=====================================================================
                                   CERT-Renater

                        Information Note No. 2011/VULN109
_____________________________________________________________________

DATE                      : 11/02/2011

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running MIT krb5 1.6 and later.

======================================================================
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-001.txt
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-002.txt
______________________________________________________________________

MITKRB5-SA-2011-001

MIT krb5 Security Advisory 2011-001
Original release: 2011-02-08
Last update: 2011-02-08

Topic: kpropd denial of service

CVE-2010-4022

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:H/RL:OF/RC:C

CVSSv2 Base Score:      5

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Partial

CVSSv2 Temporal Score:  4.4

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SUMMARY
=======

The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to
a denial-of-service attack triggered by invalid network input.  If a
kpropd worker process receives invalid input that causes it to exit
with an abnormal status, it can cause the termination of the listening
process that spawned it, preventing the slave KDC it was running on
from receiving database updates from the master KDC.

Exploit code is not known to exist, but the vulnerability is easy to
trigger manually.

IMPACT
======

An unauthenticated remote attacker can cause kpropd running in
standalone mode (the "-S" option) to terminate its listening process,
preventing database propagations to the KDC host on which it was
running.  Configurations where kpropd runs in incremental propagation
mode ("iprop") or as an inetd server are not affected.

AFFECTED SOFTWARE
=================

kpropd in releases krb5-1.7 and later is vulnerable.  Earlier
releases did not contain the incremental propagation implementation
that inadvertently introduced this problem.

FIXES
=====

* Workaround: if incremental propagation is not configured, run kpropd
  as an inetd service.

* Future patch releases for 1.7, 1.8, and 1.9 will contain a fix.

* Apply the patch:

diff -up krb5/src/slave/kpropd.c krb5/src/slave/kpropd.c
- --- krb5/src/slave/kpropd.c	2010-12-17 11:14:26.000000000 -0500
+++ krb5/src/slave/kpropd.c	2010-12-17 11:41:19.000000000 -0500
@@ -404,11 +404,11 @@ retry:
             }

             close(s);
- -            if (iproprole == IPROP_SLAVE)
+            if (iproprole == IPROP_SLAVE) {
                 close(finet);
- -
- -            if ((ret = WEXITSTATUS(status)) != 0)
- -                return (ret);
+                if ((ret = WEXITSTATUS(status)) != 0)
+                    return (ret);
+            }
         }
         if (iproprole == IPROP_SLAVE)
             break;
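
Review bot: The removed lines in this hunk carry the PGP clear-sign dash escape ("- --- krb5/src/slave/kpropd.c", "- -            if (iproprole == IPROP_SLAVE)"), so the text as shown will not apply with patch(1) until the leading "- " is stripped; unescape it first or use the plain copy at the URL given under "This patch is also available at". On the logic, moving the WEXITSTATUS() check inside the IPROP_SLAVE block is the minimal fix and matches the DETAILS section, but in the non-slave path a worker's abnormal exit status is now dropped without a trace; a log line on a nonzero status at that point would give operators a detection signal for the invalid input this advisory describes.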

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-001-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-001-patch.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4022

ACKNOWLEDGMENTS
===============

This issue was discovered by Keiichi Mori of Red Hat.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

As a result of the changes implementing incremental propagation, the
do_standalone() function in kpropd.c gained a flaw in child process
handling.  The do_iprop() function, which implements the bulk of the
incremental propagation capability, may need to receive a full
database dump from the master KDC, and calls do_standalone() with an
iprop_role argument of IPROP_SLAVE to partially emulate the behavior
of an ordinary (non-incremental) kpropd.  Unlike in earlier versions
of kpropd, do_standalone() returns the child's exit status (and thus
ceases accepting connections) if the worker process child exits
abnormally, rather than ignoring it.  The correct behavior when
receiving an abnormal exit status from the child process would be to
return from do_standalone() only when invoked from do_iprop().
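
As an added illustration of the do_standalone() policy described above (example code written for this note, not kpropd's own): the role constants and the simulated worker are assumptions; only the IPROP_SLAVE/WEXITSTATUS decision mirrors the fix.

```c
/* Added example, not kpropd code: models the child-exit policy the
 * 2011-001 fix gives do_standalone().  Role values and the simulated
 * worker are assumptions; only the IPROP_SLAVE/WEXITSTATUS logic mirrors it. */
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum { IPROP_NULL = 0, IPROP_SLAVE = 1 };   /* placeholders for kpropd's roles */

/* Patched policy: an abnormal child status ends the accept loop only when
 * do_standalone() was entered from do_iprop() (role IPROP_SLAVE).  Returns
 * the status to hand back, or 0 to keep listening. */
static int listener_result(int iproprole, int wait_status)
{
    int ret = 0;
    if (WIFEXITED(wait_status))
        ret = WEXITSTATUS(wait_status);
    else if (WIFSIGNALED(wait_status))
        ret = 128 + WTERMSIG(wait_status);  /* conventional signal mapping */
    if (iproprole == IPROP_SLAVE && ret != 0)
        return ret;
    return 0;                               /* plain kpropd: ignore, go on */
}

/* Simulated accept loop: spawns `conns` workers that all die with exit
 * code 3 (stand-in for "invalid network input").  Returns how many
 * connections the listener serviced before it stopped; the unpatched
 * code stopped after the first regardless of role. */
static int serve_connections(int iproprole, int conns)
{
    int served = 0;
    while (served < conns) {
        int status = 0;
        pid_t pid = fork();
        if (pid < 0)
            return -1;
        if (pid == 0)
            _exit(3);                       /* worker hits bad input */
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        served++;
        if (listener_result(iproprole, status) != 0)
            break;
    }
    return served;
}

int main(void)
{
    return serve_connections(IPROP_NULL, 3) == 3 ? 0 : 1;
}
```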

REVISION HISTORY
================

2011-02-08      original release

Copyright (C) 2010 Massachusetts Institute of Technology

______________________________________________________________________

MITKRB5-SA-2011-002

MIT krb5 Security Advisory 2011-002
Original release: 2011-02-08
Last update: 2011-02-08

Topic: KDC denial of service attacks

CVE-2011-0281: KDC vulnerable to hang when using LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2011-0282: KDC vulnerable to crash when using LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.8

CVE-2011-0283: krb5-1.9 KDC vulnerable to crash

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C
CVSSv2 Base Score:      7.8
CVSSv2 Temporal Score:  6.8

SUMMARY
=======

The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to
denial of service attacks from unauthenticated remote attackers.
CVE-2011-0281 and CVE-2011-0282 occur only in KDCs using LDAP back
ends, but CVE-2011-0283 occurs in all krb5-1.9 KDCs.

Exploit code is not known to exist, but the vulnerabilities are easy
to trigger manually.  The trigger for CVE-2011-0281 has already been
disclosed publicly, but that fact might not be obvious to casual
readers of the message in which it was disclosed.  The triggers for
CVE-2011-0282 and CVE-2011-0283 have not yet been disclosed publicly,
but they are also trivial.

IMPACT
======

CVE-2011-0281: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to become completely unresponsive
until restarted.

CVE-2011-0282: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to crash with a null pointer
dereference.

CVE-2011-0283: An unauthenticated remote attacker can cause a krb5-1.9
KDC with any back end to crash with a null pointer dereference.

AFFECTED SOFTWARE
=================

CVE-2011-0281 and CVE-2011-0282: The KDC in releases krb5-1.6 and
later is vulnerable.  Earlier releases did not contain the LDAP back
end code, and are therefore not vulnerable to these issues.

CVE-2011-0283: The KDC in krb5-1.9 is vulnerable.  Earlier releases
did not contain the bug.

FIXES
=====

* Workaround: restart the KDC when it becomes unresponsive or crashes,
  possibly using an automated monitoring process.

* The patch for the krb5-1.9 release is available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch.txt.asc

* The patch for the krb5-1.8 and krb5-1.7 releases is at

  http://web.mit.edu/kerberos/advisories/2011-002-patch-r18.txt

  For the 1.7 releases, apply the patch ignoring whitespace
  (use "patch -l").

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch-r18.txt.asc

* The following patch applies to the krb5-1.6 release series.

  This patch is also available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch-r16.txt

  A PGP-signed patch is available at

  http://web.mit.edu/kerberos/advisories/2011-002-patch-r16.txt.asc

REFERENCES
==========

This announcement is posted at:

  http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

        http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

        http://web.mit.edu/kerberos/index.html

Mailing list message describing the trigger for CVE-2011-0281:
http://mailman.mit.edu/pipermail/kerberos/2010-December/016800.html

CVSSv2:

    http://www.first.org/cvss/cvss-guide.html
    http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0281
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0282
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-0283

ACKNOWLEDGMENTS
===============

The CVE-2011-0281 issue was discovered by Kevin Longfellow of Oracle
Corporation.

The CVE-2011-0283 issue was discovered by Zbysek Mraz of Red Hat.

CONTACT
=======

The MIT Kerberos Team security contact address is
<krbcore-security@mit.edu>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

pub   2048R/56CD8F76 2010-12-29 [expires: 2012-02-01]
uid     MIT Kerberos Team Security Contact <krbcore-security@mit.edu>

DETAILS
=======

CVE-2011-0281: KDC vulnerable to hang when using LDAP back end

The LDAP KDC database back end converts an internal representation of
the protocol encoding of a Kerberos principal name into a single C
string in order to do a lookup in LDAP.  The "unparse" code that does
this transformation can produce backslash escape sequences which the
LDAP client library rejects during the LDAP lookup.  The LDAP KDC
database back end loops attempting to reconnect to the LDAP server,
but leaks file descriptors while doing so.

When the amount of leakage reaches a file descriptor limit (e.g.,
FD_SETSIZE), the KDC may become unresponsive.  One possibility is that
having more than FD_SETSIZE open file descriptors causes select() to
become incapable of detecting status changes on the newest file
descriptor that the KDC uses to communicate with the LDAP server.
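
An added example, not code from the krb5 LDAP back end, contrasting the leaking reconnect loop described above with a bounded one that closes the failed handle and stops before select() loses track of descriptors; ldap_open_sim() and count_open_fds() are stand-ins invented for the demonstration.

```c
/* Added example, not krb5 LDAP back-end code: the reconnect pattern behind
 * CVE-2011-0281 beside a bounded one.  ldap_open_sim() is a stand-in that
 * always hands back a descriptor yet reports the lookup as rejected. */
#include <fcntl.h>
#include <sys/select.h>
#include <unistd.h>

/* Stand-in for the LDAP connect: opens /dev/null, then "fails" (returns 1). */
static int ldap_open_sim(int *fd_out)
{
    *fd_out = open("/dev/null", O_RDONLY);
    return *fd_out < 0 ? -1 : 1;
}

/* Counts this process's open descriptors in [0, 2*FD_SETSIZE). */
static int count_open_fds(void)
{
    int n = 0;
    for (int fd = 0; fd < 2 * FD_SETSIZE; fd++)
        if (fcntl(fd, F_GETFD) != -1) n++;
    return n;
}

/* Leaky pattern (what the advisory describes): every retry opens a fresh
 * descriptor and forgets the previous one.  Returns how many leaked. */
static int reconnect_leaky(int attempts)
{
    int before = count_open_fds(), fd;
    for (int i = 0; i < attempts; i++)
        ldap_open_sim(&fd);
    return count_open_fds() - before;
}

/* Bounded pattern: close the failed handle before retrying, cap the retries,
 * and refuse a descriptor select() could not track.  Returns leaked count. */
static int reconnect_bounded(int attempts)
{
    int before = count_open_fds(), fd = -1;
    for (int i = 0; i < attempts; i++) {
        if (fd >= 0) { close(fd); fd = -1; }
        if (ldap_open_sim(&fd) == 0)
            break;                      /* connected: keep the live fd */
        if (fd >= FD_SETSIZE)
            break;                      /* beyond fd_set range: stop */
    }
    if (fd >= 0)
        close(fd);                      /* gave up: release the last one */
    return count_open_fds() - before;
}
```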

CVE-2011-0282: KDC vulnerable to crash when using LDAP back end

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

The KDC LDAP back end, when testing whether a principal belongs to the
default realm, assumes that principal name components are
null-terminated and are not null pointers.  Both of these assumptions
are invalid in the general case, so an attacker could craft a
principal name to induce a null pointer dereference or reading beyond
the end of a buffer, causing a crash.  Data leakage resulting from the
overrun is essentially impossible because the read operation is a
comparison rather than a copy.
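
An added example, not krb5's own code, of the default-realm check written against a length-counted component (a struct shaped like krb5_data; the struct and function names are assumptions) so that neither an unterminated buffer nor a NULL data pointer ever reaches strcmp().

```c
/* Added example, not krb5 code: the realm check at the heart of
 * CVE-2011-0282 on a length-counted component.  Names are assumptions;
 * the point is that a component may be unterminated or carry NULL data. */
#include <stddef.h>
#include <string.h>

struct name_component {      /* same shape as krb5_data: no NUL required */
    unsigned int length;
    const char *data;
};

/* The flawed assumption: treating data as a C string.  Reads past the
 * buffer when it is unterminated and crashes on a NULL pointer. */
static int realm_matches_unsafe(const struct name_component *c, const char *realm)
{
    return strcmp(c->data, realm) == 0;
}

/* Hardened form: reject NULL, compare exactly `length` bytes, and require
 * the lengths to agree so a prefix never passes as a match. */
static int realm_matches(const struct name_component *c, const char *realm)
{
    if (c == NULL || c->data == NULL || realm == NULL)
        return 0;
    size_t rlen = strlen(realm);
    if (c->length != rlen)
        return 0;
    return memcmp(c->data, realm, rlen) == 0;
}

/* Constructed inputs: a buffer that is NOT NUL-terminated (the realm bytes
 * followed by junk), a NULL data pointer, a prefix, and a proper C string. */
static const char unterminated[] = {'E','X','A','M','P','L','E','.','C','O','M','X','X'};
static const struct name_component comp_ok     = { 11, unterminated };
static const struct name_component comp_null   = { 0, NULL };
static const struct name_component comp_prefix = { 7, unterminated };
static const struct name_component comp_cstr   = { 11, "EXAMPLE.COM" };
```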

CVE-2011-0283: krb5-1.9 KDC vulnerable to crash

CVSSv2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C/E:H/RL:OF/RC:C

CVSSv2 Base Score:      7.8

Access Vector:          Network
Access Complexity:      Low
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       None
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.8

Exploitability:         High
Remediation Level:      Official Fix
Report Confidence:      Confirmed

Changes in the KDC network code in the krb5-1.9 release introduced a
bug that allows a null pointer dereference, which would cause the KDC
to crash.  Any request packet that is sufficiently malformed that the
KDC would not generate a response packet can trigger this bug.

REVISION HISTORY
================

2011-02-08      original release

Copyright (C) 2011 Massachusetts Institute of Technology

======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 23 - 25 Rue Daviel    | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================
