• Product Information
• Security Products Overview
• Juniper Networks ISG Series
• IDP Demo
• Product Poster & Z-Card 

Title: MIT Kerberos 5 Administration Library Add_To_History Heap-Based Buffer Overflow Vulnerability

Severity: MODERATE

Description:

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. Kerberos is written and maintained by MIT. It is available for a variety of platforms including the Microsoft Windows, Unix, and Linux operating systems.

It is reported that the MIT Kerberos 5 administration library is affected by a heap-based buffer overflow vulnerability. The vulnerability presents itself in the 'add_to_history()' function of the 'svr_principal.c' source file. The vulnerability exists due to an indexing error that occurs under certain circumstances.

Specifically, when the password of a principal is changed fewer times than the number stored in the history count of the Kerberos password policy, and the history count is reduced to match the actual number of times that the password has been changed, an internal pointer will index out of a vulnerable heap-based array. A call to 'add_to_history()' invoked when a principal password is changed at a later date will employ the affected pointer resulting in password history entry data being written past the end of the vulnerable array. This will result in the corruption of adjacent heap-based memory management data.

An authenticated attacker may potentially exploit this vulnerability on a Key Distribution Center (KDC) to execute arbitrary code in the context of the vulnerable service, ultimately resulting in the compromise of an entire Kerberos realm.

Affected Products:

• Apple Mac OS X 10.3.9
• Apple Mac OS X Server 10.3.9
• Conectiva Linux 8.0.0
• Debian Linux 3.0.0
• Debian Linux 3.0.0 alpha
• Debian Linux 3.0.0 arm
• Debian Linux 3.0.0 hppa
• Debian Linux 3.0.0 ia-32
• Debian Linux 3.0.0 ia-64
• Debian Linux 3.0.0 m68k
• Debian Linux 3.0.0 mips
• Debian Linux 3.0.0 mipsel
• Debian Linux 3.0.0 ppc
• Debian Linux 3.0.0 s/390
• Debian Linux 3.0.0 sparc
• MIT Kerberos 5 1.0.0
• MIT Kerberos 5 1.0.6
• MIT Kerberos 5 1.0.8
• MIT Kerberos 5 1.1.0
• MIT Kerberos 5 1.1.1
• MIT Kerberos 5 1.2.0
• MIT Kerberos 5 1.2.1
• MIT Kerberos 5 1.2.2
• MIT Kerberos 5 1.2.2 -beta1
• MIT Kerberos 5 1.2.3
• MIT Kerberos 5 1.2.4
• MIT Kerberos 5 1.2.5
• MIT Kerberos 5 1.2.6
• MIT Kerberos 5 1.2.7
• MIT Kerberos 5 1.2.8
• MIT Kerberos 5 1.3.0
• MIT Kerberos 5 1.3.0 -alpha1
• MIT Kerberos 5 1.3.1
• MIT Kerberos 5 1.3.2
• MIT Kerberos 5 1.3.3
• MIT Kerberos 5 1.3.4
• MIT Kerberos 5 1.3.5
• MIT Kerberos 5 5.0.0 -1.0.x
• MIT Kerberos 5 5.0.0 -1.1
• MIT Kerberos 5 5.0.0 -1.1.1
• MIT Kerberos 5 5.0.0 -1.2beta1
• MIT Kerberos 5 5.0.0 -1.2beta2
• MIT Kerberos 5 5.0.0 -1.3.3
• MandrakeSoft Corporate Server 2.1.0
• MandrakeSoft Corporate Server 2.1.0 x86_64
• MandrakeSoft Linux Mandrake 10.0.0
• MandrakeSoft Linux Mandrake 10.0.0 amd64
• MandrakeSoft Linux Mandrake 10.1.0
• MandrakeSoft Linux Mandrake 10.1.0 x86_64
• MandrakeSoft Linux Mandrake 8.1.0
• MandrakeSoft Linux Mandrake 8.1.0 ia64
• MandrakeSoft Linux Mandrake 8.2.0
• MandrakeSoft Linux Mandrake 8.2.0 ppc
• MandrakeSoft Linux Mandrake 9.0.0
• MandrakeSoft Linux Mandrake 9.1.0
• MandrakeSoft Linux Mandrake 9.1.0 ppc
• MandrakeSoft Linux Mandrake 9.2.0
• MandrakeSoft Linux Mandrake 9.2.0 amd64
• MandrakeSoft Multi Network Firewall 2.0.0
• OpenBSD OpenBSD 3.1
• OpenBSD OpenBSD 3.2
• RedHat Desktop 4.0.0
• RedHat Enterprise Linux AS 4
• RedHat Enterprise Linux ES 4
• RedHat Enterprise Linux WS 4
• RedHat Fedora Core1
• RedHat Fedora Core2
• RedHat Fedora Core3
• RedHat Linux 6.2.0
• RedHat Linux 6.2.0 alpha
• RedHat Linux 6.2.0 i386
• RedHat Linux 6.2.0 sparc
• RedHat Linux 7.0.0
• RedHat Linux 7.0.0 alpha
• RedHat Linux 7.0.0 i386
• RedHat Linux 7.1.0
• RedHat Linux 7.1.0 alpha
• RedHat Linux 7.1.0 i386
• RedHat Linux 7.1.0 ia64
• RedHat Linux 7.2.0
• RedHat Linux 7.2.0 i386
• RedHat Linux 7.2.0 ia64
• RedHat Linux 7.3.0
• RedHat Linux 7.3.0 i386
• RedHat Linux 7.3.0 i686
• RedHat Linux 8.0.0
• RedHat Linux 8.0.0 i386
• RedHat Linux 9.0.0 i386
• SGI ProPack 3.0.0
• Sun SEAM 1.0.1
• Sun SEAM 1.0.2
• Sun Solaris 8
• Sun Solaris 8_x86
• Sun Solaris 9
• Sun Solaris 9_x86
• Trustix Secure Enterprise Linux 2.0.0
• Trustix Secure Linux 2.1.0
• Trustix Secure Linux 2.2.0
• Turbolinux Appliance Server 1.0.0 Hosting Edition
• Turbolinux Appliance Server 1.0.0 Workgroup Edition
• Turbolinux Home
• Turbolinux Turbolinux 10 F...
• Turbolinux Turbolinux Desktop 10.0.0
• Turbolinux Turbolinux Server 10.0.0
• Turbolinux Turbolinux Server 8.0.0
• WireX Immunix OS 7+

References:

• Conectiva: CLSA-2005:917 - Fix for buffer overflow in libkadm5srv
• MIT: Kerberos 5 Release 1.3.6
• MIT: Kerberos Homepage
• Sun: 57712 - Security Vulnerability in Kerberos 5 Administration Library for Solaris/

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.