J-Security Center

Title: MIT Kerberos 5 Multiple Double-Free Vulnerabilities

Severity: CRITICAL

Description:

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is written and maintained by MIT. It is available for a variety of platforms including the Microsoft Windows, Unix, and Linux operating systems.

Multiple double-free vulnerabilities are reported to exist in MIT Kerberos 5.

All of the vulnerabilities stem from inconsistent memory handling. The ASN.1 decoding implementation, as well as other code in the krb5 library, does not follow a consistent convention for memory ownership. Callers of library functions expect the library to allocate memory. Upon receipt of an error, calling functions may attempt to free() memory regions allocated by the library routine. In some cases, the library routine will have already freed the memory but not set the pointer to NULL. This leads to a double-free condition that may be leveraged to execute arbitrary code in the context of the process using the krb5 library. Typically, Kerberos server processes run with superuser privileges.

The first specific vulnerability is present in the KDC (Key Distribution Center). Cleanup code attempts to free memory returned from ASN.1 decoders whenever the pointer is non-NULL, so when a decoder has already freed that memory on an error path the result is a double free. It is reported that a remote unauthenticated attacker may execute arbitrary code with superuser privileges and compromise an entire Kerberos realm.
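The ownership mistake described above, reduced to a self-contained illustration (added here; this is constructed example code, not MIT's krb5 decoder or KDC): a decoder that frees its result on error without clearing the caller's pointer, beside a version that leaves `*out` NULL on every error path, and a KDC-style cleanup that frees whatever came back non-NULL. An instrumented `tracked_free()` reports the second release instead of performing it, so the run is safe to execute.

```c
#include <stdint.h>
#include <stdlib.h>
/* Stand-in for a decoded ASN.1 structure; constructed for this example. */
typedef struct { uint8_t tag; uint8_t len; } enc_part;

/* Instrumented free(): releasing the most recently freed block again is
 * reported as -1 instead of corrupting the heap. */
static void *last_freed;
static int tracked_free(void *p)
{
    if (p == NULL) return 0;
    if (p == last_freed) return -1;           /* double free */
    last_freed = p;
    free(p);
    return 0;
}

/* Advisory pattern: on a malformed body, free the result but leave *out dangling. */
static int decode_enc_part_bad(const uint8_t *buf, size_t n, enc_part **out)
{
    if ((*out = malloc(sizeof **out)) == NULL) return -1;
    if (n < 2 || buf[1] > n - 2) {            /* length byte overruns buffer */
        tracked_free(*out);                   /* freed, *out still non-NULL */
        return -2;
    }
    (*out)->tag = buf[0]; (*out)->len = buf[1];
    return 0;
}
/* Fixed: *out is NULL on every error path (validate before allocating), so the
 * caller's "free if non-NULL" cleanup has nothing to release. */
static int decode_enc_part_fixed(const uint8_t *buf, size_t n, enc_part **out)
{
    *out = NULL;
    if (n < 2 || buf[1] > n - 2) return -2;
    if ((*out = malloc(sizeof **out)) == NULL) return -1;
    (*out)->tag = buf[0]; (*out)->len = buf[1];
    return 0;
}
/* KDC-style cleanup: decode, then free the result if non-NULL. 0 = clean, -1 = double free. */
typedef int decoder_fn(const uint8_t *, size_t, enc_part **);
static int run_scenario(decoder_fn *decode, const uint8_t *buf, size_t n)
{
    enc_part *part = NULL;
    last_freed = NULL;
    (void)decode(buf, n, &part);
    return tracked_free(part);
}
/* Constructed inputs: length byte 16 with nothing following; a valid body. */
static const uint8_t k_malformed[]  = { 0x30, 0x10 };
static const uint8_t k_wellformed[] = { 0x30, 0x02, 0xAA, 0xBB };
```

Only the vulnerable decoder combined with malformed input yields the double free; the fixed decoder is clean on both inputs because the caller never sees a freed pointer.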

The second vulnerability is present when the krb5_rd_cred() function attempts to free memory returned from decode_krb5_enc_cred_part() (an ASN.1 decoding function), also leading to a double-free condition. This vulnerability is only reachable after an attacker has successfully authenticated. It can allow the attacker to gain superuser privileges on a Kerberos-enabled computer.

The third vulnerability exists during Kerberos 4 cross-realm authentication. If cross-realm authentication is denied in the handle_classic_v4() function, then do_connection() calls krb5_free_ticket() and double-frees memory.

These vulnerabilities are exploitable in various ways:
- An attacker can execute arbitrary code in the context of a KDC server process, potentially compromising the entire Kerberos realm.
- An attacker can execute arbitrary code in the context of a krb524d server process, potentially compromising the entire Kerberos realm if it is running on the same computer as a KDC.
- An attacker can execute arbitrary code in the context of various other server processes utilizing the krb5 library.
- An attacker impersonating a KDC or application server may be able to execute arbitrary code in the context of a client process attempting to authenticate.

Versions up to and including 1.3.4 are reported vulnerable.

Update: IBM has reported that IBM Tivoli Access Manager for e-business version 5.1 is vulnerable to CAN-2004-0642 and CAN-2004-0643 when configured for single sign-on using SPNEGO authentication.

Affected Products:

  • Apple Mac OS X 10.2.0
  • Apple Mac OS X 10.2.1
  • Apple Mac OS X 10.2.2
  • Apple Mac OS X 10.2.3
  • Apple Mac OS X 10.2.4
  • Apple Mac OS X 10.2.5
  • Apple Mac OS X 10.2.6
  • Apple Mac OS X 10.2.7
  • Apple Mac OS X 10.2.8
  • Apple Mac OS X 10.3.0
  • Apple Mac OS X 10.3.1
  • Apple Mac OS X 10.3.2
  • Apple Mac OS X 10.3.3
  • Apple Mac OS X 10.3.4
  • Apple Mac OS X 10.3.5
  • Apple Mac OS X 10.3.6
  • Apple Mac OS X Server 10.2.0
  • Apple Mac OS X Server 10.2.1
  • Apple Mac OS X Server 10.2.2
  • Apple Mac OS X Server 10.2.3
  • Apple Mac OS X Server 10.2.4
  • Apple Mac OS X Server 10.2.5
  • Apple Mac OS X Server 10.2.6
  • Apple Mac OS X Server 10.2.7
  • Apple Mac OS X Server 10.2.8
  • Apple Mac OS X Server 10.3.0
  • Apple Mac OS X Server 10.3.1
  • Apple Mac OS X Server 10.3.2
  • Apple Mac OS X Server 10.3.3
  • Apple Mac OS X Server 10.3.4
  • Apple Mac OS X Server 10.3.5
  • Apple Mac OS X Server 10.3.6
  • Avaya Converged Communications Server 2.0.0
  • Avaya Integrated Management
  • Avaya S8300 R2.0.0
  • Avaya S8300 R2.0.1
  • Avaya S8500 R2.0.0
  • Avaya S8500 R2.0.1
  • Avaya S8700 R2.0.0
  • Avaya S8700 R2.0.1
  • Cisco VPN 3000 Concentrator 4.0.0
  • Cisco VPN 3000 Concentrator 4.0.0 .x
  • Cisco VPN 3000 Concentrator 4.0.1
  • Cisco VPN 3000 Concentrator 4.1.0 .x
  • Conectiva Linux 8.0.0
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Gentoo Linux 1.4.0
  • Gentoo Linux 1.4.0 _rc1
  • Gentoo Linux 1.4.0 _rc2
  • Gentoo Linux 1.4.0 _rc3
  • IBM AIX 5.1
  • IBM AIX 5.1.0 L
  • IBM AIX 5.2
  • IBM AIX 5.2.0 L
  • IBM AIX 5.2.2
  • IBM AIX 5.3.0 L
  • IBM Tivoli Access Manager for e-business 5.1.0
  • MIT Kerberos 5 1.0.0
  • MIT Kerberos 5 1.0.6
  • MIT Kerberos 5 1.0.8
  • MIT Kerberos 5 1.1.0
  • MIT Kerberos 5 1.1.1
  • MIT Kerberos 5 1.2.0
  • MIT Kerberos 5 1.2.1
  • MIT Kerberos 5 1.2.2
  • MIT Kerberos 5 1.2.2 -beta1
  • MIT Kerberos 5 1.2.3
  • MIT Kerberos 5 1.2.4
  • MIT Kerberos 5 1.2.5
  • MIT Kerberos 5 1.2.6
  • MIT Kerberos 5 1.2.7
  • MIT Kerberos 5 1.2.8
  • MIT Kerberos 5 1.3.0
  • MIT Kerberos 5 1.3.0 -alpha1
  • MIT Kerberos 5 1.3.1
  • MIT Kerberos 5 1.3.2
  • MIT Kerberos 5 1.3.3
  • MIT Kerberos 5 1.3.4
  • MandrakeSoft Corporate Server 2.1.0
  • MandrakeSoft Corporate Server 2.1.0 x86_64
  • MandrakeSoft Linux Mandrake 10.0.0
  • MandrakeSoft Linux Mandrake 10.0.0 amd64
  • MandrakeSoft Linux Mandrake 10.1.0
  • MandrakeSoft Linux Mandrake 10.1.0 x86_64
  • MandrakeSoft Linux Mandrake 8.1.0
  • MandrakeSoft Linux Mandrake 8.1.0 ia64
  • MandrakeSoft Linux Mandrake 8.2.0
  • MandrakeSoft Linux Mandrake 8.2.0 ppc
  • MandrakeSoft Linux Mandrake 9.0.0
  • MandrakeSoft Linux Mandrake 9.1.0
  • MandrakeSoft Linux Mandrake 9.1.0 ppc
  • MandrakeSoft Linux Mandrake 9.2.0
  • MandrakeSoft Linux Mandrake 9.2.0 amd64
  • MandrakeSoft Multi Network Firewall 2.0.0
  • OpenBSD OpenBSD 3.1
  • OpenBSD OpenBSD 3.2
  • OpenPKG OpenPKG 2.0.0
  • OpenPKG OpenPKG 2.1.0
  • OpenPKG OpenPKG Current
  • RedHat Desktop 3.0.0
  • RedHat Desktop 4.0.0
  • RedHat Enterprise Linux AS 3
  • RedHat Enterprise Linux AS 4
  • RedHat Enterprise Linux ES 3
  • RedHat Enterprise Linux ES 4
  • RedHat Enterprise Linux WS 3
  • RedHat Enterprise Linux WS 4
  • RedHat Fedora Core1
  • RedHat Fedora Core2
  • RedHat Linux 6.2.0
  • RedHat Linux 6.2.0 alpha
  • RedHat Linux 6.2.0 i386
  • RedHat Linux 6.2.0 sparc
  • RedHat Linux 7.0.0
  • RedHat Linux 7.0.0 alpha
  • RedHat Linux 7.0.0 i386
  • RedHat Linux 7.1.0
  • RedHat Linux 7.1.0 alpha
  • RedHat Linux 7.1.0 i386
  • RedHat Linux 7.1.0 ia64
  • RedHat Linux 7.2.0
  • RedHat Linux 7.2.0 i386
  • RedHat Linux 7.2.0 ia64
  • RedHat Linux 7.3.0
  • RedHat Linux 7.3.0 i386
  • RedHat Linux 7.3.0 i686
  • RedHat Linux 8.0.0
  • RedHat Linux 8.0.0 i386
  • RedHat Linux 9.0.0 i386
  • Sun SEAM 1.0.2
  • Sun Solaris 9
  • Sun Solaris 9_x86
  • Turbolinux Appliance Server Hosting Edition 1.0.0
  • Turbolinux Appliance Server Workgroup Edition 1.0.0
  • Turbolinux Home
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 10.0.0
  • Turbolinux Turbolinux Server 8.0.0
  • WireX Immunix OS 7+

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.