release krb5-1.2, which will have these changes
   incorporated.

PATCHES AGAINST krb5-1.0.x

   The following are patches against 1.0.7-beta1 (roughly). The most
   critical ones are:

   appl/bsd/krshd.c
          lib/krb4/rd_req.c
          lib/krb5/krb/conv_princ.c

   The rest are not as important but you may wish to apply them anyway
   out of paranoia. These patches may apply with a little bit of fuzz
   against releases prior to krb5-1.0.7-beta1, but there likely have not
   been significant changes in the affected code. These patches may also
   apply against KerbNet. The lib/krb4/rd_req.c patch may also apply
   against CNS and MIT Kerberos 4.

   [Patches to correct this issue in Kerberos version 5-1.0.x were
   included at this point in the MIT advisory. The CERT Coordination
   Center has made these patches available at the following link:

   http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt

   -- CERT/CC]
   |

PATCHES AGAINST krb5-1.1.1

   The following are patches against 1.1.1. The most critical ones are:

   appl/bsd/krshd.c
          lib/krb4/rd_req.c
          lib/krb5/krb/conv_princ.c

   IMPORTANT NOTE: If you are upgrading to krb5-1.1.1 (or krb5-1.1, but
   we recommend krb5-1.1.1 if you are going to upgrade at all) and
   compile the source tree with the --without-krb4 option, then you will
   also want to install the patch to login.c that is also provided below.

   The rest are not as important but you may wish to apply them anyway
   out of paranoia.

   [Patches to correct this issue in Kerberos version 5-1.1.1 were
   included at this point in the MIT advisory. The CERT Coordination
   Center has made these patches available at the following link:

   http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt

   -- CERT/CC]
   |

ACKNOWLEDGMENTS

   Thanks to Jim Paris (MIT class of 2003) for pointing out the
   krb_rd_req() vulnerability.

   Thanks to Nalin Dahyabhai of Redhat for pointing out some other buffer
   overruns and coming up with patches.

   The full text of the MIT Kerberos Team advisory is also available
   from:

   http://web.mit.edu/kerberos/www/advisories/krb4buf.txt

II. Impact

   The most significant impact of these vulnerabilities may allow a
   remote intruder to gain root access to systems running vulnerable
   services, including the KDC for the domain.

Buffer overflow in krb_rd_req() library function

   This vulnerability may be exploited by remote users to gain root
   privileges on systems running services linked against the vulnerable
   library. As MIT indicated, these services include (but may not be
   limited to):

   krshd
          klogind (if accepting Kerberos 4 authentication)
          telnetd (if accepting Kerberos 4 authentication)
          ftpd (if accepting Kerberos 4 authentication)
          rkinitd
          kpopd

   Local users can execute arbitrary code as root on systems where v4rcp
   is installed setuid root.

Buffer overflow in krb425_conv_principal() library function

   This vulnerability can be exploited by remote users in conjunction
   with the krb_rd_req vulnerability to gain root privileges on systems
   running services linked against the vulnerable library.

Buffer overflow in krshd

   Remote users may be able to execute arbitrary code as root on systems
   running a vulnerable version of krshd.

Buffer overflow in ksu

   Local users can can gain root privileges by exploiting the buffer
   overflow in ksu.

III. Solution

Apply a patch from your vendor

   Appendix A contains information provided by vendors for this advisory.
   We will update the appendix as we receive more information. If you do
   not see your vendor's name, the CERT/CC did not hear from that vendor.
   Please contact your vendor directly.

Apply the MIT patches

   If you are running the Kerberos 5 distribution from MIT, and can
   rebuild your binaries from source, you can apply the source code
   patches from MIT to correct these problems.

   If you are running Kerberos version 4, you may be able to patch your
   source code based on the version 5 patch provided by MIT. Only the
   patches for the krb_rd_req() vulnerability need to be applied to
   version 4 to address the issues described in this advisory.

   With either version, you will need to recompile the libraries and the
   vulnerable programs (krshd and ksu). You will also need to recompile
   any programs that have been statically linked with the vulnerable
   libraries. In version 4, you should also recompile the KDC server
   software.

   These patches are available at:

   http://www.cert.org/advisories/CA-2000-06/mit_10x_patch.txt
          http://www.cert.org/advisories/CA-2000-06/mit_111_patch.txt

Disable version 4 authentication in version 5 if possible

   As suggested by MIT, version 4 authentication in some daemons can be
   disabled at run time by supplying command line options to these
   programs when started by inetd. This approach may work for the
   following daemons:

   krshd
          klogind
          telnetd

   This addresses the krb_rd_req() and krb425_conv_principal()
   vulnerabilities. Note that krshd may still be vulnerable to the krshd
   specific vulnerability described in this document.

Upgrade to MIT Kerberos 5 version 1.2

   The vulnerabilities described in this advisory will be addressed in
   Kerberos 5 version 1.2. This version will be available from the MIT
   Kerberos web site:

   http://web.mit.edu/kerberos/www/

Appendix A. Vendor Information

Microsoft Corporation

   No Microsoft products are affected by this vulnerability.

MIT Kerberos

   The MIT Kerberos Team advisory on this topic is available from:

   http://web.mit.edu/kerberos/www/advisories/krb4buf.txt

NetBSD

   NetBSD has two codebases for crypto software, a legacy of the US's
   export laws until recently (and also some patent issues).

   The crypto-intl tree intended for use by those outside the US was not
   affected.

   For the crypto-us tree,
     * krb5 was not affected
     * krb4 was affected, and has been fixed in NetBSD-current since
       Jeff's announcement; this fix is making it's way into the 1.4.x
       release branch. We will release an advisory and patches shortly.

   In summary, users of NetBSD releases 1.4.2 and earlier or -current up
   until yesterday, who have installed the crypto-us "secr" set and who
   have enabled kerberos4, are vulnerable.

OpenBSD

   OpenBSD uses the KTH Kerberos distribution, which has been reported to
   be not vulnerable.

Washington University

   We do not distribute any "default" binaries which uses Kerberos. In
   order to get Kerberos support, you must rebuild the software
   specifically to use Kerberos (the default build will not use
   Kerberos).

   We believe that the University of Washington IMAP and POP3 servers are
   not vulnerable. The message from MIT specifically stated that the
   problem was in the Kerberos 4 routines from MIT.

   Kerberos support in these servers is based upon Kerberos 5, not
   Kerberos 4. UW imapd/ipop3d only uses GSSAPI and Kerberos 5 calls;
   Kerberos 4 routines are never called.

   There is an unsupported, contributed code, module for Kerberos 4
   available in our software, but that is client only. We are not aware
   of the existence of any Kerberos 4 server code for UW imapd/ipop3d.
     _________________________________________________________________

   The CERT Coordination Center thanks Jeff Schiller and the MIT Kerberos
   Team for notifying us about this problem and their help in developing
   this advisory.
     _________________________________________________________________

   Cory Cohen and Jeff Havrilla were the primary authors of the CERT/CC
   portions of this document.
   ______________________________________________________________________

   This document is available from:
   http://www.cert.org/advisories/CA-2000-06.html
   ______________________________________________________________________

CERT/CC Contact Information

   Email: cert@cert.org
          Phone: +1 412-268-7090 (24-hour hotline)
          Fax: +1 412-268-6989
          Postal address:
          CERT Coordination Center
          Software Engineering Institute
          Carnegie Mellon University
          Pittsburgh PA 15213-3890
          U.S.A.

   CERT personnel answer the hotline 08:00-20:00 EST(GMT-5) / EDT(GMT-4)
   Monday through Friday; they are on call for emergencies during other
   hours, on U.S. holidays, and on weekends.

Using encryption

   We strongly urge you to encrypt sensitive information sent by email.
   Our public PGP key is available from

   http://www.cert.org/CERT_PGP.key

   If you prefer to use DES, please call the CERT hotline for more
   information.

Getting security information

   CERT publications and other security information are available from
   our web site

   http://www.cert.org/

   To be added to our mailing list for advisories and bulletins, send
   email to cert-advisory-request@cert.org and include SUBSCRIBE
   your-email-address in the subject of your message.

   * "CERT" and "CERT Coordination Center" are registered in the U.S.
   Patent and Trademark Office.
   ______________________________________________________________________

   NO WARRANTY
   Any material furnished by Carnegie Mellon University and the Software
   Engineering Institute is furnished on an "as is" basis. Carnegie
   Mellon University makes no warranties of any kind, either expressed or
   implied as to any matter including, but not limited to, warranty of
   fitness for a particular purpose or merchantability, exclusivity or
   results obtained from use of the material. Carnegie Mellon University
   does not make any warranty of any kind with respect to freedom from
   patent, trademark, or copyright infringement.
     _________________________________________________________________

   Conditions for use, disclaimers, and sponsorship information

   Copyright 2000 Carnegie Mellon University, portions copyright MIT
   University.

   Revision History
May 17, 2000:  Initial release

[ End of CERT Advisory ]

______________________________________________________________________________

The following advisory was taken on 25 May 2000 from the URL

     http://www.redhat.com/support/errata/RHSA-2000-025.html

The URL was accessed through the Red Hat Linux Errata URL at

     http://www.redhat.com/support/errata/index.html

[ Start of Red Hat Linux Advisory RHSA-2000:025-08 ]

Synopsis:  Updated Kerberos 5 packages are now available for Red Hat Linux.

Advisory ID:  RHSA-2000:025-08

Issue Date:  2000-05-16

Updated on:  2000-05-18

Product:  Red Hat Linux

Keywords:  N/A

Cross References:  N/A

1. Topic:

Security vulnerabilities have been found in the Kerberos 5 implementation
shipped with Red Hat Linux 6.2.

2. Problem description:

A number of possible buffer overruns were found in libraries included in the
affected packages. A denial-of-service vulnerability was also found in the
ksu program.

* A remote user may gain unauthorized root access to a machine running
services authenticated with Kerberos 4.

* A remote user may gain unauthorized root access to a machine running krshd,
regardless of whether the program is configured to accept Kerberos 4
authentication.

* A local user may gain unauthorized root access by exploiting v4rcp or ksu.

A packaging error was discovered in the original set of updates. This set of
update packages includes no functional differences compared to the
previously-released set.

3. Bug IDs fixed: (see bugzilla for more information)

10653 - 'stat' unresolved on "libkrb5.so.2.2" load
11496 - security-updated krb5 packages fail dependencies

4. Relevant releases/architectures:

Red Hat Linux 6.2 - i386 alpha sparc

5. RPMs required:

Red Hat Linux 6.2:

intel:
ftp://ftp.redhat.com/6.2/i386/krb5-configs-1.1.1-16.i386.rpm
ftp://ftp.redhat.com/6.2/i386/krb5-devel-1.1.1-16.i386.rpm
ftp://ftp.redhat.com/6.2/i386/krb5-libs-1.1.1-16.i386.rpm
ftp://ftp.redhat.com/6.2/i386/krb5-server-1.1.1-16.i386.rpm
ftp://ftp.redhat.com/6.2/i386/krb5-workstation-1.1.1-16.i386.rpm

alpha:
ftp://ftp.redhat.com/6.2/alpha/krb5-configs-1.1.1-16.alpha.rpm
ftp://ftp.redhat.com/6.2/alpha/krb5-devel-1.1.1-16.alpha.rpm
ftp://ftp.redhat.com/6.2/alpha/krb5-libs-1.1.1-16.alpha.rpm
ftp://ftp.redhat.com/6.2/alpha/krb5-server-1.1.1-16.alpha.rpm
ftp://ftp.redhat.com/6.2/alpha/krb5-workstation-1.1.1-16.alpha.rpm

sparc:
ftp://ftp.redhat.com/6.2/sparc/krb5-configs-1.1.1-16.sparc.rpm
ftp://ftp.redhat.com/6.2/sparc/krb5-devel-1.1.1-16.sparc.rpm
ftp://ftp.redhat.com/6.2/sparc/krb5-libs-1.1.1-16.sparc.rpm
ftp://ftp.redhat.com/6.2/sparc/krb5-server-1.1.1-16.sparc.rpm
ftp://ftp.redhat.com/6.2/sparc/krb5-workstation-1.1.1-16.sparc.rpm

6. Solution:

For each RPM for your particular architecture, run:

rpm -Fvh [filename]

where filename is the name of the RPM.

7. Verification:

MD5 sum                           Package Name
- -------------------------------------------------------------------------
4baa2dd96f7657285f3c2c198e2bac40  6.2/alpha/krb5-configs-1.1.1-16.alpha.rpm
2dae166f04584a45154e87bacccd2255  6.2/alpha/krb5-devel-1.1.1-16.alpha.rpm
cb6207296553c05fd4fbb8e0708f9199  6.2/alpha/krb5-libs-1.1.1-16.alpha.rpm
89e3ef03e4d067a807b057ac0c2fd2e6  6.2/alpha/krb5-server-1.1.1-16.alpha.rpm
8f54621b1eabfcb3e440858063947c29
                       6.2/alpha/krb5-workstation-1.1.1-16.alpha.rpm
fa04878ec530e0e8b42741bf74fbbb9d  6.2/i386/krb5-configs-1.1.1-16.i386.rpm
3f51c3141a4fcbdc03fc865f0e111c29  6.2/i386/krb5-devel-1.1.1-16.i386.rpm
c2f40d1858d8e13f825cea0b8228e89e  6.2/i386/krb5-libs-1.1.1-16.i386.rpm
cb794eb8477b9bebc0feb5030e6754c5  6.2/i386/krb5-server-1.1.1-16.i386.rpm
aaa159ad746cac605da050b2e440840f  6.2/i386/krb5-workstation-1.1.1-16.i386.rpm
acaf9130f3d0ed56ae1c444482c9ab57  6.2/sparc/krb5-configs-1.1.1-16.sparc.rpm
4d35c4294c38c4297001f04842a1d9cf  6.2/sparc/krb5-devel-1.1.1-16.sparc.rpm
93022952876e2fb5f73248e5be739322  6.2/sparc/krb5-libs-1.1.1-16.sparc.rpm
fd8dcb69e828f8a2d63543bfaee4c945  6.2/sparc/krb5-server-1.1.1-16.sparc.rpm
98ed42725c3574d4e5b4024dd65fd8fd
                       6.2/sparc/krb5-workstation-1.1.1-16.sparc.rpm

These packages are GPG signed by Red Hat, Inc. for security. Our key is
available at:

http://www.redhat.com/about/contact.html

You can verify each package with the following command:

rpm --checksig filename

If you only wish to verify that each package has not been corrupted
or tampered with, examine only the md5sum with the following command:

rpm --checksig --nogpg filename

Note that you need RPM >= 3.0 to check GnuPG keys.

8. References:

http://www.securityfocus.com/bid/1220

Copyright  2000 Red Hat, Inc. All rights reserved.

[ End of Red Hat Linux Advisory RHSA-2000:025-08 ]
______________________________________________________________________________

[ Start of FreeBSD Advisory FreeBSD-SA-00:20]

=============================================================================
FreeBSD-SA-00:20                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:          krb5 port contains remote and local root exploits.

Category:       ports
Module:         krb5
Announced:      2000-05-26
Credits:        Jeffrey I. Schiller 
Affects:        Ports collection prior to the correction date
Corrected:      2000-05-17
Vendor status:  Patch released
FreeBSD only:   NO

I.   Background

MIT Kerberos 5 is an implementation of the Kerberos 5 protocol which
is available in the FreeBSD ports collection as the security/krb5
port. FreeBSD also includes separately-developed Kerberos 4 and 5
implementations from KTH, which are optionally installed as part of
the base system (KTH Heimdal, the Kerberos 5 implementation, is
currently considered "experimental" software).

II.  Problem Description

The MIT Kerberos 5 port, versions 1.1.1 and earlier, contains several
remote and local buffer overflows which can lead to root compromise.

Note that the implementations of Kerberos shipped in the FreeBSD base
system are separately-developed software to MIT Kerberos and are
believed not to be vulnerable to these problems.

However, a very old release of FreeBSD dating from 1997 (FreeBSD
2.2.5) did ship with a closely MIT-derived Kerberos implementation
("eBones") and may be vulnerable to attacks of the kind described
here. Any users still using FreeBSD 2.2.5 and who have installed the
optional Kerberos distribution are urged to upgrade to 2.2.8-STABLE or
later. Note however that FreeBSD 2.x is no longer an officially
supported version, nor are security fixes always provided.

The krb5 port is not installed by default, nor is it "part of FreeBSD"
as such: it is part of the FreeBSD ports collection, which contains
nearly 3300 third-party applications in a ready-to-install format. The
ports collection shipped with FreeBSD 4.0 contains this problem since
it was discovered after the release.

FreeBSD makes no claim about the security of these third-party
applications, although an effort is underway to provide a security
audit of the most security-critical ports.

III. Impact

Local or remote users can obtain root access on the system running krb5.

If you have not chosen to install the krb5 port, then your system is
not vulnerable to this problem.

IV.  Workaround

Due to the nature of the vulnerability there are several programs and
network services which are affected. If recompiling the port is not
practical, please see the MIT Kerberos advisory for suggested
workarounds (including the disabling or adjustment of services and
removal of setuid permissions on vulnerable binaries). The advisory
can be found at the following location:

http://web.mit.edu/kerberos/www/advisories/krb4buf.txt

V.   Solution

1) Upgrade your entire ports collection and rebuild the krb5 port. A
package is not provided for this port for export control reasons.

2) download a new port skeleton for the krb5 port from:

http://www.freebsd.org/ports/

and use it to rebuild the port.

3) Use the portcheckout utility to automate option (3) above. The
portcheckout port is available in /usr/ports/devel/portcheckout or the
package can be obtained from:

ftp://ftp.freebsd.org/pub/FreeBSD/ports/packages/devel/portcheckout-1.0.tgz

[ End of FreeBSD Advisory FreeBSD-SA-00:20]


CIAC wishes to acknowledge the contributions of CERT, Red Hat Linux, and FreeBSD for the information contained in this bulletin.



CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:

    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     http://ciac.llnl.gov
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     ciac.llnl.gov
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
UCRL-MI-119788
[Privacy and Legal Notice]


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH