=====================================================================
                                     CERT-Renater

                          Information Note No. 2007/VULN175
_____________________________________________________________________

DATE                      : 04/04/2007

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running MIT Kerberos 5.

======================================================================

                      National Cyber Alert System

                Technical Cyber Security Alert TA07-093B


MIT Kerberos Vulnerabilities

    Original release date: April 03, 2007
    Last revised: --
    Source: US-CERT


Systems Affected

      * MIT Kerberos

    Other products based on the GSS-API or the RPC libraries provided
    with MIT Kerberos may also be affected.


Overview

    The MIT Kerberos 5 implementation contains several vulnerabilities.
    One of these vulnerabilities (VU#220816) could allow a remote,
    unauthenticated attacker to log in via telnet (23/tcp) with
    elevated privileges. The other vulnerabilities (VU#704024,
    VU#419344) could allow a remote, authenticated attacker to execute
    arbitrary code on a Key Distribution Center (KDC).


I. Description

    There are three vulnerabilities that affect MIT Kerberos 5:

    * VU#220816 - MIT Kerberos 5 telnet daemon allows login as
                  arbitrary user

      The telnet daemon included with the MIT Kerberos administration
      daemon contains a vulnerability that may allow a remote,
      unauthorized user to log on to the system with elevated
      privileges.

    * VU#704024 - MIT Kerberos 5 administration daemon stack overflow
                  in krb5_klog_syslog()

      The MIT Kerberos administration daemon contains a vulnerability
      in the way the krb5_klog_syslog() function handles specially
      crafted strings that may allow a remote, authenticated attacker
      to execute arbitrary code. Other server applications that call
      krb5_klog_syslog() may also be affected. This vulnerability can
      be triggered by sending a specially crafted Kerberos message to a
      vulnerable system.

    * VU#419344 - MIT Kerberos 5 GSS-API library double-free
                  vulnerability

      A vulnerability exists in the way that the GSS-API library
      provided with MIT krb5 handles messages with an invalid direction
      encoding, resulting in a double free which may allow a remote,
      authenticated attacker to execute arbitrary code. Other server
      applications that utilize the RPC library or the GSS-API library
      provided with MIT Kerberos may also be affected. This
      vulnerability can be triggered by sending a specially crafted
      Kerberos message to a vulnerable system.


II. Impact

    In the case of VU#220816 a remote attacker could log on to the
    system via telnet and gain elevated privileges.

    In the case of VU#704024 and VU#419344, a remote, authenticated
    attacker may be able to execute arbitrary code on KDCs, systems
    running kadmind, and application servers that use the RPC or
    GSS-API libraries. An attacker could also cause a denial of service
    on any of these systems. As a secondary impact, either one of these
    vulnerabilities could result in the compromise of both the KDC and
    an entire Kerberos realm.


III. Solution

    Check with your vendors for patches or updates. For information
    about a vendor, please see the systems affected section in the
    individual vulnerability notes or contact your vendor directly.

    Alternatively, apply the appropriate source code patches referenced
    in MITKRB5-SA-2007-001, MITKRB5-SA-2007-002, and
    MITKRB5-SA-2007-003 and recompile.

    These vulnerabilities will also be addressed in krb5-1.6.1.
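    The version check below is an added example for administrators
    following this solution section; it is not part of the US-CERT alert
    or of MIT's own tooling. It assumes that `krb5-config --version`
    prints a banner of the form "Kerberos 5 release X.Y.Z" (the helper
    names and the sample banners are this example's own, constructed for
    illustration) and flags any release below krb5-1.6.1 as needing the
    vendor or MITKRB5-SA-2007-001/002/003 patches. Vendor packages that
    backport the fixes without bumping the release number are not detected
    by a version string alone, so treat a "below 1.6.1" result as a prompt
    to confirm the package changelog rather than as proof of exposure.

```shell
#!/bin/sh
# Added example: is the installed MIT Kerberos at or above the release
# (krb5-1.6.1) that the advisory names as containing the fixes?
# Hypothetical helper names; not code from the advisory or from MIT.

FIXED_VERSION="1.6.1"

# Pull "X.Y.Z" out of an assumed banner line "Kerberos 5 release X.Y.Z".
# Prints nothing when the line carries no recognisable release number.
krb5_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/.*release \([0-9][0-9.]*\).*/\1/p'
}

# Dotted-version comparison: returns 0 when $1 >= $2, 1 otherwise.
# Missing components count as 0, so "1.6" < "1.6.1" and "1.6.10" > "1.6.1".
version_ge() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, A, "."); nb = split(b, B, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            x = (i <= na) ? A[i] + 0 : 0
            y = (i <= nb) ? B[i] + 0 : 0
            if (x > y) exit 0
            if (x < y) exit 1
        }
        exit 0
    }'
}

# Returns 0 if the banner names a fixed release, 1 if it is below the
# fixed release, 2 if no release number could be parsed.
krb5_banner_is_fixed() {
    v=$(krb5_version_from_banner "$1")
    [ -n "$v" ] || return 2
    version_ge "$v" "$FIXED_VERSION"
}

# Run the check against the locally installed krb5, if krb5-config exists.
check_installed_krb5() {
    if ! command -v krb5-config >/dev/null 2>&1; then
        echo "krb5-config not found; check the vendor package version instead"
        return 2
    fi
    banner=$(krb5-config --version)
    if krb5_banner_is_fixed "$banner"; then
        echo "OK      : $banner (>= $FIXED_VERSION)"
    else
        echo "AFFECTED: $banner is below $FIXED_VERSION; apply vendor patches"
        return 1
    fi
}

# Constructed sample banners (not real system output) to show the decision.
for banner in "Kerberos 5 release 1.5.2" "Kerberos 5 release 1.6" \
              "Kerberos 5 release 1.6.1" "Kerberos 5 release 1.7"; do
    if krb5_banner_is_fixed "$banner"; then
        echo "OK      : $banner"
    else
        echo "AFFECTED: $banner (below $FIXED_VERSION)"
    fi
done
```

    On a real host, call check_installed_krb5 after the sample loop; it
    exits non-zero for an affected release so the script can be used from
    a configuration-audit job.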


IV. References

      * US-CERT Vulnerability Note VU#220816 -
        <http://www.kb.cert.org/vuls/id/220816>

      * US-CERT Vulnerability Note VU#704024 -
        <http://www.kb.cert.org/vuls/id/704024>

      * US-CERT Vulnerability Note VU#419344 -
        <http://www.kb.cert.org/vuls/id/419344>

      * MIT krb5 Security Advisory 2007-001 -
        <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001-telnetd.txt>

      * MIT krb5 Security Advisory 2007-002 -
        <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt>

      * MIT krb5 Security Advisory 2007-003 -
        <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-003.txt>


  ____________________________________________________________________

    The most recent version of this document can be found at:

      <http://www.us-cert.gov/cas/techalerts/TA07-093B.html>
  ____________________________________________________________________

    Feedback can be directed to US-CERT Technical Staff. Please send
    email to <cert@cert.org> with "TA07-093B Feedback VU#202816" in the
    subject.
  ____________________________________________________________________

    For instructions on subscribing to or unsubscribing from this
    mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
  ____________________________________________________________________

    Produced 2007 by US-CERT, a government organization.

    Terms of use:

      <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________


Revision History

    April 03, 2007: Initial release

======================================================================

            =========================================================
            CERT-Renater reference servers
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================
