J-Security Center

Title: MIT Kerberos 5 KAdminD Server RPC Type Conversion Stack Buffer Overflow Vulnerability

Severity: CRITICAL

Description:

Kerberos is a network-authentication protocol; 'kadmind' (Kerberos Administration Daemon) is the administration server for Kerberos networks.

Kerberos 5 'kadmind' is prone to a stack-based buffer-overflow vulnerability because it fails to adequately bounds-check user-supplied data before copying it to an insufficiently sized buffer.

Specifically, the problem is a type conversion in the 'gssrpc__svcauth_unix()' function in the RPC source file 'src/lib/rpc/svc_auth_unix.c'. The 'str_len' variable is declared as a signed integer but receives an unsigned value from 'IXDR_GET_U_LONG'. A sufficiently large unsigned value therefore becomes negative, so a later size check against the 'MAX_MACHINE_NAME' limit passes even though the length is far too large. Once the check is passed, the function calls 'memmove()' with the affected variable as the copy length and a stack buffer as the destination. This issue is very difficult to exploit because 'memmove()' interprets the negative value as a very large length, which will likely cause a memory access fault before the function returns.
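The following is an added illustration of the signed/unsigned length-check bypass described above; it is not code from MIT Kerberos. The helper names, the sample length words and the assumed value of 'MAX_MACHINE_NAME' (255) are assumptions, and the example stops at the bound check rather than performing the copy.

```c
#include <stdint.h>
#include <stdio.h>

#define MAX_MACHINE_NAME 255   /* assumed value of the RPC limit, for illustration */
#define REJECTED INT64_MIN     /* sentinel: the bound check refused the length */

/* Mimics IXDR_GET_U_LONG: read one big-endian 32-bit unsigned XDR word. */
static uint32_t get_u_long(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the unsigned word is stored in a signed int, so any
 * value of 0x80000000 or above becomes negative (two's-complement wrap on
 * common compilers) and slips past the "too long" comparison. The real
 * function would then hand that negative value to memmove() as a size_t. */
static int64_t vulnerable_length_check(const unsigned char *wire)
{
    int str_len = (int)get_u_long(wire);     /* signed receives unsigned */
    if (str_len > MAX_MACHINE_NAME)
        return REJECTED;
    return str_len;                          /* negative length accepted */
}

/* Hardened pattern: keep the length unsigned for the bound check, so every
 * value above MAX_MACHINE_NAME, wrapped or not, is rejected before any copy. */
static int64_t hardened_length_check(const unsigned char *wire)
{
    uint32_t str_len = get_u_long(wire);
    if (str_len > MAX_MACHINE_NAME)
        return REJECTED;
    return str_len;
}

/* Constructed sample length words, as a client would encode them in XDR. */
static const unsigned char sane_len[4] = {0x00, 0x00, 0x00, 0x10}; /* 16 */
static const unsigned char huge_len[4] = {0xFF, 0xFF, 0xFF, 0xF0}; /* 4294967280 */

int main(void)
{
    printf("sane: vulnerable=%lld hardened=%lld\n",
           (long long)vulnerable_length_check(sane_len),
           (long long)hardened_length_check(sane_len));
    printf("huge: vulnerable=%lld hardened=%lld (INT64_MIN means rejected)\n",
           (long long)vulnerable_length_check(huge_len),
           (long long)hardened_length_check(huge_len));
    return 0;
}
```

A detection-oriented reading of the same check: any RPC length word whose value exceeds 'MAX_MACHINE_NAME' should be rejected outright, and the hardened form does so regardless of signedness.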

An attacker can exploit this issue to execute arbitrary code with administrative privileges. A successful attack can result in the complete compromise of the application. Failed attempts will likely result in denial-of-service conditions.

This issue also affects third-party applications using the affected RPC library.

All 'kadmind' servers run on the master Kerberos server. Since the master server holds the KDC principal and policy database, an attack may not only compromise the affected computer, but could also compromise multiple hosts that use the server for authentication.

Kerberos 5 'kadmind' 1.6.1 and prior versions are vulnerable.

Affected Products:

  • Apple Mac OS X 10.3.9
  • Apple Mac OS X 10.4.10
  • Apple Mac OS X Server 10.3.9
  • Apple Mac OS X Server 10.4.10
  • Avaya Aura Application Enablement Services 4.0
  • Avaya Message Networking
  • Avaya Message Networking MN 3.1
  • Avaya Messaging Storage Server MM3.0
  • Conectiva Linux 8.0.0
  • Debian Linux 3.0.0
  • Debian Linux 3.0.0 alpha
  • Debian Linux 3.0.0 arm
  • Debian Linux 3.0.0 hppa
  • Debian Linux 3.0.0 ia-32
  • Debian Linux 3.0.0 ia-64
  • Debian Linux 3.0.0 m68k
  • Debian Linux 3.0.0 mips
  • Debian Linux 3.0.0 mipsel
  • Debian Linux 3.0.0 ppc
  • Debian Linux 3.0.0 s/390
  • Debian Linux 3.0.0 sparc
  • Debian Linux 3.1.0
  • Debian Linux 3.1.0 alpha
  • Debian Linux 3.1.0 amd64
  • Debian Linux 3.1.0 arm
  • Debian Linux 3.1.0 hppa
  • Debian Linux 3.1.0 ia-32
  • Debian Linux 3.1.0 ia-64
  • Debian Linux 3.1.0 m68k
  • Debian Linux 3.1.0 mips
  • Debian Linux 3.1.0 mipsel
  • Debian Linux 3.1.0 ppc
  • Debian Linux 3.1.0 s/390
  • Debian Linux 3.1.0 sparc
  • Debian Linux 4.0
  • Debian Linux 4.0 alpha
  • Debian Linux 4.0 amd64
  • Debian Linux 4.0 arm
  • Debian Linux 4.0 hppa
  • Debian Linux 4.0 ia-32
  • Debian Linux 4.0 ia-64
  • Debian Linux 4.0 m68k
  • Debian Linux 4.0 mips
  • Debian Linux 4.0 mipsel
  • Debian Linux 4.0 powerpc
  • Debian Linux 4.0 s/390
  • Debian Linux 4.0 sparc
  • Foresight Linux Foresight Linux 1.1
  • Gentoo Linux
  • HP HP-UX B.11.11
  • HP HP-UX B.11.23
  • HP HP-UX B.11.31
  • KTH Kerberos 4 0.0
  • KTH Kerberos 4 0.1.0
  • KTH Kerberos 4 0.10.0
  • KTH Kerberos 4 0.10.1
  • KTH Kerberos 4 0.5.0
  • KTH Kerberos 4 0.6.0
  • KTH Kerberos 4 0.7.0
  • KTH Kerberos 4 0.8.0
  • KTH Kerberos 4 0.9.0
  • KTH Kerberos 4 0.9.1
  • KTH Kerberos 4 0.9.2
  • KTH Kerberos 4 0.9.2 a
  • KTH Kerberos 4 0.9.3
  • KTH Kerberos 4 0.9.5
  • KTH Kerberos 4 0.9.6
  • KTH Kerberos 4 0.9.6 +patches
  • KTH Kerberos 4 0.9.7
  • KTH Kerberos 4 0.9.8
  • KTH Kerberos 4 0.9.9
  • KTH Kerberos 4 1.0.0
  • KTH Kerberos 4 1.0.0 -1.0.1
  • KTH Kerberos 4 1.0.0 .X
  • KTH Kerberos 4 1.0.1
  • KTH Kerberos 4 1.0.1 -1
  • KTH Kerberos 4 1.0.2
  • KTH Kerberos 4 1.0.3
  • KTH Kerberos 4 1.0.3 -1
  • KTH Kerberos 4 1.0.3 -1.0
  • KTH Kerberos 4 1.0.4
  • KTH Kerberos 4 1.1.1
  • Linux kernel 2.6.5
  • MIT Kerberos 4 1.0.0
  • MIT Kerberos 4 1.1.0
  • MIT Kerberos 4 4.0.0
  • MIT Kerberos 4 4.0.0 patch 10
  • MIT Kerberos 4 Protocol
  • MIT Kerberos 5 1.0.0
  • MIT Kerberos 5 1.0.6
  • MIT Kerberos 5 1.0.8
  • MIT Kerberos 5 1.1.0
  • MIT Kerberos 5 1.1.1
  • MIT Kerberos 5 1.2.0
  • MIT Kerberos 5 1.2.1
  • MIT Kerberos 5 1.2.2
  • MIT Kerberos 5 1.2.2 -beta1
  • MIT Kerberos 5 1.2.3
  • MIT Kerberos 5 1.2.4
  • MIT Kerberos 5 1.2.5
  • MIT Kerberos 5 1.2.6
  • MIT Kerberos 5 1.2.7
  • MIT Kerberos 5 1.2.8
  • MIT Kerberos 5 1.3.0
  • MIT Kerberos 5 1.3.0 -alpha1
  • MIT Kerberos 5 1.3.1
  • MIT Kerberos 5 1.3.2
  • MIT Kerberos 5 1.3.3
  • MIT Kerberos 5 1.3.4
  • MIT Kerberos 5 1.3.5
  • MIT Kerberos 5 1.3.6
  • MIT Kerberos 5 1.4.0
  • MIT Kerberos 5 1.4.1
  • MIT Kerberos 5 1.4.2
  • MIT Kerberos 5 1.4.3
  • MIT Kerberos 5 1.5.0
  • MIT Kerberos 5 1.5.1
  • MIT Kerberos 5 1.5.2
  • MIT Kerberos 5 1.5.3
  • MIT Kerberos 5 1.5.4
  • MIT Kerberos 5 1.6.0
  • MIT Kerberos 5 1.6.1
  • Mandriva Corporate Server 2.1.0
  • Mandriva Corporate Server 2.1.0 x86_64
  • Mandriva Corporate Server 3.0.0
  • Mandriva Corporate Server 3.0.0 x86_64
  • Mandriva Corporate Server 4.0
  • Mandriva Corporate Server 4.0.0 x86_64
  • Mandriva Linux Mandrake 10.0.0
  • Mandriva Linux Mandrake 10.0.0 amd64
  • Mandriva Linux Mandrake 10.1.0
  • Mandriva Linux Mandrake 10.1.0 x86_64
  • Mandriva Linux Mandrake 2007.0
  • Mandriva Linux Mandrake 2007.0 x86_64
  • Mandriva Linux Mandrake 2007.1
  • Mandriva Linux Mandrake 2007.1 x86_64
  • Mandriva Linux Mandrake 8.1.0
  • Mandriva Linux Mandrake 8.1.0 ia64
  • Mandriva Linux Mandrake 8.2.0
  • Mandriva Linux Mandrake 8.2.0 ppc
  • Mandriva Linux Mandrake 9.0.0
  • Mandriva Linux Mandrake 9.1.0
  • Mandriva Linux Mandrake 9.1.0 ppc
  • Mandriva Linux Mandrake 9.2.0
  • Mandriva Linux Mandrake 9.2.0 amd64
  • Mandriva Multi Network Firewall 2.0.0
  • Novell KDC (Key Distribution Center) 1.0
  • Novell KDC (Key Distribution Center) 1.0.2
  • OpenAFS OpenAFS 1.0.0
  • OpenAFS OpenAFS 1.0.1
  • OpenAFS OpenAFS 1.0.2
  • OpenAFS OpenAFS 1.0.3
  • OpenAFS OpenAFS 1.0.4
  • OpenAFS OpenAFS 1.0.4 a
  • OpenAFS OpenAFS 1.1.0
  • OpenAFS OpenAFS 1.1.1
  • OpenAFS OpenAFS 1.1.1 a
  • OpenAFS OpenAFS 1.2.0
  • OpenAFS OpenAFS 1.2.1
  • OpenAFS OpenAFS 1.2.2
  • OpenAFS OpenAFS 1.2.2 a
  • OpenAFS OpenAFS 1.2.2 b
  • OpenAFS OpenAFS 1.2.3
  • OpenAFS OpenAFS 1.2.4
  • OpenAFS OpenAFS 1.2.5
  • OpenAFS OpenAFS 1.2.6
  • OpenAFS OpenAFS 1.2.7
  • OpenAFS OpenAFS 1.2.8
  • OpenAFS OpenAFS 1.3.0
  • OpenAFS OpenAFS 1.3.1
  • OpenAFS OpenAFS 1.3.2
  • OpenBSD OpenBSD 3.1
  • OpenBSD OpenBSD 3.2
  • Red Hat Advanced Workstation for the Itanium Processor 2.1.0
  • Red Hat Desktop 3.0.0
  • Red Hat Desktop 4.0.0
  • Red Hat Enterprise Linux 5 server
  • Red Hat Enterprise Linux AS 2.1
  • Red Hat Enterprise Linux AS 3
  • Red Hat Enterprise Linux AS 4
  • Red Hat Enterprise Linux Desktop 5 client
  • Red Hat Enterprise Linux Desktop Workstation 5 client
  • Red Hat Enterprise Linux ES 2.1
  • Red Hat Enterprise Linux ES 3
  • Red Hat Enterprise Linux ES 4
  • Red Hat Enterprise Linux WS 2.1
  • Red Hat Enterprise Linux WS 3
  • Red Hat Enterprise Linux WS 4
  • Red Hat Fedora Core1
  • Red Hat Fedora Core2
  • Red Hat Fedora Core3
  • Red Hat Linux 6.2.0
  • Red Hat Linux 6.2.0 alpha
  • Red Hat Linux 6.2.0 i386
  • Red Hat Linux 6.2.0 sparc
  • Red Hat Linux 7.0.0
  • Red Hat Linux 7.0.0 alpha
  • Red Hat Linux 7.0.0 i386
  • Red Hat Linux 7.1.0
  • Red Hat Linux 7.1.0 alpha
  • Red Hat Linux 7.1.0 i386
  • Red Hat Linux 7.1.0 ia64
  • Red Hat Linux 7.2.0
  • Red Hat Linux 7.2.0 i386
  • Red Hat Linux 7.2.0 ia64
  • Red Hat Linux 7.3.0
  • Red Hat Linux 7.3.0 i386
  • Red Hat Linux 8.0.0
  • Red Hat Linux 8.0.0 i386
  • Red Hat Linux 9.0.0 i386
  • SGI ProPack 3.0.0 SP6
  • SuSE Linux 10.0
  • SuSE Linux 10.1
  • SuSE SUSE Linux Enterprise Desktop 10
  • SuSE SUSE Linux Enterprise SDK 10
  • SuSE SUSE Linux Enterprise Server 10
  • SuSE openSUSE 10.2
  • Trustix Secure Enterprise Linux 2.0.0
  • Trustix Secure Linux 2.1.0
  • Trustix Secure Linux 2.2.0
  • Trustix Secure Linux 3.0.0
  • Trustix Secure Linux 3.0.5
  • Turbolinux Appliance Server 2.0
  • Turbolinux Home
  • Turbolinux Multimedia
  • Turbolinux Personal
  • Turbolinux Turbolinux 10 F...
  • Turbolinux Turbolinux Desktop 10.0.0
  • Turbolinux Turbolinux Server 10.0.0
  • Turbolinux Turbolinux Server 10.0.0 x64
  • Turbolinux Turbolinux Server 8.0.0
  • Ubuntu Ubuntu Linux 6.06 LTS amd64
  • Ubuntu Ubuntu Linux 6.06 LTS i386
  • Ubuntu Ubuntu Linux 6.06 LTS powerpc
  • Ubuntu Ubuntu Linux 6.06 LTS sparc
  • Ubuntu Ubuntu Linux 6.10 amd64
  • Ubuntu Ubuntu Linux 6.10 i386
  • Ubuntu Ubuntu Linux 6.10 powerpc
  • Ubuntu Ubuntu Linux 6.10 sparc
  • Ubuntu Ubuntu Linux 7.04 amd64
  • Ubuntu Ubuntu Linux 7.04 i386
  • Ubuntu Ubuntu Linux 7.04 powerpc
  • Ubuntu Ubuntu Linux 7.04 sparc
  • VMWare ESX 2.1.3
  • VMWare ESX Server 2.0.2
  • VMWare ESX Server 2.0.2 Patch 1
  • VMWare ESX Server 2.0.2 Patch 2
  • VMWare ESX Server 2.0.2 Patch 4
  • VMWare ESX Server 2.0.2 Patch 5
  • VMWare ESX Server 2.1.3
  • VMWare ESX Server 2.1.3 Patch 1
  • VMWare ESX Server 2.1.3 Patch 2
  • VMWare ESX Server 2.1.3 Patch 5
  • VMWare ESX Server 2.5.3
  • VMWare ESX Server 2.5.3 Patch 2
  • VMWare ESX Server 2.5.3 Patch 4
  • VMWare ESX Server 2.5.3 Patch 5
  • VMWare ESX Server 2.5.3 Patch 6
  • VMWare ESX Server 2.5.3 Patch 7
  • VMWare ESX Server 2.5.3 Patch 8
  • VMWare ESX Server 2.5.4
  • VMWare ESX Server 2.5.4 Patch 1
  • VMWare ESX Server 2.5.4 Patch 3
  • VMWare ESX Server 2.5.4 Patch 5
  • VMWare ESX Server 3.0.0
  • VMWare ESX Server 3.0.1
  • VMWare ESX Server 3.0.2
  • WireX Immunix OS 7+
  • rPath rPath Linux 1

References:

Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.