=====================================================================
                                     CERT-Renater

                          Note d'Information No. 2007/VULN179
_____________________________________________________________________

DATE                      : 05/04/2007

HARDWARE PLATFORM(S)      : IBM.

OPERATING SYSTEM(S)       : AIX 5.2, AIX 5.3 running Network Authentication
                                                             Service .

======================================================================

IBM SECURITY ADVISORY

First Issued: Tue Apr  3 13:39:48 CDT 2007
===========================================================================
                            VULNERABILITY SUMMARY

VULNERABILITY:      A double free vulnerability may allow an attacker to
                     execute arbitrary code.

PLATFORMS:          Network Authentication Service 1.3 and 1.4
                     for AIX 5.2 and AIX 5.3.

SOLUTION:           Apply the fixes described below.

THREAT:             A remote attacker may execute arbitrary code on the
                     host running kadmind

CERT VU Number:     VU#419344
CVE Number:         CVE-2007-1216

===========================================================================
                            DETAILED INFORMATION


I.  Description
===============
The MIT Kerberos team recently reported various vulnerabilities in Kerberos
version 5. Kerberos is available for AIX via Network Authentication Service
on the Expansion Pack. Network Authentication Service for AIX is not
affected by MITKRB5-SA-2007-001 (CVE-2007-0956, VU#220816) or
MITKRB5-SA-2007-002 (CVE-2007-0957, VU#704024).

MITKRB5-SA-2007-003 (CVE-2007-1216,VU#419344) may allow an attacker to
execute arbitrary code on the host running kadmind. kamind runs as root so
the attacker could execute arbitrary code with root privileges. More
information about security vulnerabilities in MIT kerberos can be found at
http://web.mit.edu/kerberos/advisories/.

The following versions of Network Authentication Service are vulnerable:

      * Network Authentication Service 1.3.0.0 through 1.3.0.5
      * Network Authentication Service 1.4.0.0 through 1.4.0.5

To determine which version of Network Authentication Service is installed,
execute the following commands:

# lslpp -L krb5.client.rte
# lslpp -L krb5.server.rte

If the filesets are installed they will be listed along with version
information, state, type and a description. The first command prints
information for the client fileset and the second command prints
information for the server fileset. Affected hosts should upgrade all
affected Network Authentication Service filesets that are installed.


II. Impact
==========

A remote attacker may cause execute arbitrary code on a host running
kadmind.


III.  Solutions
===============

A. Fix
IBM provides the following fixes:

       AIX 5.2.0: Install Network Authentication Service version 1.4.0.6 or
       1.3.0.6.  Customers may contact AIX Support to request either
       versions.

       AIX 5.3.0: Install Network Authentication Service version
       1.3.0.6 or 1.4.0.6. Customers may contact AIX Support to request
       either versions. Version 1.4.0.6 will also available on the AIX 5L
       for POWER V5.3 Expansion Pack available in November 2007.  (form
       number LCD4-7460-08).

IV.  Contact Information
========================

If you would like to receive AIX Security Advisories via email, please visit:
      https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

      security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a
PGP Public Key Server. The key id is 0x3AE561C3.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.

======================================================================

            =========================================================
            Les serveurs de référence du CERT-Renater
            http://www.urec.fr/securite
            http://www.cru.fr/securite
            http://www.renater.fr
            =========================================================
            + CERT-RENATER          | tel : 01-53-94-20-44          +
            + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
            + 75013 Paris           | email: certsvp@renater.fr     +
            =========================================================