=====================================================================
                                  CERT-Renater

                       Information Note No. 2005/VULN550
_____________________________________________________________________

DATE                      : 20/09/2005

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running Kerberos KDC Daemon.

======================================================================

Sun(sm) Alert Notification
      * Sun Alert ID: 101809
      * Synopsis: Security Vulnerabilities in the Kerberos Key
        Distribution Center (KDC) Daemon
      * Category: Security
      * Product: Solaris 9 Operating System, Solaris 10 Operating System,
        Sun Enterprise Authentication Mechanism, Solaris 8 Operating
        System
      * BugIDs: 6261685
      * Avoidance: Patch, Workaround
      * State: Resolved
      * Date Released: 12-Jul-2005, 14-Sep-2005
      * Date Closed: 14-Sep-2005
      * Date Modified: 02-Aug-2005, 16-Aug-2005, 14-Sep-2005

1. Impact

    An unprivileged (either authenticated or unauthenticated) remote user
    may be able to execute arbitrary code with root privileges on Kerberos
    Key Distribution Center (KDC) systems and thus compromise an entire
    Kerberos realm due to a heap buffer overflow.

    The unprivileged remote user may also be able to trigger an invalid
    free() and thus crash the KDC daemon (krb5kdc(1M)) on KDC systems,
    thereby creating a Denial of Service (DoS).

    These issues are described in MIT krb5 Security Advisory 2005-002, at

    http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt

    These issues are also described in

    CERT Vulnerability VU#259798 at
    http://www.kb.cert.org/vuls/id/259798

    CERT Vulnerability VU#885830 at
    http://www.kb.cert.org/vuls/id/885830

    and:

    CAN-2005-1174 at
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

    CAN-2005-1175 at
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175

2. Contributing Factors

    These issues can occur in the following releases:

    SPARC Platform
      * SEAM 1.0.1 for Solaris 8
      * SEAM 1.0.2 for Solaris 9
      * Solaris 8 without patch 112237-13
      * Solaris 8 with the Solaris Supplemental Encryption packages and
        without patch 112390-11
      * Solaris 9 without patch 112908-20
      * Solaris 10 without patch 120469-01

    x86 Platform
      * SEAM 1.0.1 for Solaris 8
      * SEAM 1.0.2 for Solaris 9
      * Solaris 8 without patch 112238-12
      * Solaris 8 with the Solaris Supplemental Encryption packages and
        without patch 112240-10
      * Solaris 9 without patch 115168-08
      * Solaris 10 without patch 120470-01

    Notes:
     1. Only systems that are configured to use Kerberos and are configured
        as a Key Distribution Center (KDC) host are affected by these issues.
     2. Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled
        product available for Solaris 7, 8 and 9. For more information on
        SEAM, please see the SEAM(5) man page.
     3. Although SEAM 1.0 for Solaris 7 is affected by this issue, Solaris
        7 will not be evaluated regarding the potential impact of the
        issue described in this Sun Alert.
     4. Different components of the SEAM product have migrated to Solaris
        over time and thus both Solaris 9 and SEAM 1.0.2 are impacted.
        This is also the reason that there is no SEAM product for Solaris
        10.

    To determine if a system is configured to utilize Kerberos, the
    following command can be run:
     $ grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___

    If the command returns no output or the "krb5.conf" file is not found,
    then the system is not configured for Kerberos.

    To determine if a Kerberos configured system is a Key Distribution
    Center (KDC) host, check to see if the KDC daemon (see krb5kdc(1M)) is
    running:
     $ pgrep krb5kdc || echo "krb5kdc(1M) daemon is NOT running"

    To determine if SEAM has been installed, the following command can be
    run:
     $ pkginfo SUNWkr5sv

    If the SUNWkr5sv package is present, SEAM is installed on the system.

3. Symptoms

    There are no reliable symptoms that would indicate the described
    issues have been exploited to execute arbitrary commands as root on a
    Kerberos host.

4. Relief/Workaround

    In order to prevent users from being able to kill the KDC daemon,
    sites can stop the KDC daemon from listening for TCP client
    connections. This can be done by modifying the kdc.conf(4) file and
    changing the entry for "kdc_tcp_ports" to a value of zero. The KDC
    daemon, krb5kdc(1M), will need to be restarted after making the above
    modification.

    Note: This change does not protect a system from the heap buffer
    overflow issue.

5. Resolution

    This issue is addressed in the following releases:

    SPARC Platform
      * Solaris 8 with the Solaris Supplemental Encryption packages and
        with patch 112390-11 or later
      * Solaris 8 with patch 112237-13 or later
      * Solaris 9 with patch 112908-20 or later
      * Solaris 10 with patch 120469-01 or later

    x86 Platform
      * Solaris 8 with the Solaris Supplemental Encryption packages and
        with patch 112240-10 or later
      * Solaris 8 with patch 112238-12 or later
      * Solaris 9 with patch 115168-08 or later
      * Solaris 10 with patch 120470-01 or later
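
    The checks given in sections 2, 4 and 5 (is Kerberos configured, is the
    TCP listener disabled as a workaround, is the required patch revision
    installed) can be combined into a single audit. The script below is an
    added example written for this note; it is not part of the Sun Alert
    and not Solaris or SEAM code. It works on configuration text and a
    "showrev -p" listing supplied as files, so it runs offline against the
    constructed sample inputs it writes to a temporary directory; on a real
    KDC host it would be pointed at /etc/krb5/krb5.conf, /etc/krb5/kdc.conf
    and the live "showrev -p" output, and the "pgrep krb5kdc" check from
    section 2 would still be run separately. The function names, the
    platform/release keys (including "8-senc" for Solaris 8 with the
    Supplemental Encryption packages) and all sample data are assumptions
    of this example.

```shell
#!/bin/sh
# Added audit helper for Sun Alert 101809 (example code, not from the advisory).
# Patch IDs below are the ones listed in the advisory's Resolution section.

# required_patch <platform> <release>: prints the patch ID that resolves the
# issue. Solaris 8 has a second key, "8-senc", for hosts carrying the
# Solaris Supplemental Encryption packages, which take their own patch.
required_patch() {
    case "$1 $2" in
        "sparc 8")      echo 112237-13 ;;
        "sparc 8-senc") echo 112390-11 ;;
        "sparc 9")      echo 112908-20 ;;
        "sparc 10")     echo 120469-01 ;;
        "x86 8")        echo 112238-12 ;;
        "x86 8-senc")   echo 112240-10 ;;
        "x86 9")        echo 115168-08 ;;
        "x86 10")       echo 120470-01 ;;
        *)              return 1 ;;
    esac
}

# kerberos_configured <krb5.conf>: the advisory's grep test. Succeeds only if
# the file exists and names a realm other than the ___default_realm___
# placeholder found in an unconfigured template.
kerberos_configured() {
    [ -r "$1" ] || return 1
    grep default_realm "$1" | grep -v ___default_realm___ >/dev/null
}

# kdc_tcp_listener_disabled <kdc.conf>: true when the DoS workaround is in
# place, i.e. kdc_tcp_ports is set to 0 (whitespace around '=' tolerated).
kdc_tcp_listener_disabled() {
    [ -r "$1" ] || return 1
    awk -F= '/^[[:space:]]*kdc_tcp_ports[[:space:]]*=/ {
                 gsub(/[[:space:]]/, "", $2); if ($2 == "0") found = 1 }
             END { exit found ? 0 : 1 }' "$1"
}

# patch_installed <showrev -p output> <platform> <release>: succeeds when a
# patch with the required base ID is listed at the required revision or
# later. Patch IDs have the form <base>-<rev>.
patch_installed() {
    req=$(required_patch "$2" "$3") || return 2
    awk -v req="$req" '
        BEGIN { split(req, r, "-"); base = r[1]; need = r[2] + 0; ok = 0 }
        $1 == "Patch:" { split($2, p, "-")
                         if (p[1] == base && p[2] + 0 >= need) ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# audit <platform> <release> <krb5.conf> <kdc.conf> <showrev output>:
# prints one line of status; exit 0 means not affected or resolved.
audit() {
    if ! kerberos_configured "$3"; then
        echo "Kerberos not configured: not affected"; return 0
    fi
    if patch_installed "$5" "$1" "$2"; then
        echo "required KDC patch present: resolved"; return 0
    fi
    if kdc_tcp_listener_disabled "$4"; then
        echo "UNPATCHED; TCP listener disabled (DoS workaround only, heap overflow remains)"
    else
        echo "UNPATCHED; no workaround in place"
    fi
    return 1
}

# --- constructed sample inputs (not taken from any real host) ---
TMP=$(mktemp -d)
cat > "$TMP/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
EOF
cat > "$TMP/krb5.conf.template" <<'EOF'
[libdefaults]
        default_realm = ___default_realm___
EOF
cat > "$TMP/kdc.conf" <<'EOF'
[kdcdefaults]
        kdc_ports = 88,750
        kdc_tcp_ports = 0
EOF
cat > "$TMP/showrev.txt" <<'EOF'
Patch: 112908-19 Obsoletes: Requires: Incompatibles: Packages: SUNWkrbu
Patch: 112908-20 Obsoletes: Requires: Incompatibles: Packages: SUNWkrbu
Patch: 115168-07 Obsoletes: Requires: Incompatibles: Packages: SUNWkrbu
EOF

# A SPARC Solaris 9 host with 112908-20 installed reports "resolved".
audit sparc 9 "$TMP/krb5.conf" "$TMP/kdc.conf" "$TMP/showrev.txt"
```

    patch_installed only compares the base ID and revision of the patches
    actually listed; it does not follow "Obsoletes:" chains, so a host
    carrying a later patch that obsoletes the listed one will be reported
    as unpatched and should be confirmed by hand against the Resolution
    section.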

Change History

    02-Aug-2005:
      * Updated Contributing Factors and Resolution sections

    16-Aug-2005:
      * Updated Contributing Factors and Resolution sections

    14-Sep-2005:
      * Updated Contributing Factors and Resolution sections; re-released
        as Resolved

    This Sun Alert notification is being provided to you on an "AS IS"
    basis. This Sun Alert notification may contain information provided by
    third parties. The issues described in this Sun Alert notification may
    or may not impact your system(s). Sun makes no representations,
    warranties, or guarantees as to the information contained herein. ANY
    AND ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING WITHOUT LIMITATION
    WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR
    NON-INFRINGEMENT, ARE HEREBY DISCLAIMED. BY ACCESSING THIS DOCUMENT
    YOU ACKNOWLEDGE THAT SUN SHALL IN NO EVENT BE LIABLE FOR ANY DIRECT,
    INDIRECT, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES THAT ARISE
    OUT OF YOUR USE OR FAILURE TO USE THE INFORMATION CONTAINED HEREIN.
    This Sun Alert notification contains Sun proprietary and confidential
    information. It is being provided to you pursuant to the provisions of
    your agreement to purchase services from Sun, or, if you do not have
    such an agreement, the Sun.com Terms of Use. This Sun Alert
    notification may only be used for the purposes contemplated by these
    agreements.

    Copyright 2000-2005 Sun Microsystems, Inc., 4150 Network Circle, Santa
    Clara, CA 95054 U.S.A. All rights reserved

======================================================================

         =========================================================
         CERT-Renater reference servers
         http://www.urec.fr/securite
         http://www.cru.fr/securite
         http://www.renater.fr
         =========================================================
         + CERT-RENATER          | tel : 01-53-94-20-44          +
         + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
         + 75013 Paris           | email: certsvp@renater.fr     +
         =========================================================
