Vulnerabilities in MIT Kerberos 5

Affected systems

  • MIT Kerberos 5 versions prior to krb5-1.3.5
  • Applications that use versions of the MIT Kerberos 5 libraries earlier than krb5-1.3.5
  • Applications containing code derived from MIT Kerberos 5

Updated vendor information is available in the affected systems section of each individual vulnerability note.

Overview

The MIT Kerberos 5 implementation contains several vulnerabilities, the most serious of which could allow an unauthenticated, remote attacker to execute arbitrary code on a Kerberos Distribution Center (KDC). This could result in an entire Kerberos realm being compromised.

Description

There are several vulnerabilities in the MIT implementation of the Kerberos 5 protocol. With one exception (VU#550464), all of the vulnerabilities involve unsafe deallocation of heap memory (double-free vulnerabilities) during error handling and Abstract Syntax Notation One (ASN.1) decoding. For more details, please see the following vulnerability notes:

VU#795632 – MIT Kerberos 5 ASN.1 decode functions free memory insecurely (double free)

The MIT Kerberos 5 library does not securely free heap memory when decoding ASN.1 structures, leading to double-free vulnerabilities. An unauthenticated, remote attacker could execute arbitrary code on a KDC server, potentially compromising an entire Kerberos realm. An attacker may also be able to execute arbitrary code on Kerberos clients, or cause a denial of service on KDCs or clients.

(Other resources: MITKRB5-SA-2004-002, CAN-2004-0642)

VU#866472 – MIT Kerberos 5 ASN.1 decode function krb5_rd_cred() frees memory insecurely (double free)

The krb5_rd_cred() function in the MIT Kerberos 5 library does not securely free heap memory when decoding ASN.1 structures, resulting in a double-free vulnerability. A remote, authenticated attacker could execute arbitrary code or cause a denial of service on any system running an application that calls krb5_rd_cred(). This includes Kerberos application servers and other applications that handle Kerberos authentication through the MIT Kerberos 5 library, the Generic Security Services Application Programming Interface (GSSAPI), and other libraries.

(Other resources: MITKRB5-SA-2004-002, CAN-2004-0643)

VU#350792 – MIT Kerberos krb524d frees memory insecurely (double free)

The MIT Kerberos daemon krb524d does not securely free heap memory when handling an error condition, resulting in a double-free vulnerability. An unauthenticated, remote attacker could execute arbitrary code on a system running krb524d, which in many cases is also a KDC. Compromise of a KDC system can lead to compromise of an entire Kerberos realm. An attacker could also cause a denial of service on a system running krb524d.

(Other resources: MITKRB5-SA-2004-002, CAN-2004-0772)

VU#550464 – MIT Kerberos 5 ASN.1 decoding function asn1buf_skiptail() does not terminate its loop correctly

The asn1buf_skiptail() function in the MIT Kerberos 5 library does not properly terminate a loop, allowing an unauthenticated, remote attacker to cause a denial of service in a KDC, application server, or Kerberos client.

(Other resources: MITKRB5-SA-2004-003, CAN-2004-0644)
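The two defect classes described in the notes above (a helper that frees a half-built result on an error path while its caller frees it again, and a skip loop that does not reliably terminate) are easiest to understand next to the cleanup discipline that prevents them. The following is an added illustration written for this page; it is not MIT Kerberos code and does not reproduce the actual asn1buf_skiptail() or krb5_rd_cred() logic. The buffer type abuf, the element and pair structures, decode_tlv(), decode_pair() and skip_tail() are hypothetical names for a toy short-form TLV decoder, and the byte strings are constructed inputs. It shows two rules a reviewer would check for: every free also nulls the pointer so cleanup is idempotent on any error path, and every loop iteration either returns or makes bounded forward progress.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical decoding buffer: [next, bound) is the unread region.
   Constructed for this example; it is not MIT's asn1buf type. */
typedef struct { const uint8_t *next, *bound; } abuf;

/* A decoded element owning a heap copy of its content bytes. */
typedef struct { uint8_t tag; uint8_t *data; size_t len; } element;

/* Idempotent cleanup: free and null, so a second call is harmless. */
static void element_free(element *e) { free(e->data); e->data = NULL; e->len = 0; }

/* Decode one short-form TLV (tag, 1-byte length < 0x80, content).
   Returns 0 on success; on any error returns -1 with *out holding no heap
   pointer, so the caller's cleanup can never free something twice. */
static int decode_tlv(abuf *b, element *out) {
    out->tag = 0; out->data = NULL; out->len = 0;
    if (b->bound - b->next < 2) return -1;                   /* no room for tag+len */
    uint8_t tag = b->next[0], len = b->next[1];
    if (len & 0x80) return -1;                               /* long/indefinite form: reject */
    if ((size_t)(b->bound - b->next - 2) < len) return -1;   /* content truncated */
    out->data = malloc(len ? len : 1);
    if (!out->data) return -1;
    memcpy(out->data, b->next + 2, len);
    out->tag = tag; out->len = len;
    b->next += 2 + len;
    return 0;
}

/* A two-element structure and its cleanup. The classic double-free shape is:
   a helper frees a half-built result on error and the caller frees it again.
   Here every free also nulls the pointer, so the caller may call pair_free()
   unconditionally after a failure. */
typedef struct { element first, second; } pair;

static void pair_free(pair *p) { element_free(&p->first); element_free(&p->second); }

static int decode_pair(abuf *b, pair *p) {
    memset(p, 0, sizeof *p);
    if (decode_tlv(b, &p->first) != 0) goto fail;
    if (decode_tlv(b, &p->second) != 0) goto fail;           /* first is allocated here */
    return 0;
fail:
    pair_free(p);   /* releases whatever was allocated, leaves NULLs behind */
    return -1;
}

/* Skip trailing elements up to an end-of-contents marker (0x00 0x00).
   Every iteration either returns or advances next by at least 2 bytes, and
   the loop condition is bounded by the buffer, so malformed input cannot
   make it spin forever. */
static int skip_tail(abuf *b) {
    while (b->next < b->bound) {
        if (b->bound - b->next < 2) return -1;               /* dangling single byte */
        if (b->next[0] == 0x00 && b->next[1] == 0x00) { b->next += 2; return 0; }
        uint8_t len = b->next[1];
        if (len & 0x80) return -1;
        if ((size_t)(b->bound - b->next - 2) < len) return -1;
        b->next += 2 + len;
    }
    return -1;   /* buffer exhausted without an end-of-contents marker */
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t GOOD[]      = { 0x04, 0x02, 'h', 'i', 0x02, 0x01, 0x07 };
static const uint8_t TRUNCATED[] = { 0x04, 0x02, 'h', 'i', 0x02, 0x05, 0x07 };  /* 2nd claims 5 bytes */
static const uint8_t TAIL_OK[]   = { 0x05, 0x00, 0x04, 0x01, 'x', 0x00, 0x00, 0xAA };
static const uint8_t TAIL_BAD[]  = { 0x04, 0x7F };                               /* length overruns */

/* Each scenario returns 0 on the expected outcome, nonzero otherwise. */
int scenario_good(void) {
    abuf b = { GOOD, GOOD + sizeof GOOD }; pair p;
    int rc = decode_pair(&b, &p);
    int ok = rc == 0 && p.first.len == 2 && p.second.tag == 0x02 && p.second.data[0] == 7;
    pair_free(&p);
    return ok ? 0 : 1;
}

int scenario_truncated(void) {
    abuf b = { TRUNCATED, TRUNCATED + sizeof TRUNCATED }; pair p;
    int rc = decode_pair(&b, &p);        /* fails on the second element, helper cleans up */
    pair_free(&p);                       /* caller cleans up again: safe, pointers are NULL */
    return (rc == -1 && p.first.data == NULL) ? 0 : 1;
}

int scenario_skip(void) {
    abuf ok = { TAIL_OK, TAIL_OK + sizeof TAIL_OK };
    abuf bad = { TAIL_BAD, TAIL_BAD + sizeof TAIL_BAD };
    int r1 = skip_tail(&ok);             /* stops at EOC, leaves 0xAA unread */
    int r2 = skip_tail(&bad);            /* rejects instead of looping */
    return (r1 == 0 && *ok.next == 0xAA && r2 == -1) ? 0 : 1;
}

int main(void) { return scenario_good() | scenario_truncated() | scenario_skip(); }
```

The scenario_truncated() path is the one to study: the helper's failure cleanup and the caller's cleanup both run, and the program is still well-defined only because ownership is handed back as a NULL pointer. Building with AddressSanitizer (-fsanitize=address) is the practical way to catch the opposite pattern in real decoders, since a second free of a live pointer is reported immediately rather than silently corrupting the heap.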

Impact

The impacts of these vulnerabilities vary, but an attacker may be able to execute arbitrary code on KDCs, systems running krb524d (usually also KDCs), application servers, applications that use Kerberos libraries directly or through GSSAPI, and Kerberos clients. An attacker could also cause a denial of service on one of these systems.

The most serious vulnerabilities could allow an unauthenticated, remote attacker to execute arbitrary code on a KDC system. This could result in the KDC and an entire Kerberos realm being compromised.

Solution

Apply a patch or upgrade

Check with your vendor(s) for patches or updates. For vendor-specific information, please see the affected systems sections of the vulnerability notes or contact your vendor directly.

You can also apply the appropriate source code patch(es) referenced in MITKRB5-SA-2004-002 and MITKRB5-SA-2004-003 and recompile.

These vulnerabilities will be fixed in krb5-1.3.5.

Appendix A. References


Thanks to Tom Yu and the MIT Kerberos development team for fixing these vulnerabilities and coordinating with vendors. MIT thanks the following individuals: Will Fiveash, Joseph Galbraith, John Hawkinson, Marc Horowitz, and Nico Williams.

Revision history