=====================================================================
                          CERT-Renater

              Information Note No. 2004/VULN144
_____________________________________________________________________

DATE                 : 02/04/2004

HARDWARE PLATFORM(S) : /

OPERATING SYSTEM(S)  : Systems running Heimdal versions prior to
                       0.6.1 and 0.5.3.

======================================================================

2004-04-01: Cross-realm trust vulnerability in Heimdal

All releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability
allowing someone with control over a realm to impersonate anyone in the
cross-realm trust path.

0.6.1 and 0.5.3 perform proper consistency checks on cross-realm
requests, as well as allowing for better control over transit checks.

If you are running a vulnerable KDC version and have established
cross-realm trust with anyone, we recommend that you disable this trust
and then upgrade to 0.6.1.

To see if you have any cross-realm trust enabled, you can list all
krbtgt principals in the database:

    kadmin> get -t krbtgt/*
    krbtgt/@
    krbtgt/@
    krbtgt/@

If you have any variants, you can temporarily disable them with:

    kadmin> mod krbtgt/@
    Max ticket life [unlimited]:
    Max renewable life [unlimited]:
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes []:+disallow-all-tix

You have to repeat this for all such principals as there is no easy way
to automate this. If you have a huge number to update, you will probably
have to dump the database, edit the dump, and reload.

After upgrading the KDC you can reenable them with:

    kadmin> mod krbtgt/@
    Max ticket life [unlimited]:
    Max renewable life [unlimited]:
    Principal expiration time [never]:
    Password expiration time [never]:
    Attributes [disallow-all-tix]:-disallow-all-tix

See also CAN-2004-0371.
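
The listing step above, as an added example (not part of the advisory and not Heimdal code): a Python helper that reads the principal names printed by the krbtgt listing and separates the realm's own krbtgt/R@R entry from the cross-realm entries. The realm names and the local_realm parameter are constructed sample values.

```python
"""Added example: pick cross-realm krbtgt principals out of a kadmin listing."""
from typing import NamedTuple, Optional, Tuple

# Constructed sample listing (one principal per line); realm names are made up.
SAMPLE_LISTING = """\
krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
krbtgt/PARTNER.EXAMPLE@EXAMPLE.ORG
krbtgt/EXAMPLE.ORG@PARTNER.EXAMPLE
"""

class Trust(NamedTuple):
    principal: str
    direction: str  # "inbound", "outbound" or "other"
    peer: str       # the realm on the other side of the trust

def parse_krbtgt(name: str) -> Optional[Tuple[str, str]]:
    """Split 'krbtgt/TARGET@ISSUER'; return None for anything else."""
    head, sep, issuer = name.strip().rpartition("@")
    if not sep or not head.startswith("krbtgt/"):
        return None
    target = head[len("krbtgt/"):]
    if not target or not issuer:
        return None  # incomplete name, e.g. a bare 'krbtgt/@'
    return target, issuer

def cross_realm_principals(lines, local_realm: str):
    """Return a Trust entry for every krbtgt principal that spans two realms."""
    found = []
    for line in lines:
        parsed = parse_krbtgt(line)
        if parsed is None:
            continue
        target, issuer = parsed
        if target == issuer:
            continue  # krbtgt/R@R is the realm's own TGS key, not a trust
        if target == local_realm:
            # key for tickets issued by the peer realm and accepted here
            found.append(Trust(line.strip(), "inbound", issuer))
        elif issuer == local_realm:
            # key for tickets issued here for the peer realm's TGS
            found.append(Trust(line.strip(), "outbound", target))
        else:
            found.append(Trust(line.strip(), "other", issuer))
    return found

if __name__ == "__main__":
    for t in cross_realm_principals(SAMPLE_LISTING.splitlines(), "EXAMPLE.ORG"):
        print(f"{t.direction:8} peer={t.peer:16} {t.principal}")
```

Every principal it returns is a cross-realm entry, the kind the advisory says to set +disallow-all-tix on until the KDC is upgraded.
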
======================================================================

=========================================================
CERT-Renater reference servers
    http://www.urec.fr/securite
    http://www.cru.fr/securite
    http://www.renater.fr
=========================================================
+ CERT-RENATER        | tel  : 01-53-94-20-44          +
+ 151 bd de l'Hopital | fax  : 01-53-94-20-41          +
+ 75013 Paris         | email: certsvp@renater.fr      +
=========================================================