<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.encryption.kerberos.announce">
    <title>gmane.comp.encryption.kerberos.announce</title>
    <link>http://blog.gmane.org/gmane.comp.encryption.kerberos.announce</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/134"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/133"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/132"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/131"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/130"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/129"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/128"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/127"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/126"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/125"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/124"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/123"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/122"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/121"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/120"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/119"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/118"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/117"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/116"/>
        <rdf:li rdf:resource="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/115"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/134">
    <title>krb5-1.10.1 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/134</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.10.1.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.10.1
====================================

You may retrieve the Kerberos 5 Release 1.10.1 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.10.1 release is:

        http://web.mit.edu/kerberos/krb5-1.10/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.10.1
=======================

This is a bugfix release.

* Fix access controls for KDB string attributes [CVE-2012-1012]

* Make the ASN.1 encoding of key version numbers interoperate with
  Windows Read-Only Domain Controllers

* Avoid generating spurious password expiry warnings in cases where
  the KDC sends an account expiry time without a password expiry time.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk9ZJkIACgkQSO8fWy4vZo6P5gCdF9vBrtmbVVnkG6iM9LsSiZnX
axUAn1tsNrCC5i/iXkUvlYncDEnZ3Wqb
=diUs
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2012-03-08T21:35:56</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/133">
    <title>krb5-1.8.6 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/133</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.8.6.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.8.6
===================================

You may retrieve the Kerberos 5 Release 1.8.6 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.8.6 release is:

        http://web.mit.edu/kerberos/krb5-1.8/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The krb5-1.8 release disables single-DES cryptosystems by default.  As
a result, you may need to add the libdefaults setting
"allow_weak_crypto = true" to communicate with existing Kerberos
infrastructures if they do not support stronger ciphers.

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which now defaults to "false"
beginning with krb5-1.8.  The krb5-1.8 release includes additional
measures to ease the transition away from single-DES.  These
additional measures include:

* enctype config enhancements (so you can do "DEFAULT +des", etc.)
* new API to allow applications (e.g. AFS) to explicitly reenable weak
  crypto
* easier kadmin history key changes

Major changes in 1.8.6
======================

This is primarily a bugfix release.

* Fix an interaction in iprop that could cause spurious excess kadmind
  processes when a kprop child fails.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk8wpjwACgkQSO8fWy4vZo733wCg8gm/QrkkplJ/8ogC1eZCXkTx
ZngAn0jdCyz2jUP7IAEzrgiQgIkjBelq
=CXpD
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2012-02-07T04:19:04</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/132">
    <title>krb5-1.9.3 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/132</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.9.3.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.9.3
===================================

You may retrieve the Kerberos 5 Release 1.9.3 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.9.3 release is:

        http://web.mit.edu/kerberos/krb5-1.9/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.9.3
======================

This is primarily a bugfix release.

* Fix MITKRB5-SA-2011-007 KDC null pointer dereference in TGS handling
  [CVE-2011-1530].

* Fix an interaction in iprop that could cause spurious excess kadmind
  processes when a kprop child fails.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk8wm8YACgkQSO8fWy4vZo7LawCg01DQygsFeWMeC91tXd+yF2hB
PYIAoL1mqiGWis3Wlcqq33GMs5WEHsAX
=bX1X
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2012-02-07T03:34:26</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/131">
    <title>krb5-1.10 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/131</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.10.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.10
==================================

You may retrieve the Kerberos 5 Release 1.10 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.10 release is:

        http://web.mit.edu/kerberos/krb5-1.10/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.10
=====================

Additional background information on these changes may be found at

    http://k5wiki.kerberos.org/wiki/Release_1.10

and

    http://k5wiki.kerberos.org/wiki/Category:Release_1.10_projects

Code quality:

* Fix MITKRB5-SA-2011-006 and MITKRB5-SA-2011-007 KDC denial of
  service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529
  CVE-2011-1530].

* Update the Fortuna implementation to more accurately implement the
  description in _Cryptography Engineering_, and make it the default
  PRNG.

* Add an alternative PRNG that relies on the OS native PRNG.

Developer experience:

* Add the ability for GSSAPI servers to use any keytab key for a
  specified service, if the server specifies a host-based name with no
  hostname component.

* In the build system, identify the source files needed for
  per-message processing within a kernel and ensure that they remain
  independent.

* Allow rd_safe and rd_priv to ignore the remote address.

* Rework KDC and kadmind networking code to use an event loop
  architecture.

* Add a plugin interface for providing configuration information.

Administrator experience:

* Add more complete support for renaming principals.

* Add the profile variable ignore_acceptor_hostname in libdefaults. If
  set, GSSAPI will ignore the hostname component of acceptor names
  supplied by the server, allowing any keytab key matching the service
  to be used.

* Add support for string attributes on principal entries.

* Allow password changes to work over NATs.

End-user experience:

* Add the DIR credential cache type, which can hold a collection of
  credential caches.

* Enhance kinit, klist, and kdestroy to support credential cache
  collections if the cache type supports it.

* Add the kswitch command, which changes the selected default cache
  within a collection.

* Add heuristic support for choosing client credentials based on the
  service realm.

* Add support for $HOME/.k5identity, which allows credential choice
  based on configured rules.

* Add support for localization. (No translations are provided in this
  release, but the infrastructure is present for redistributors to
  supply them.)

Protocol evolution:

* Make PKINIT work with FAST in the client library.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk8jHVMACgkQSO8fWy4vZo6BEwCgqArxE1UmP446FB7R4r2xT1Qx
8BUAn2DbTphHnZGwWfJWr+7s6aWGUnO6
=/hE4
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2012-01-27T21:55:27</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/130">
    <title>krb5-appl-1.0.3 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/130</link>
    <description>&lt;pre&gt;Version 1.0.3 of the krb5-appl package has been released.  This
package contains the Kerberized versions of telnet, ftp, and the
rlogin suite.  The new release can be found at:

  http://web.mit.edu/kerberos/dist/

This is a security bugfix release, with the following change:

  * Fix MITKRB5-SA-2011-008 (CVE-2011-4862).
&lt;/pre&gt;</description>
    <dc:creator>ghudson&lt; at &gt;mit.edu</dc:creator>
    <dc:date>2011-12-27T17:24:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/129">
    <title>MITKRB5-SA-2011-008 buffer overflow in telnetd [CVE-2011-4862]</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/129</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-008

MIT krb5 Security Advisory 2011-008
Original release: 2011-12-26
Last update: 2011-12-26

Topic: buffer overflow in telnetd

CVE-2011-4862

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:F/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  8.3

Exploitability:         Functional
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

The telnet daemon (telnetd) in MIT krb5 (and in krb5-appl after the
applications were moved to a separate distribution for krb5-1.8) is
vulnerable to a buffer overflow.  The flaw does not require
authentication to exploit.  Exploit code is reported to be actively
used in the wild.

IMPACT
======

An unauthenticated remote attacker can cause a buffer overflow and
probably execute arbitrary code with the privileges of the telnet
daemon (normally root).

AFFECTED SOFTWARE
=================

* The telnet daemon in all releases of MIT krb5 prior to krb5-1.8 is
  vulnerable.  Later releases moved the telnet code to the krb5-appl
  distribution.

* The telnet daemon in all releases of krb5-appl is vulnerable.

FIXES
=====

* Workaround: Disable telnet and use a more secure remote login
  solution, such as SSH.

* A future release of krb5-appl will fix this vulnerability.

* Apply the following patch:

diff --git a/telnet/libtelnet/encrypt.c b/telnet/libtelnet/encrypt.c
index f75317d..b8d6cdd 100644
- --- a/telnet/libtelnet/encrypt.c
+++ b/telnet/libtelnet/encrypt.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -757,6 +757,9 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; static void encrypt_keyid(kp, keyid, len)
 int dir = kp-&amp;gt;dir;
 register int ret = 0;
 
+if (len &amp;gt; MAXKEYLEN)
+len = MAXKEYLEN;
+
 if (!(ep = (*kp-&amp;gt;getcrypt)(*kp-&amp;gt;modep))) {
 if (len == 0)
 return;
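
Review bot: the new clamp at the top of encrypt_keyid() silently
truncates an over-long key ID to MAXKEYLEN and carries on, so a
malformed ENCRYPT suboption is still processed with a shortened ID.
Consider rejecting the suboption (return early, ideally with a log
entry) when len exceeds MAXKEYLEN.  The old-style signature in the hunk
header does not show the type of len; if it is signed, a lower-bound
check belongs next to this one.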


  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-008-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-008-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-008.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE: CVE-2011-4862
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-4862

http://lists.freebsd.org/pipermail/freebsd-security/2011-December/006117.html

ACKNOWLEDGMENTS
===============

We became aware of this vulnerability through a FreeBSD security
advisory.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;

DETAILS
=======

If the telnetd receives an ENCRYPT suboption that includes a key ID,
encrypt_keyid() in libtelnet/encrypt.c copies the suboption contents
into a fixed-size static buffer without first constraining the length,
leading to a buffer overflow.

REVISION HISTORY
================

2011-12-26      original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk744dsACgkQSO8fWy4vZo6oOACdFW96Ei5AHXbXHBsHaax6tiEE
8AIAoJjMKx/2cbcLiTlHYiN3ypy8XF4S
=acqN
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-12-26T21:14:12</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/128">
    <title>MITKRB5-SA-2011-007 KDC null pointer dereference in TGS handling [CVE-2011-1530]</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/128</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-007

MIT krb5 Security Advisory 2011-007
Original release: 2011-12-06
Last update: 2011-12-06

Topic: KDC null pointer dereference in TGS handling


CVE-2011-1530
KDC null pointer dereference in TGS handling

CVSSv2 Vector:          AV:N/AC:L/Au:S/C:N/I:C/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      6.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  5.9

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

In releases krb5-1.9 and later, the KDC can crash due to a null
pointer dereference in code that handles TGS (Ticket Granting Service)
requests.  The trigger condition is trivial to produce using
unmodified client software, but requires the ability to authenticate
as a principal in the KDC's realm.

IMPACT
======

An authenticated remote attacker can crash a KDC via null pointer
dereference.

AFFECTED SOFTWARE
=================

* The KDC in krb5-1.9 and later is vulnerable.  Earlier releases
  predate the internal interface changes that led to this
  vulnerability.

FIXES
=====

* Workaround: restart the KDC when it crashes, possibly using an
  automated monitoring process.

* Apply the patch:

diff --git a/src/kdc/Makefile.in b/src/kdc/Makefile.in
index f46cad3..102fbaa 100644
- --- a/src/kdc/Makefile.in
+++ b/src/kdc/Makefile.in
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -67,6 +67,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; check-unix:: rtest
 
 check-pytests::
 $(RUNPYTEST) $(srcdir)/t_workers.py $(PYTESTFLAGS)
+$(RUNPYTEST) $(srcdir)/t_emptytgt.py $(PYTESTFLAGS)
 
 install::
 $(INSTALL_PROGRAM) krb5kdc ${DESTDIR}$(SERVER_BINDIR)/krb5kdc
diff --git a/src/kdc/do_tgs_req.c b/src/kdc/do_tgs_req.c
index c169c54..840a2ef 100644
- --- a/src/kdc/do_tgs_req.c
+++ b/src/kdc/do_tgs_req.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -243,7 +243,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; tgt_again:
                     if (!tgs_1 || !data_eq(*server_1, *tgs_1)) {
                         errcode = find_alternate_tgs(request, &amp;amp;server);
                         firstpass = 0;
- -                        goto tgt_again;
+                        if (errcode == 0)
+                            goto tgt_again;
                     }
                 }
                 status = "UNKNOWN_SERVER";
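
Review bot: with the goto now guarded by errcode == 0, every failure
from find_alternate_tgs() falls through to status = "UNKNOWN_SERVER",
so an error that is not a missing-principal result is reported under
the same status as a genuinely unknown server.  Consider a distinct
status string for that path, or at least a comment at the fallthrough
saying that errcode is deliberately kept and reported from here.
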
diff --git a/src/kdc/t_emptytgt.py b/src/kdc/t_emptytgt.py
new file mode 100644
index 0000000..1760bcd
- --- /dev/null
+++ b/src/kdc/t_emptytgt.py
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -0,0 +1,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+    fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')
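
Review bot: the 'krbtgt/' argument in the realm.run_as_client() call is
the whole point of this test but is unexplained; add a comment saying
that the empty realm component is what drives the KDC into the
alternate-TGS lookup this change fixes.  The fail() message would also
be more useful if it included the captured output.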


  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-007-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-007-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-007.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE: CVE-2011-1530
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1530

ACKNOWLEDGMENTS
===============

Simo Sorce discovered this vulnerability.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;

DETAILS
=======

The process_tgs_req() function in the KDC has logic that attempts to
find an alternative service principal if the service principal in the
client's TGS-REQ is unknown.  If the find_alternate_tgs() helper
function returns an error that is not KRB5_KDB_NOENTRY, it leaves the
server variable holding a null pointer.  The process_tgs_req()
function improperly ignores that error, and proceeds to call functions
that dereference the null pointer.

Prior to krb5-1.9, the krb5_db_get_principal() function and related
interfaces had output parameters "more" and "nprincs".  The krb5-1.9
release includes changes to these interfaces so that they no longer
have those outputs.  Prior to krb5-1.9, the find_alternate_tgs()
function in the KDC had a void return type, and indicated failure by
setting its "more" and "nprincs" outputs appropriately.  Its interface
changed in krb5-1.9 to instead return an error code, with
corresponding changes to process_tgs_req(); these changes to
process_tgs_req() were flawed and allow errors other than
KRB5_KDB_NOENTRY to cause a null pointer dereference.

The vulnerable code executes after the KDC authenticates the request,
so an attacker must have first obtained valid initial Kerberos
credentials for the target realm.

REVISION HISTORY
================

2011-12-06      original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iQCVAgUBTt5mYabDgE/zdoE9AQIuKAQA0K1YUeTKjEIVjEIufpTanNoipQiWRNCE
alUjkcxQeD3yFK8LU6yKcs0CdTI60FDst3788tUtoGDdwpnbc90Rv8EID00VtgEc
0rI4Nfe32MxP/UlNNVRinWkwtDLWeh1gKQOPXAjeapKQcWAFB3tM/haRnDgCu49I
snM0jQSBFgA=
=FK9G
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-12-06T19:07:40</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/127">
    <title>krb5-1.8.5 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/127</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.8.5.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.8.5
===================================

You may retrieve the Kerberos 5 Release 1.8.5 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.8.5 release is:

        http://web.mit.edu/kerberos/krb5-1.8/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The krb5-1.8 release disables single-DES cryptosystems by default.  As
a result, you may need to add the libdefaults setting
"allow_weak_crypto = true" to communicate with existing Kerberos
infrastructures if they do not support stronger ciphers.

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which now defaults to "false"
beginning with krb5-1.8.  The krb5-1.8 release includes additional
measures to ease the transition away from single-DES.  These
additional measures include:

* enctype config enhancements (so you can do "DEFAULT +des", etc.)
* new API to allow applications (e.g. AFS) to explicitly reenable weak
  crypto
* easier kadmin history key changes

Major changes in 1.8.5
======================

This is primarily a bugfix release.

* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
  [CVE-2011-1528 CVE-2011-1529 CVE-2011-4151].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk60euMACgkQSO8fWy4vZo6cWwCgnI+NCZL5w57eJl0LMaA1c7sP
e7QAoP1HGOo7E8y6izIqpZI48oZ8mXEr
=PtM0
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-11-04T23:53:03</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/126">
    <title>krb5-1.9.2 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/126</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.9.2.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.9.2
===================================

You may retrieve the Kerberos 5 Release 1.9.2 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.9.2 release is:

        http://web.mit.edu/kerberos/krb5-1.9/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.9.2
======================

This is primarily a bugfix release.

* Improve KDC performance by fully disabling its replay cache.

* Fix MITKRB5-SA-2011-006 KDC denial of service vulnerabilities
  [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529].
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk6xyroACgkQSO8fWy4vZo47BACfW35se6Bez3ZAUtGuoYihiQ6F
BWIAoJonCFylfxwTJX7SBjYSFy4JmaWE
=QMUj
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-11-02T22:56:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/125">
    <title>MITKRB5-SA-2011-006 KDC denial of service vulnerabilities [CVE-2011-1527 CVE-2011-1528 CVE-2011-1529]</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/125</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-006

MIT krb5 Security Advisory 2011-006
Original release: 2011-10-18
Last update: 2011-10-18

Topic: KDC denial of service vulnerabilities

CVE-2011-1527: null pointer dereference in KDC LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2011-1528: assertion failure in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

CVE-2011-1529: null pointer dereference in multiple KDC back ends

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.1

SUMMARY
=======

CVE-2011-1527: In releases krb5-1.9 and later, the KDC can crash due
to a null pointer dereference if configured to use the LDAP back end.
A trigger condition is publicly known but not known to be widely
circulated.

CVE-2011-1528: In releases krb5-1.8 and later, the KDC can crash due
to an assertion failure.  No exploit is known to exist, but there is
public evidence that the unidentified trigger condition occurs in the
field.

CVE-2011-1529: In releases krb5-1.8 and later, the KDC can crash due
to a null pointer dereference.  No exploit is known to exist.

IMPACT
======

CVE-2011-1527: An unauthenticated remote attacker can crash a KDC
daemon via null pointer dereference if the KDC is configured to use
the LDAP back end.  (This is not the default configuration.)

CVE-2011-1528: An unauthenticated remote attacker can crash a KDC
daemon via assertion failure.

CVE-2011-1529: An unauthenticated remote attacker can crash a KDC
daemon via null pointer dereference.

AFFECTED SOFTWARE
=================

* The KDC in krb5-1.9 and later is vulnerable to CVE-2011-1527 when
  configured with the LDAP back end.  Earlier releases had different
  code that masked this bug and did not crash under these conditions.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1528 when
  configured with the LDAP back end.  When configured with the
  Berkeley DB ("db2") back end, only releases krb5-1.8 through
  krb5-1.8.4 are vulnerable.

* The KDC in krb5-1.8 and later is vulnerable to CVE-2011-1529 when
  configured with either the Berkeley DB ("db2") or the LDAP back end.

FIXES
=====

* Workaround: restart the KDC when it crashes, possibly using an
  automated monitoring process.

* An upcoming release in the krb5-1.9.x series will fix CVE-2011-1527.

* Upcoming releases in the krb5-1.8.x and krb5-1.9.x series will fix
  CVE-2011-1528 and CVE-2011-1529.

* The patch for krb5-1.9.x is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch.txt.asc


* The patch for krb5-1.8.x is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-006-patch-r18.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-006.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE: CVE-2011-1527
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1527

CVE: CVE-2011-1528
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1528

CVE: CVE-2011-1529
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1529

Debian bug #629558:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=629558

Ubuntu bug #715579:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/715579

ACKNOWLEDGMENTS
===============

CVE-2011-1527: Nalin Dahyabhai and Andrej Ota independently reported
this vulnerability.  Kyle Moffett independently reported this bug to
Debian.

CVE-2011-1528: Mark Deneen reported this vulnerability to Ubuntu.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;

DETAILS
=======

CVE-2011-1527: null pointer dereference in KDC LDAP back end

Under certain error conditions, krb5_ldap_get_principal() in the KDC
LDAP back end can return success yet leave the client principal entry
as a null pointer.  Subsequently executed code attempts to dereference
this null pointer.

CVE-2011-1528: assertion failure in multiple KDC back ends

In the KDC LDAP back end in releases krb5-1.8 and later,
krb5_ldap_lockout_audit() calls assert() with an expression that could
be false under as-yet unidentified conditions.  A similar problem
occurs in the KDC Berkeley DB ("db2") back end in
krb5_db2_lockout_audit() in releases krb5-1.8 through krb5-1.8.4.
(The db2 back end no longer has this assertion in releases krb5-1.9
and later, and is therefore not vulnerable.)  There is a report that
the assertion failure occurs in the field, but there is insufficient
information to identify the actual vector.

CVE-2011-1529: null pointer dereference in multiple KDC back ends

In releases krb5-1.8 and later, lookup_lockout_policy() in both the
Berkeley DB ("db2") and LDAP KDC back ends fails to check that the
principal entry pointer is non-null prior to dereferencing it.  This
can happen if an error condition such as KRB5KDC_ERR_PREAUTH_FAILED or
KRB5KRB_AP_ERR_BAD_INTEGRITY occurs in process_as_req() before it
retrieves the principal database entry for the requested client.

REVISION HISTORY
================

2011-10-18      original release

Copyright (C) 2011 Massachusetts Institute of Technology
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-10-18T18:06:02</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/124">
    <title>krb5-appl-1.0.2 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/124</link>
    <description>&lt;pre&gt;Version 1.0.2 of the krb5-appl package has been released.  This
package contains the Kerberized versions of telnet, ftp, and the
rlogin suite.  The new release can be found at:

       http://web.mit.edu/kerberos/dist/

This is a bugfix release, with the following changes:

  * Fix MITKRB5-SA-2011-005 (CVE-2011-1526).

  * Man page formatting fixes.

  * Portability fixes to GNU Hurd and Alpha Linux.

  * Correctly parse "restrict" lines in the ftpusers file.

  * Allow username lengths up to UT_NAMESIZE characters in rshd.
&lt;/pre&gt;</description>
    <dc:creator>ghudson&lt; at &gt;MIT.EDU</dc:creator>
    <dc:date>2011-07-11T20:00:45</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/123">
    <title>MITKRB5-SA-2011-005 FTP daemon fails to set effective group ID [CVE-2011-1526]</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/123</link>
    <description>&lt;pre&gt;

MITKRB5-SA-2011-005

MIT krb5 Security Advisory 2011-005
Original release: 2011-07-05

Topic: FTP daemon fails to set effective group ID

CVE-2011-1526

CVSSv2 Vector: AV:N/AC:L/Au:S/C:P/I:P/A:P/E:H/RL:O/RC:C

CVSSv2 Base Score:      6.5

Access Vector:          Network
Access Complexity:      Low
Authentication:         Single
Confidentiality Impact: Partial
Integrity Impact:       Partial
Availability Impact:    Partial

CVSSv2 Temporal Score:  5.7

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

A remote client of the GSS-API FTP daemon in the krb5-appl
distribution can access files using the effective group ID that the
FTP daemon process had when it started.

IMPACT
======

An authenticated remote user can gain unauthorized read or write
access to files whose group owner is the initial effective group ID of
the FTP daemon process.  This is often GID 0 ("root" or "wheel").

The severity of the consequences depends heavily on the details of an
individual system's configuration.  Prudent system administration
practices concerning file permissions will largely prevent any
malicious damage from this vulnerability.

No exploit code is necessary; any user able to log into the FTP server
will gain unauthorized access.

AFFECTED SOFTWARE
=================

* The GSS-API FTP daemon in all krb5-appl releases, up to and
  including krb5-appl-1.0.1, is vulnerable.

FIXES
=====

* An upcoming release of krb5-appl will contain a fix.

* Apply the following patch.  You will need to run ./autogen.sh to
  rebuild the configure script, and you should rebuild from a clean
  source tree to ensure that the correct macro definitions are
  compiled.

diff --git a/configure.ac b/configure.ac
index 86e23f1..2fe68ad 100644
- --- a/configure.ac
+++ b/configure.ac
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -107,6 +107,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; AC_CHECK_FUNCS(_getpty cgetent getcwd getenv gettosbyname getusershell getutmp)
 AC_CHECK_FUNCS(getutmpx grantpt inet_aton initgroups isatty killpg killpg)
 AC_CHECK_FUNCS(line_push ptsname revoke rmufile rresvport_af)
 AC_CHECK_FUNCS(seteuid setlogin setpgid setpriority setresuid setreuid)
+AC_CHECK_FUNCS(setegid setregid setresgid)
 AC_CHECK_FUNCS(setutent setutsent setutxent strsave tcgetpgrp tcsetpgrp)
 AC_CHECK_FUNCS(ttyname unsetenv updwtmp updwtmpx utimes utmpname utmpxname)
 AC_CHECK_FUNCS(vhangup vsnprintf waitpid)
diff --git a/gssftp/ftpd/ftpd.c b/gssftp/ftpd/ftpd.c
index fe62a9c..a150819 100644
- --- a/gssftp/ftpd/ftpd.c
+++ b/gssftp/ftpd/ftpd.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -994,9 +994,14 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; login(passwd, logincode)
 #endif
 }
 
- -(void) krb5_setegid((gid_t)pw-&amp;gt;pw_gid);
- -(void) initgroups(pw-&amp;gt;pw_name, pw-&amp;gt;pw_gid);
- -
+if (krb5_setegid((gid_t)pw-&amp;gt;pw_gid) &amp;lt; 0) {
+reply(550, "Can't set egid.");
+goto bad;
+}
+if (geteuid() == 0 &amp;amp;&amp;amp; initgroups(pw-&amp;gt;pw_name, pw-&amp;gt;pw_gid) &amp;lt; 0) {
+reply(550, "Can't initgroups");
+goto bad;
+}
 /* open wtmp before chroot */
 (void) snprintf(ttyline, sizeof(ttyline), "ftp%ld", (long) getpid());
 pty_logwtmp(ttyline, pw-&amp;gt;pw_name, rhost_sane);
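
Review bot: the new initgroups() call in login() runs only when
geteuid() == 0, so a daemon started without root keeps the
supplementary groups it inherited, and neither the client nor the log
is told.  Add a comment on why the non-root case is skipped and log
it, or fail the login there as well.  The two reply(550, ...) strings
also differ in punctuation ("Can't set egid." against
"Can't initgroups"); make them consistent.
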
diff --git a/k5-util.h b/k5-util.h
index 7bb8cfb..64cd53d 100644
- --- a/k5-util.h
+++ b/k5-util.h
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -69,8 +69,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 #elif defined(HAVE_SETREUID)
 #  define krb5_seteuid(EUID)setreuid(geteuid(), (uid_t)(EUID))
 #else
- -   /* You need to add a case to deal with this operating system.*/
- -#  define krb5_seteuid(EUID)(errno = EPERM, -1)
+#  error "You need to add a case to deal with this operating system."
 #endif
 
 #ifdef HAVE_SETEGID
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -80,8 +79,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt;
 #elif defined(HAVE_SETREGID)
 #  define krb5_setegid(EGID)(setregid(getegid(), (gid_t)(EGID)))
 #else
- -   /* You need to add a case to deal with this operating system.*/
- -#  define krb5_setegid(EGID)(errno = EPERM, -1)
+#  error "You need to add a case to deal with this operating system."
 #endif
 
 #endif
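
Review bot: both #else branches now carry the identical #error text,
so a failed build does not say whether the seteuid or the setegid
family was missing.  Name the interface in each message, for example
"no setegid() or setregid() equivalent found", and add a comment that
this header relies on the HAVE_ macros defined by the AC_CHECK_FUNCS
tests in configure.ac.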

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-005-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-005-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE: CVE-2011-1526
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-1526

ACKNOWLEDGMENTS
===============

We thank Tim Zingelman for discovering this vulnerability and
providing a preliminary patch.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;

DETAILS
=======

The vulnerability results from two interacting flaws: omission of
required autoconf tests, causing krb5_setegid() to always fail, and
the FTP daemon's failure to check for the successful execution of
krb5_setegid().

The FTP daemon calls the portability macro krb5_setegid() from
k5-util.h, which is intended to wrap or emulate the POSIX interface
setegid().  The definition of the macro depends on macros that the
autoconf configure script defines (based on tests of the target
platform environment) when it runs.  When the krb5 application
programs moved out of the main krb5 source tree, the new configure
script inadvertently omitted the necessary autoconf tests for
setegid() and related legacy interfaces.  If no setegid() equivalent
appears to exist on the system, k5-util.h defines krb5_setegid() to
always fail with errno EPERM.  Since the relevant autoconf tests never
execute, k5-util.h will always define krb5_setegid() to fail.

The FTP daemon does not check the return value of krb5_setegid(), so
it silently fails to set its effective GID, allowing users to gain
unauthorized access using the effective GID that the daemon process
started with.

REVISION HISTORY
================

2011-07-05      original release

Copyright (C) 2011 Massachusetts Institute of Technology
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-07-05T18:06:17</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/122">
    <title>krb5-1.7.2 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/122</link>
    <description>&lt;pre&gt;

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.7.2.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.7.2
===================================

You may retrieve the Kerberos 5 Release 1.7.2 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.7.2 release is:

        http://web.mit.edu/kerberos/krb5-1.7/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release will contain measures to encourage sites to migrate
away from using single-DES cryptosystems.  Among these is a
configuration variable that enables "weak" enctypes, but will default
to "false" in the future.  Additional migration aids are planned for
future releases.

Major changes in 1.7.2
======================

This is primarily a bugfix release.

* Fix vulnerabilities:
  ** KDC denial of service [MITKRB5-SA-2010-001 CVE-2010-0283]
  ** SPNEGO denial of service [MITKRB5-SA-2010-002 CVE-2010-0628]
  ** KDC double free [MITKRB5-SA-2010-004 CVE-2010-1320]
  ** GSS-API null pointer dereference [MITKRB5-SA-2010-005 CVE-2010-1321]
  ** multiple checksum vulnerabilities [MITKRB5-SA-2010-007
     CVE-2010-1324 CVE-2010-1323 CVE-2010-4021]
  ** kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
  ** KDC denial of service [MITKRB5-SA-2011-002 CVE-2011-0281 CVE-2011-0282]
  ** KDC double-free (PKINIT) [MITKRB5-SA-2011-003 CVE-2011-0284]
  ** kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]

* Fix the krb5-1.7 KDB master key migration support to handle pre-1.7
  databases with master key kvno != 1
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-05-24T23:35:55</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/121">
    <title>krb5-1.8.4 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/121</link>
    <description>&lt;pre&gt;

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.8.4.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

Note that there is a GSS-API behavior change introduced by this
release: see below for additional information.

RETRIEVING KERBEROS 5 RELEASE 1.8.4
===================================

You may retrieve the Kerberos 5 Release 1.8.4 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.8.4 release is:

        http://web.mit.edu/kerberos/krb5-1.8/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The krb5-1.8 release disables single-DES cryptosystems by default.  As
a result, you may need to add the libdefaults setting
"allow_weak_crypto = true" to communicate with existing Kerberos
infrastructures if they do not support stronger ciphers.

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which now defaults to "false"
beginning with krb5-1.8.  The krb5-1.8 release includes additional
measures to ease the transition away from single-DES.  These
additional measures include:

* enctype config enhancements (so you can do "DEFAULT +des", etc.)
* new API to allow applications (e.g. AFS) to explicitly reenable weak
  crypto
* easier kadmin history key changes

Major changes in 1.8.4
======================

This is primarily a bugfix release.

* Fix vulnerabilities:
  ** KDC uninitialized pointer crash [MITKRB5-SA-2010-006 CVE-2010-1322]
  ** kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
  ** KDC denial of service attacks [MITKRB5-SA-2011-002
     CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
  ** KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003
     CVE-2011-0284]
  ** kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]

* Interoperability:

  ** Correctly encrypt GSSAPI forwarded credentials using the session
     key, not a subkey.

  ** Set NT-SRV-INST on TGS principal names as expected by some
     Windows Server Domain Controllers.

  ** Don't reject AP-REQ messages if their PAC doesn't validate;
     suppress the PAC instead.

  ** Correctly validate HMAC-MD5 checksums that use DES keys
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-05-24T23:34:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/120">
    <title>krb5-1.9.1 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/120</link>
    <description>&lt;pre&gt;

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.9.1.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.9.1
===================================

You may retrieve the Kerberos 5 Release 1.9.1 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.9.1 release is:

        http://web.mit.edu/kerberos/krb5-1.9/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.9.1
======================

This is primarily a bugfix release.

* Fix vulnerabilities:
  ** kpropd denial of service [MITKRB5-SA-2011-001 CVE-2010-4022]
  ** KDC denial of service attacks [MITKRB5-SA-2011-002
     CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]
  ** KDC double-free when PKINIT enabled [MITKRB5-SA-2011-003
     CVE-2011-0284]
  ** kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]

* Interoperability:

  ** Don't reject AP-REQ messages if their PAC doesn't validate;
     suppress the PAC instead.

  ** Correctly validate HMAC-MD5 checksums that use DES keys
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-05-05T22:28:54</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/119">
    <title>MITKRB5-SA-2011-004 kadmind invalid pointer free() [CVE-2011-0285]</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/119</link>
    <description>&lt;pre&gt;

MITKRB5-SA-2011-004

MIT krb5 Security Advisory 2011-004
Original release: 2011-04-12
Last update: 2011-04-12

Topic: kadmind invalid pointer free()

CVE-2011-0285

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      10

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.8

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

The password-changing capability of the MIT krb5 administration daemon
(kadmind) has a bug that can cause it to attempt to free() an invalid
pointer under certain error conditions.  This can cause the daemon to
crash or induce the execution of arbitrary code (which is believed to
be difficult).  No exploit that executes arbitrary code is known to
exist, but it is easy to trigger a denial of service manually.

IMPACT
======

An unauthenticated remote attacker can cause the kadmind to terminate,
resulting in a denial of service.  The attacker might be able to
remotely execute code on the host running kadmind, but exploiting the
freeing of an invalid pointer to execute arbitrary code is believed to
be difficult.

Some platforms detect attempted freeing of invalid pointers and
protectively terminate the process, preventing arbitrary code
execution on those platforms.

AFFECTED SOFTWARE
=================

* kadmind in MIT releases krb5-1.7 and later is vulnerable.  Earlier
  releases do not contain the functionality that the vulnerable code
  implements.

FIXES
=====

* Workaround: restart the kadmind when it crashes, possibly using an
  automated monitoring process.

* Upcoming releases in the krb5-1.7.x, krb5-1.8.x, and krb5-1.9.x
  series will contain fixes.

* For the krb5-1.9 release, apply the following patch:

diff --git a/src/kadmin/server/schpw.c b/src/kadmin/server/schpw.c
index 1124445..0056885 100644
- --- a/src/kadmin/server/schpw.c
+++ b/src/kadmin/server/schpw.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -52,6 +52,7 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; process_chpw_request(context, server_handle, realm, keytab,
 
     ret = 0;
     rep-&amp;gt;length = 0;
+    rep-&amp;gt;data = NULL;
 
     auth_context = NULL;
     changepw = NULL;
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -76,8 +77,13 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; process_chpw_request(context, server_handle, realm, keytab,
     plen = (*ptr++ &amp;amp; 0xff);
     plen = (plen&amp;lt;&amp;lt;8) | (*ptr++ &amp;amp; 0xff);
 
- -    if (plen != req-&amp;gt;length)
- -        return(KRB5KRB_AP_ERR_MODIFIED);
+    if (plen != req-&amp;gt;length) {
+        ret = KRB5KRB_AP_ERR_MODIFIED;
+        numresult = KRB5_KPASSWD_MALFORMED;
+        strlcpy(strresult, "Request length was inconsistent",
+                sizeof(strresult));
+        goto chpwfail;
+    }
 
     /* verify version number */
 
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -531,6 +537,10 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; cleanup:
     if (local_kaddrs != NULL)
         krb5_free_addresses(server_handle-&amp;gt;context, local_kaddrs);
 
+    if ((*response)-&amp;gt;data == NULL) {
+        free(*response);
+        *response = NULL;
+    }
     krb5_kt_close(server_handle-&amp;gt;context, kt);
 
     return ret;
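
Review bot: the added cleanup block dereferences *response without
first checking that it is non-null, so any path that reaches cleanup
before the response structure is allocated would crash here.  Put a
null test on *response ahead of the data check, and add a one-line
comment on what a null *response means to the caller.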


  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-004-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-004-patch.txt.asc

* For the krb5-1.8.x releases, the patch is available at

  http://web.mit.edu/kerberos/advisories/2011-004-patch-r18.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-004-patch-r18.txt.asc

* For the krb5-1.7.x releases, use the patch for the krb5-1.8.x
  releases, but apply ignoring whitespace differences ("patch -l").

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE: CVE-2011-0285
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0285

http://krbdev.mit.edu/rt/Ticket/Display.html?id=6899
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621726

ACKNOWLEDGMENTS
===============

This bug was initially reported to Debian by Felipe Ortega.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;

DETAILS
=======

The dispatch() function in kadmin/server/schpw.c (which handles the
password changing protocol) allocates an uninitialized krb5_data
structure for the response packet, expecting process_chpw_request() to
fill it in.  There is one remotely-inducible error path through
process_chpw_request() that can return to dispatch() without
initializing the data pointer in the krb5_data structure that is to
hold the response packet, which will cause process_tcp_connection() in
lib/app-utils/net-server.c to free() an invalid pointer (via
kill_tcp_or_rpc_connection()).  Password change requests that arrive
via UDP will not cause kadmind to free() an invalid pointer.

Releases krb5-1.7 and krb5-1.8 put some of the above-mentioned
functions in different source files, but the execution flow is largely
identical.  Releases prior to krb5-1.7 did not have the TCP kpasswd
capability, and are not vulnerable.

REVISION HISTORY
================

2011-04-12      original release

Copyright (C) 2011 Massachusetts Institute of Technology
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-04-13T18:33:10</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/118">
    <title>MITKRB5-SA-2011-003 [CVE-2011-0284] KDC double-free when PKINIT enabled</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/118</link>
    <description>&lt;pre&gt;

MITKRB5-SA-2011-003

MIT krb5 Security Advisory 2011-003
Original release: 2011-03-15
Last update: 2011-03-15

Topic: KDC vulnerable to double-free when PKINIT enabled

CVE-2011-0284

CVSSv2 Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      9.3

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  7.3

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable
to a double-free condition if the Public Key Cryptography for Initial
Authentication (PKINIT) capability is enabled, resulting in daemon
crash or arbitrary code execution (which is believed to be difficult).

IMPACT
======

An unauthenticated remote attacker can induce a double-free event,
causing the KDC daemon to crash (denial of service), or to execute
arbitrary code.  Exploiting a double-free event to execute arbitrary
code is believed to be difficult.

AFFECTED SOFTWARE
=================

The KDC in releases krb5-1.7 and later is vulnerable if it is
configured to respond to PKINIT requests.  Earlier releases did not
contain the vulnerable code.  Additionally, third-party
preauthentication plugins that generate TYPED-DATA in the e-data field
of a KRB-ERROR message may be vulnerable.

FIXES
=====

* Upcoming releases in the krb5-1.7, krb5-1.8, and krb5-1.9 series
  will contain fixes.

* Apply the following patch:

diff --git a/src/kdc/do_as_req.c b/src/kdc/do_as_req.c
index 46b5fa1..464cb6e 100644
- --- a/src/kdc/do_as_req.c
+++ b/src/kdc/do_as_req.c
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -741,6 +741,8 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; prepare_error_as (struct kdc_request_state *rstate, krb5_kdc_req *request,
                     pad-&amp;gt;contents = td[size]-&amp;gt;data;
                     pad-&amp;gt;length = td[size]-&amp;gt;length;
                     pa[size] = pad;
+                    td[size]-&amp;gt;data = NULL;
+                    td[size]-&amp;gt;length = 0;
                 }
             krb5_free_typed_data(kdc_context, td);
         }
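
Review bot: the two added assignments in the loop in
prepare_error_as() hand ownership of each td[size] buffer to pad, but
nothing in the code says so.  Add a comment that data and length are
cleared so the krb5_free_typed_data(kdc_context, td) call just below
does not free memory that pa now references.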

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-003-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-003-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE: CVE-2011-0284
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0284

ACKNOWLEDGMENTS
===============

This issue was discovered by Cameron Meadors of Red Hat.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security&amp;lt; at &amp;gt;mit.edu&amp;gt;

DETAILS
=======

In do_as_req.c, the function prepare_error_as() attempts to decode the
e_data field both as preauth data and as typed data.  If the e_data
contents are typed data, they are converted to preauth data.  This
conversion can free pointers to the typed data items, and free them
again when cleaning up the preauth data during function exit.

REVISION HISTORY
================

2011-03-15      original release

Copyright (C) 2011 Massachusetts Institute of Technology
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-03-15T18:06:29</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/117">
    <title>MITKRB5-SA-2011-001 kpropd denial of service [CVE-2010-4022]</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/117</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-001

MIT krb5 Security Advisory 2011-001
Original release: 2011-02-08
Last update: 2011-02-08

Topic: kpropd denial of service

CVE-2010-4022

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C

CVSSv2 Base Score:      5

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Partial

CVSSv2 Temporal Score:  4.4

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to
a denial-of-service attack triggered by invalid network input.  If a
kpropd worker process receives invalid input that causes it to exit
with an abnormal status, it can cause the termination of the listening
process that spawned it, preventing the slave KDC it was running on
from receiving database updates from the master KDC.

Exploit code is not known to exist, but the vulnerability is easy to
trigger manually.

IMPACT
======

An unauthenticated remote attacker can cause kpropd running in
standalone mode (the "-S" option) to terminate its listening process,
preventing database propagations to the KDC host on which it was
running.  Configurations where kpropd runs in incremental propagation
mode ("iprop") or as an inetd server are not affected.

AFFECTED SOFTWARE
=================

kpropd in releases krb5-1.7 and later is vulnerable.  Earlier
releases did not contain the incremental propagation implementation
that inadvertently introduced this problem.

FIXES
=====

* Workaround: if incremental propagation is not configured, run kpropd
  as an inetd service.

* Future patch releases for 1.7, 1.8, and 1.9 will contain a fix.

* Apply the patch:

diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
- --- krb5/src/slave/kpropd.c2010-12-17 11:14:26.000000000 -0500
+++ krb5/src/slave/kpropd.c2010-12-17 11:41:19.000000000 -0500
&amp;lt; at &amp;gt;&amp;lt; at &amp;gt; -404,11 +404,11 &amp;lt; at &amp;gt;&amp;lt; at &amp;gt; retry:
             }
 
             close(s);
- -            if (iproprole == IPROP_SLAVE)
+            if (iproprole == IPROP_SLAVE) {
                 close(finet);
- -
- -            if ((ret = WEXITSTATUS(status)) != 0)
- -                return (ret);
+                if ((ret = WEXITSTATUS(status)) != 0)
+                    return (ret);
+            }
         }
         if (iproprole == IPROP_SLAVE)
             break;
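
Review bot: the relocated check (ret = WEXITSTATUS(status)) != 0 inside
the IPROP_SLAVE branch reads the exit status with no WIFEXITED(status)
test in the visible lines.  WEXITSTATUS is only meaningful for a child
that exited normally, so a worker killed by a signal may be treated as
a zero exit status and reported to the caller as success; suggest
testing WIFEXITED(status) first and treating signal termination as a
failure.  In standalone mode the child's status is now dropped
silently, so logging a non-zero status there would keep repeated
worker failures visible to the operator.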

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4022

ACKNOWLEDGMENTS
===============

This issue was discovered by Keiichi Mori of Red Hat.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security@mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security@mit.edu&amp;gt;

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security@mit.edu&amp;gt;

DETAILS
=======

As a result of the changes implementing incremental propagation, the
do_standalone() function in kpropd.c gained a flaw in child process
handling.  The do_iprop() function, which implements the bulk of the
incremental propagation capability, may need to receive a full
database dump from the master KDC, and calls do_standalone() with an
iprop_role argument of IPROP_SLAVE to partially emulate the behavior
of an ordinary (non-incremental) kpropd.  Unlike in earlier versions
of kpropd, do_standalone() returns the child's exit status (and thus
ceases accepting connections) if the worker process child exits
abnormally, rather than ignoring it.  The correct behavior when
receiving an abnormal exit status from the child process would be to
return from do_standalone() only when invoked from do_iprop().

REVISION HISTORY
================

2011-02-08      original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk1RlE4ACgkQSO8fWy4vZo6MkACghLz1l0/+aO4hs2iQwlCZBjeR
v7EAoNHYLVApbjrLTEKNsHLXXAjTIfWb
=2W7G
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-02-08T19:53:36</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/116">
    <title>MITKRB5-SA-2011-002 KDC denial of service attacks [CVE-2011-0281 CVE-2011-0282 CVE-2011-0283]</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/116</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2011-002

MIT krb5 Security Advisory 2011-002
Original release: 2011-02-08
Last update: 2011-02-08

Topic: KDC denial of service attacks

CVE-2011-0281: KDC vulnerable to hang when using LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2011-0282: KDC vulnerable to crash when using LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.8

CVE-2011-0283: krb5-1.9 KDC vulnerable to crash

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.8

SUMMARY
=======

The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to
denial of service attacks from unauthenticated remote attackers.
CVE-2011-0281 and CVE-2011-0282 occur only in KDCs using LDAP back
ends, but CVE-2011-0283 occurs in all krb5-1.9 KDCs.

Exploit code is not known to exist, but the vulnerabilities are easy
to trigger manually.  The trigger for CVE-2011-0281 has already been
disclosed publicly, but that fact might not be obvious to casual
readers of the message in which it was disclosed.  The triggers for
CVE-2011-0282 and CVE-2011-0283 have not yet been disclosed publicly,
but they are also trivial.

IMPACT
======

CVE-2011-0281: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to become completely unresponsive
until restarted.

CVE-2011-0282: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to crash with a null pointer
dereference.

CVE-2011-0283: An unauthenticated remote attacker can cause a krb5-1.9
KDC with any back end to crash with a null pointer dereference.

AFFECTED SOFTWARE
=================

CVE-2011-0281 and CVE-2011-0282: The KDC in releases krb5-1.6 and
later is vulnerable.  Earlier releases did not contain the LDAP back
end code, and are therefore not vulnerable to these issues.

CVE-2011-0283: The KDC in krb5-1.9 is vulnerable.  Earlier releases
did not contain the bug.

FIXES
=====

* Workaround: restart the KDC when it becomes unresponsive or crashes,
  possibly using an automated monitoring process.

* The patch for the krb5-1.9 release is available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch.txt.asc

* The patch for the krb5-1.8 and krb5-1.7 releases is at

  http://web.mit.edu/kerberos/advisories/2011-002-patch-r18.txt

  For the 1.7 releases, apply the patch ignoring whitespace
   (use "patch -l").

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch-r18.txt.asc

* The following patch applies to the krb5-1.6 release series.

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch-r16.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch-r16.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

Mailing list message describing the trigger for CVE-2011-0281:
http://mailman.mit.edu/pipermail/kerberos/2010-December/016800.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0282
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0283

ACKNOWLEDGMENTS
===============

The CVE-2011-0281 issue was discovered by Kevin Longfellow of Oracle
Corporation.

The CVE-2011-0283 issue was discovered by Zbysek Mraz of Red Hat.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security@mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security@mit.edu&amp;gt;

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security@mit.edu&amp;gt;

DETAILS
=======

CVE-2011-0281: KDC vulnerable to hang when using LDAP back end

The LDAP KDC database back end converts an internal representation of
the protocol encoding of a Kerberos principal name into a single C
string in order to do a lookup in LDAP.  The "unparse" code that does
this transformation can produce backslash escape sequences which the
LDAP client library rejects during the LDAP lookup.  The LDAP KDC
database back end loops attempting to reconnect to the LDAP server,
but leaks file descriptors while doing so.

When the amount of leakage reaches a file descriptor limit (e.g.,
FD_SETSIZE), the KDC may become unresponsive.  One possibility is that
having more than FD_SETSIZE open file descriptors causes select() to
become incapable of detecting status changes on the newest file
descriptor that the KDC uses to communicate with the LDAP server.

CVE-2011-0282: KDC vulnerable to crash when using LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The KDC LDAP back end, when testing whether a principal belongs to the
default realm, assumes that principal name components are
null-terminated and are not null pointers.  Both of these assumptions
are invalid in the general case, so an attacker could craft a
principal name to induce a null pointer dereference or reading beyond
the end of a buffer, causing a crash.  Data leakage resulting from the
overrun is essentially impossible because the read operation is a
comparison rather than a copy.

CVE-2011-0283: krb5-1.9 KDC vulnerable to crash

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

Changes in the KDC network code in the krb5-1.9 release introduced a
bug that allows a null pointer dereference, which would cause the KDC
to crash.  Any request packet that is sufficiently malformed that the
KDC would not generate a response packet can trigger this bug.

REVISION HISTORY
================

2011-02-08      original release

Copyright (C) 2011 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk1RlFMACgkQSO8fWy4vZo5GBQCdHjbGW27n3nskeQCzlCkQY1aA
H40AnAsI0BTieELwAz8rcshwkocFhSTJ
=uL6I
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2011-02-08T19:53:59</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/115">
    <title>krb5-1.9 is released</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/115</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The MIT Kerberos Team announces the availability of MIT Kerberos 5
Release 1.9.  Please see below for a list of some major changes
included, or consult the README file in the source tree for a more
detailed list of significant changes.

RETRIEVING KERBEROS 5 RELEASE 1.9
=================================

You may retrieve the Kerberos 5 Release 1.9 source from the
following URL:

        http://web.mit.edu/kerberos/dist/

The homepage for the krb5-1.9 release is:

        http://web.mit.edu/kerberos/krb5-1.9/

Further information about Kerberos 5 may be found at the following
URL:

        http://web.mit.edu/kerberos/

and at the MIT Kerberos Consortium web site:

        http://www.kerberos.org/

DES transition
==============

The Data Encryption Standard (DES) is widely recognized as weak.  The
krb5-1.7 release contains measures to encourage sites to migrate away
from using single-DES cryptosystems.  Among these is a configuration
variable that enables "weak" enctypes, which defaults to "false"
beginning with krb5-1.8.

Major changes in 1.9
====================

Additional background information on these changes may be found at

    http://k5wiki.kerberos.org/wiki/Release_1.9

and

    http://k5wiki.kerberos.org/wiki/Category:Release_1.9_projects

Code quality:

* Fix MITKRB5-SA-2010-007 checksum vulnerabilities (CVE-2010-1324 and
  others).

* Add a Python-based testing framework.

* Perform DAL cleanup.

Developer experience:

* Add NSS crypto back end.

* Improve PRNG modularity.

* Add a Fortuna-like PRNG back end.

Performance:

* Account lockout performance improvements -- allow disabling of some
  account lockout functionality to reduce the number of write
  operations to the database during authentication

* Add support for multiple KDC worker processes.

Administrator experience:

* Add Trace logging support to ease the diagnosis of configuration
  problems.

* Add support for purging old keys (e.g. from "cpw -randkey -keepold").

* Add plugin interface for password sync -- based on proposed patches
  by Russ Allbery that support his krb5-sync package

* Add plugin interface for password quality checks -- enables
  pluggable password quality checks similar to Russ Allbery's
  krb5-strength package.

* Add a configuration file validator script.

* Add KDC support for SecurID preauthentication -- this is the old
  SAM-2 protocol, implemented to support existing deployments, not the
  in-progress FAST-OTP work.

* Add "cheat" capability for kinit when running on a KDC host.

Protocol evolution:

* Add support for IAKERB -- a mechanism for tunneling Kerberos KDC
  transactions over GSS-API, enabling clients to authenticate to
  services even when the clients cannot directly reach the KDC that
  serves the services.

* Add support for Camellia encryption (experimental; disabled by
  default).

* Add GSS-API support for implementors of the SASL GS2 bridge
  mechanism.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAk0SdaAACgkQSO8fWy4vZo4bYACg7GsxKGLhILFy08EGYq3mx/8Q
ANkAoIn++/ZqgVJZENGmhpcsMzQPEH4Q
=YyJF
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2010-12-22T22:03:08</dc:date>
  </item>
  <item rdf:about="http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/114">
    <title>MITKRB5-SA-2010-007 Multiple checksum handling vulnerabilities [CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021]</title>
    <link>http://permalink.gmane.org/gmane.comp.encryption.kerberos.announce/114</link>
    <description>&lt;pre&gt;-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

MITKRB5-SA-2010-007

MIT krb5 Security Advisory 2010-007
Original release: 2010-11-30
Last update: 2010-11-30

Topic: Multiple checksum handling vulnerabilities

CVE-2010-1324
* krb5 GSS-API applications may accept unkeyed checksums
* krb5 application services may accept unkeyed PAC checksums
* krb5 KDC may accept low-entropy KrbFastArmoredReq checksums

CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:C/A:N/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.1

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       Complete
Availability Impact:    None

CVSSv2 Temporal Score:  5.6

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2010-1323
* krb5 clients may accept unkeyed SAM-2 challenge checksums
* krb5 may accept KRB-SAFE checksums with low-entropy derived keys

CVSSv2 Vector: AV:N/AC:H/Au:N/C:N/I:C/A:N/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      5.4
CVSSv2 Temporal Score:  4.2

CVE-2010-4020
* krb5 may accept authdata checksums with low-entropy derived keys

CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      3.5
CVSSv2 Temporal Score:  2.7

CVE-2010-4021
* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C
CVSSv2 Base Score:      2.1
CVSSv2 Temporal Score:  1.6

See DETAILS for the expanded CVSSv2 metrics for CVE-2010-1323,
CVE-2010-4020, and CVE-2010-4021.

SUMMARY
=======

These vulnerabilities are in the MIT implementation of Kerberos
(krb5), but because these vulnerabilities arise from flaws in protocol
handling logic, other implementations may also be vulnerable.

CVE-2010-1324

MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121) of the GSS-API
krb5 mechanism.

MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed
checksum for PAC signatures.  Running exclusively krb5-1.8 or newer
KDCs blocks the attack.

MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.

CVE-2010-1323

MIT krb5 clients (releases krb5-1.3 and newer) incorrectly accept
unkeyed checksums in the SAM-2 preauthentication challenge.

MIT krb5 (releases krb5-1.3 and newer) incorrectly accepts RFC 3961
key-derivation checksums using RC4 keys when verifying KRB-SAFE
messages.

CVE-2010-4020

MIT krb5 (releases krb5-1.8 and newer) incorrectly accepts RFC 3961
key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH
and AD-KDC-ISSUED authorization data.

CVE-2010-4021

MIT krb5 KDC (release krb5-1.7 only) may issue tickets not requested
by a client, based on an attacker-chosen KrbFastArmoredReq.

IMPACT
======

CVE-2010-1324

An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key.

An authenticated remote attacker can forge PACs if using a KDC that
does not filter client-provided PAC data.  This can result in
privilege escalation against a service that relies on PAC contents to
make authorization decisions.

An unauthenticated remote attacker has a 1/256 chance of swapping a
client-issued KrbFastReq into a different KDC-REQ, if the armor key is
RC4.  The consequences are believed to be minor.

CVE-2010-1323

An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC.  Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token.

An unauthenticated remote attacker has a 1/256 chance of forging
KRB-SAFE messages in an application protocol if the targeted
pre-existing session uses an RC4 session key.  Few application
protocols use KRB-SAFE messages.

CVE-2010-4020

An authenticated remote attacker that controls a legitimate service
principal has a 1/256 chance of forging the AD-SIGNEDPATH signature if
the TGT key is RC4, allowing it to use self-generated "evidence"
tickets for S4U2Proxy, instead of tickets obtained from the user or
with S4U2Self.  Configurations using RC4 for the TGT key are believed
to be rare.

An authenticated remote attacker has a 1/256 chance of forging
AD-KDC-ISSUED signatures on authdata elements in tickets having an RC4
service key, resulting in privilege escalation against a service that
relies on these signatures.  There are no known uses of the KDC-ISSUED
authdata container at this time.

CVE-2010-4021

An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ it
has intercepted.  The attacker could then use this ticket for
S4U2Proxy to impersonate the targeted client even if the client never
authenticated to the subverted service.  The vulnerable configuration
is believed to be rare.

AFFECTED SOFTWARE
=================

CVE-2010-1324

Kerberos application client and server software (including third-party
applications) using GSS-API libraries from MIT releases krb5-1.7 and
newer are vulnerable to the DES GSS-API issue if they use GSS-API for
integrity protection of unencrypted messages.

Kerberos application server software (including third-party
applications) using libraries from MIT releases krb5-1.7 and newer are
vulnerable to the PAC issue.

Deployments running exclusively KDCs from releases krb5-1.8 and newer
are not vulnerable to the PAC issue because those KDCs discard
client-provided PAC authdata.

The MIT krb5 KDC in releases krb5-1.7 and newer is vulnerable to the
KrbFastReq swapping issue.

CVE-2010-1323

Initial credential acquisition clients (including kinit) in MIT
releases krb5-1.3 and newer are vulnerable to the SAM-2 issue.
Third-party applications that obtain initial Kerberos credentials
using libraries from these releases are also vulnerable.

Kerberos application client and server software (including third-party
applications) using libraries from MIT releases krb5-1.3 and
newer are vulnerable to the RC4 KRB-SAFE issue.

CVE-2010-4020

The AD-SIGNEDPATH issue affects the KDC in releases krb5-1.8 and
newer.

Kerberos application server software (including third-party
applications) using libraries from MIT releases krb5-1.8 and newer are
vulnerable to the AD-KDC-ISSUED problem.  Deployments running
exclusively KDCs from releases krb5-1.8 and newer discard
client-provided AD-KDC-ISSUED authdata and are not vulnerable to this
issue.

CVE-2010-4021

The KDC from release krb5-1.7 only is vulnerable to the KrbFastReq
forgery issue.

FIXES
=====

* Upcoming releases in the krb5-1.8 and krb5-1.7 series will contain
  fixes for these issues.

* The patches for this advisory do not cover CVE-2010-4021, which is a
  minor issue already corrected in krb5-1.7.1.

  A patch for the krb5-1.8 series is available at

  http://web.mit.edu/kerberos/advisories/2010-007-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2010-007-patch.txt.asc

  A patch for the krb5-1.7 series is available at

  http://web.mit.edu/kerberos/advisories/2010-007-patch-r17.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2010-007-patch-r17.txt.asc

  A patch for the krb5-1.6 series is available at

  http://web.mit.edu/kerberos/advisories/2010-007-patch-r16.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2010-007-patch-r16.txt.asc

  A patch for the krb5-1.5 series is available at

  http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&amp;amp;adv&amp;amp;version=2

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4021

ACKNOWLEDGMENTS
===============

Thanks to Sam Hartman for helping with analysis.

CONTACT
=======

The MIT Kerberos Team security contact address is
&amp;lt;krbcore-security@mit.edu&amp;gt;.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact &amp;lt;krbcore-security@mit.edu&amp;gt;

DETAILS
=======

Background for RC4-keyed RFC 3961 checksum issues:

The hmac-sha1-des3, hmac-sha1-96-aes128, and hmac-sha1-96-aes256
checksum types are specified to be used with 3DES, AES128, and AES256
keys respectively, but MIT krb5 allows these checksum types to be used
with any type of key.  All three checksum types make use of a key
derivation algorithm built around the block encryption operation of
the key's encryption type.

The arcfour-hmac and arcfour-hmac-exp encryption types are specified
in RFC 4757, and make use of a stream cipher instead of a block
cipher.  The MIT krb5 implementation treats these encryption types as
having a cipher block size of one byte for the purposes of key
derivation.  When the aforementioned checksum types perform key
derivation, they repeatedly invoke stream cipher encryption on
one-byte blocks.  The result is a derived key whose contents alternate
between a known byte (which depends only on the key usage value) and a
byte whose values depend on the key.  There are only 256 possible
derived keys for each key usage value.

CVE-2010-1324 (GSS-API issue):

RFC 4121 specifies version 2 of the krb5 GSS-API mechanism.  It is
commonly used only with "newer" encryption types, but may be used with
any encryption type.  RFC 4121 specifies that non-confidential Wrap
messages and Message Integrity Codes (MICs) are computed using the
required checksum type for the key's encryption type.  MIT krb5 uses
the internal krb5int_c_mandatory_cksumtype function to look up this
checksum type.  This function returns incorrect values for DES
encryption types, selecting unkeyed rather than keyed checksums.

If a GSS-API context is established using a DES key, the MIT krb5 code
will accept Wrap or MIC tokens in either the RFC 4121 or RFC 1964
style.  An attacker can construct a Wrap or MIC token in the RFC 4121
style using unkeyed checksums.

CVE-2010-1324 (PAC issue):

Privilege Attribute Certificates (PACs) are a type of authorization
data specified in:

http://msdn.microsoft.com/en-us/library/cc237917(PROT.13).aspx

PACs contain two signature fields which bind the PAC to the server and
krbtgt keys; these signatures are intended to prove that the PAC was
generated by the KDC and not by a client.  PAC signatures are
specified to use the hmac-md5, hmac-sha1-96-aes128, or
hmac-sha1-96-aes256 keyed checksum types.  The MIT krb5 code for
verifying PAC signatures does not verify that the checksum type
contained in the PAC is a keyed signature, so a client could use an
unkeyed checksum to "prove" that its made-up PAC data was generated by
a KDC.  This attack would not work in the presence of a sufficiently
recent (1.8 or later) MIT KDC because the KDC would filter out
client-provided PAC authdata.

CVE-2010-1324 (KrbFastReq swapping issue):

The KDC may accept an RFC 3961 key-derivation checksum keyed with an
RC4 key in the req-checksum field of KrbFastArmoredReq.  An attacker
has a 1/256 chance of guessing the derived key that would be required
to bind a captured encrypted KrbFastReq to a different KDC-REQ
message.  This is probably at worst an auditing issue; the KDC will
log a successful authentication, but with the wrong parameters, and
the client will not necessarily be able to use the resulting ticket.

CVE-2010-1323 (SAM-2 issue):

CVSSv2 Base Score:      5.4

Access Vector:          Network
Access Complexity:      High
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       Complete
Availability Impact:    None

CVSSv2 Temporal Score:  4.2

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SAM-2 is a preauthentication mechanism described in:

http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-sam-03 (SAM2)

In this mechanism, a KDC sends a challenge to the client consisting of
a challenge body and a list of checksums.  The client prompts the user
for Single-use Authentication Data (SAD), computes a reply key based
on the SAD and the parameters in the challenge body, and then tries to
verify each of the checksums against the body using the reply key.  If
no checksum matches, the client assumes that the SAD value is
incorrect or the integrity of the challenge has been tampered with by
a party with no knowledge of the reply key.  The MIT krb5 code for
verifying SAM-2 challenge signatures does not verify that the checksum
type is keyed, so an attacker can alter a challenge and supply an unkeyed
signature, fooling the client into believing that the challenge body
was not tampered with.  The general result would be that the client
would transmit an invalid reply to the KDC, causing preauthentication
to fail.

With non-challenge/response SAM tokens having low entropy (e.g., a
clock-based token with six decimal digits of readout), this may allow
an attacker to learn the SAD value by a precomputation attack,
negating the incremental security benefit of using a SAM token.  This
would allow the attacker to authenticate to the KDC as the user, or to
impersonate the KDC to the user, provided that the user's password has
been previously captured.

CVE-2010-1323 (KRB-SAFE RC4 issue):

The KRB-SAFE message is intended for the integrity protection of
cleartext application data.  An attacker can forge KRB-SAFE messages
in an existing application protocol session with 1/256 probability of
success, if the session uses an RC4 session key.

CVE-2010-4020 (authdata RC4 issue):

CVSSv2 Base Score:      3.5

Access Vector:          Network
Access Complexity:      Medium
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       Partial
Availability Impact:    None

CVSSv2 Temporal Score:  2.7

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

S4U2proxy is a Microsoft protocol extension that allows a service to
impersonate a user to another service, in a constrained way:

http://msdn.microsoft.com/en-us/library/cc246071(PROT.13).aspx

MIT and Heimdal implementations of Kerberos use an extension to take
the place of the Windows PAC in S4U2proxy evidence tickets:

http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation

The signature in the SIGNEDPATH authorization data uses the TGT key,
which is only known to the KDC.  If the TGT key is RC4, then a service
can forge this signature with a 1/256 chance of success by supplying
an inappropriate checksum type.

CVE-2010-4021 (KrbFastReq forgery issue):

CVSSv2 Base Score:      2.1

Access Vector:          Network
Access Complexity:      High
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       Partial
Availability Impact:    None

CVSSv2 Temporal Score:  1.6

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

In release krb5-1.7, but not newer releases, the KDC allows an
arbitrary TGT credential to serve as the armor for TGS requests,
allowing the inner request to be arbitrarily altered by an attacker
who controls a service principal.  (The attacker has full knowledge of
the armor key, having provided the armor ticket.)  The resulting
ticket is useless to both client and attacker unless the named service
principal in the forged request is that of the attacker.

By intercepting a legitimate TGS-REQ message, a malicious service that
has S4U2Proxy privileges can rewrite the inner request so that the
service named in the request is itself, and then capture the issued
ticket for use as an evidence ticket in a S4U2Proxy request to
impersonate the client to another service, even though the client
never asked for a ticket for the malicious service.  Since krb5-1.7
does not natively support S4U2proxy, the attack is only feasible in
certain cross-realm configurations, which are believed to be rare,
involving Active Directory domains that grant S4U2proxy privileges to
services in a non-AD Kerberos foreign realm.

REVISION HISTORY
================

2010-11-30      original release

Copyright (C) 2010 Massachusetts Institute of Technology
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.8 (SunOS)

iEYEARECAAYFAkz1SjoACgkQSO8fWy4vZo5CGgCePDfxaWdGcX70V4U83JUbi9uF
VXoAoO0eP1MPEOUZt096Xsgyv1fR1k1u
=BFph
-----END PGP SIGNATURE-----
&lt;/pre&gt;</description>
    <dc:creator>Tom Yu</dc:creator>
    <dc:date>2010-11-30T19:13:42</dc:date>
  </item>
  <textinput rdf:about="http://search.gmane.org/?group=$group=gmane.comp.encryption.kerberos.announce">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.encryption.kerberos.announce</link>
  </textinput>
</rdf:RDF>

