#1 is not an issue since we don't run kerberized telnet. #2 and #3 are pretty embarrassing, but not really a surprise given how ugly the MIT code is. Fortunately they can only be exploited by people with Kerberos principals, which, right now is pretty small. We should definately upgrade as soon as a patch is available.
I may switch my personal machines to Heimdal after this. I'll let you know how it goes. - a "Nathan Kennedy" <[EMAIL PROTECTED]> writes: > Looks bad, please read. I don't think Debian has an update out yet for > krb5. I'm guessing they will before we start really migrating users, but > if not we'll have to patch ourselves. > > -ntk > >> From: US-CERT Technical Alerts [mailto:[EMAIL PROTECTED] >> Sent: Tuesday, April 03, 2007 7:57 PM >> To: [EMAIL PROTECTED] >> Subject: US-CERT Technical Cyber Security Alert TA07-093B -- MIT >> Kerberos Vulnerabilities >> >> >> -----BEGIN PGP SIGNED MESSAGE----- >> Hash: SHA1 >> >> >> National Cyber Alert System >> >> Technical Cyber Security Alert TA07-093B >> >> >> MIT Kerberos Vulnerabilities >> >> Original release date: April 03, 2007 >> Last revised: -- >> Source: US-CERT >> >> >> Systems Affected >> >> * MIT Kerberos >> >> Other products based on the GSS-API or the RPC libraries provided >> with MIT Kerberos may also be affected. >> >> >> Overview >> >> The MIT Kerberos 5 implementation contains several vulnerabilities. >> One of these vulnerabilities (VU#220816) could allow a remote, >> unauthenticated attacker to log in via telnet (23/tcp) with >> elevated privileges. The other vulnerabilities (VU#704024, >> VU#419344) could allow a remote, authenticated attacker to execute >> arbitrary code on a Key Distribution Center (KDC). >> >> >> I. Description >> >> There are three vulnerabilities that affect MIT Kerberos 5: >> >> * VU#220816 - MIT Kerberos 5 telnet daemon allows login as >> arbitrary user >> >> The telnet daemon included with the MIT Kerberos administration >> daemon contains a vulnerability that may allow a remote, >> unauthorized user to log on to the system with elevated >> privileges. >> >> * VU#704024 - MIT Kerberos 5 administration daemon stack overflow >> in krb5_klog_syslog() >> >> The MIT Kerberos administration daemon contains a vulnerability >> in the way the krb5_klog_syslog() function handles specially >> crafted strings that may allow a remote, authenticated attacker >> to execute arbitrary code. Other server applications that call >> krb5_klog_syslog() may also be affected. This vulnerability can >> be triggered by sending a specially crafted Kerberos message to a >> vulnerable system. >> >> * VU#419344 - MIT Kerberos 5 GSS-API library double-free >> vulnerability >> >> A vulnerability exists in the way that the GSS-API library >> provided with MIT krb5 handles messages with an invalid direction >> encoding, resulting in a double free which may allow a remote, >> authenticated attacker to execute arbitrary code. Other server >> applications that utilize the RPC library or the GSS-API library >> provided with MIT Kerberos may also be affected. This >> vulnerability can be triggered by sending a specially crafted >> Kerberos message to a vulnerable system. >> >> >> II. Impact >> >> In the case of VU#220816 a remote attacker could log on to the >> system via telnet and gain elevated privileges. >> >> In the case of VU#704024 and VU#419344, a remote, authenticated >> attacker may be able to execute arbitrary code on KDCs, systems >> running kadmind, and application servers that use the RPC or >> GSS-API libraries. An attacker could also cause a denial of service >> on any of these systems. As a secondary impact, either one of these >> vulnerabilities could result in the compromise of both the KDC and >> an entire Kerberos realm. >> >> >> III. Solution >> >> Check with your vendors for patches or updates. For information >> about a vendor, please see the systems affected section in the >> individual vulnerability notes or contact your vendor directly. >> >> Alternatively, apply the appropriate source code patches referenced >> in MITKRB5-SA-2007-001, MITKRB5-SA-2007-002, and >> MITKRB5-SA-2007-003 and recompile. >> >> These vulnerabilities will also be addressed in krb5-1.6.1. >> >> >> IV. References >> >> * US-CERT Vulnerability Note VU#220816 - >> <http://www.kb.cert.org/vuls/id/220816> >> >> * US-CERT Vulnerability Note VU#704024 - >> <http://www.kb.cert.org/vuls/id/704024> >> >> * US-CERT Vulnerability Note VU#419344 - >> <http://www.kb.cert.org/vuls/id/419344> >> >> * MIT krb5 Security Advisory 2007-001 - >> >> <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001- >> telnetd.txt> >> >> * MIT krb5 Security Advisory 2007-002 - >> >> <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002- >> syslog.txt> >> >> * MIT krb5 Security Advisory 2007-003 - >> <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007- >> 003.txt> >> >> >> ____________________________________________________________________ >> >> The most recent version of this document can be found at: >> >> <http://www.us-cert.gov/cas/techalerts/TA07-093B.html> >> ____________________________________________________________________ >> >> Feedback can be directed to US-CERT Technical Staff. Please send >> email to <[EMAIL PROTECTED]> with "TA07-093B Feedback VU#202816" in the >> subject. >> ____________________________________________________________________ >> >> For instructions on subscribing to or unsubscribing from this >> mailing list, visit <http://www.us-cert.gov/cas/signup.html>. >> ____________________________________________________________________ >> >> Produced 2007 by US-CERT, a government organization. >> >> Terms of use: >> >> <http://www.us-cert.gov/legal.html> >> ____________________________________________________________________ >> >> >> Revision History >> >> April 03, 2007: Initial release -- PGP/GPG: 5C9F F366 C9CF 2145 E770 B1B8 EFB1 462D A146 C380 _______________________________________________ HCoop-SysAdmin mailing list [email protected] http://hcoop.net/cgi-bin/mailman/listinfo/hcoop-sysadmin
