Kerberos Detected
Updated (3.1.2)
CVE 2000-0389
CVE 2000-0390
CVE 2000-0391
Impact
If any services which use a vulnerable version of Kerberos are
enabled, remote root access may be possible due to a buffer overflow
condition. If the Key Distribution Center is affected, the entire
Kerberos domain could be compromised.
Background
Kerberos is used to provide strong authentication and encryption between
a client and a server. A Key Distribution Center (KDC), consisting of an
authentication server and a ticket granting server, is involved in the
authentication process. Cryptography is used to verify the identity of
the user and the server, and to encrypt the session between them.
The Problem
Vulnerabilities in MIT/Cygnus versions
Four buffer overflow conditions have been discovered in Kerberos.
The most serious one could allow remote root access if any of the
following services are running.
- krshd
- klogind (if Kerberos 4 authentication is accepted)
- telnetd (if Kerberos 4 authentication is accepted)
- ftpd (if Kerberos 4 authentication is accepted)
- rkinitd
- kpopd
Another buffer overflow condition could allow a local attacker
to gain root access by exploiting v4rcp or ksu.
The following implementations of Kerberos are affected by these
vulnerabilities:
- MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
- MIT Kerberos 4 patch 10, and likely earlier releases as well
- KerbNet (Cygnus implementation of Kerberos 5)
- Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)
Vulnerabilities in KTH version
Three vulnerabilities have been discovered in the KTH version
of Kerberos, which is included in the OpenBSD and FreeBSD operating
systems. Two of these vulnerabilities can be used in conjunction
with each other to gain root access on an affected system.
The first vulnerability allows a remote telnet user to pass
environment variables through the telnet session without
requiring a local user account. By resetting the krb4_proxy
variable, an attacker could cause the Kerberos authentication
requests to go to a fake server, thus fooling the system
into accepting a false reply. The second vulnerability, a
buffer overflow condition in the code which processes authentication
replies, could be used with the first vulnerability to gain
root access.
The third vulnerability could allow arbitrary files to
be overwritten on the system. Ticket files are created
in the /tmp directory with predictable
file names. A user with an account on the system could
guess the file name of a future ticket file, and symbolically
link that file name to an arbitrary file on the system.
When the ticket file is created, the arbitrary file is
overwritten.
Resolution
To fix the problems in the MIT version, upgrade to Kerberos version
krb5-1.2, or install the appropriate patches to fix the problem.
Alternatively, the problems in some of the services can be fixed with
the following workarounds:
- The vulnerability in the klogind and telnetd
services can be fixed by disabling Kerberos 4 authentication. This can
be done by inserting the appropriate command-line options into their
invocation in /etc/inetd.conf. Consult the Kerberos
documentation to find out which options to use. This workaround is also
possible for krshd but may not be effective due to another
unrelated buffer overflow in that service.
- Remove the set-userid mode from v4rcp and ksu. This
can be done by changing into the directory containing those files and
entering chmod u-s v4rcp and chmod u-s ksu.
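As an added example (not part of this advisory or of any Kerberos release), the following POSIX shell helper audits whether the two workarounds above are in place: it reports which of the services listed in this advisory are still enabled in an inetd.conf and whether v4rcp and ksu still carry the set-user-id bit. The sample inetd.conf and all file paths are constructed assumptions.

```shell
#!/bin/sh
# Added audit helper, not part of the advisory or of any Kerberos release:
# reports which services named above are still enabled in an inetd.conf and
# whether v4rcp/ksu still carry the set-user-id bit. All paths are assumptions.

# Services the advisory names as remotely exploitable with Kerberos 4 enabled.
VULN_SERVICES="krshd klogind telnetd ftpd rkinitd kpopd"

# Write a constructed sample inetd.conf (not a real system file) to $1.
write_sample_inetd() {
    cat > "$1" <<'EOF'
telnet   stream tcp nowait root /usr/sbin/telnetd telnetd
klogin   stream tcp nowait root /usr/sbin/klogind klogind
#kshell  stream tcp nowait root /usr/sbin/krshd   krshd
ftp      stream tcp nowait root /usr/sbin/ftpd    ftpd -a
echo     stream tcp nowait root internal
EOF
}

# Print, in file order, each vulnerable daemon found on an active (non-commented)
# inetd.conf line. The server program is field 6; "internal" never matches.
enabled_vuln_services() {
    grep -v '^[[:space:]]*#' "$1" | while read -r line; do
        set -- $line
        [ $# -ge 6 ] || continue    # blank or short line: no server program
        prog=$(basename "$6")
        for s in $VULN_SERVICES; do
            [ "$prog" = "$s" ] && echo "$s"
        done
    done
    return 0
}

# Print each given file that still has the set-user-id bit, i.e. where the
# "chmod u-s" workaround has not yet been applied.
setuid_files() {
    for f in "$@"; do
        [ -u "$f" ] && echo "$f"
    done
    return 0
}

# Demonstration on the constructed sample and two empty stand-in binaries.
demo=$(mktemp -d); write_sample_inetd "$demo/inetd.conf"
: > "$demo/ksu"; : > "$demo/v4rcp"; chmod u+s "$demo/ksu"   # ksu not yet fixed
echo "enabled vulnerable services:"; enabled_vuln_services "$demo/inetd.conf"
echo "still set-user-id:"; setuid_files "$demo/ksu" "$demo/v4rcp"
rm -rf "$demo"
```

Run it against the real /etc/inetd.conf and the directory holding v4rcp and ksu; an empty report for both checks means the workarounds have been applied.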
To fix the vulnerability in the KTH version, see the posting to Bugtraq.
Where can I read more about this?
More information is available from CERT Advisory 2000-06 or the Kerberos advisory.