MIT Kerberos krb524d insecurely deallocates memory (double-free)

2004-09-02T00:00:00
ID VU:350792
Type cert
Reporter CERT
Modified 2004-09-03T20:22:00

Description

Overview

The MIT Kerberos krb524d daemon does not securely deallocate heap memory when handling an error condition, resulting in a double-free vulnerability. An unauthenticated, remote attacker could execute arbitrary code on a system running krb524d, which in many cases is also a Kerberos Key Distribution Center (KDC). The compromise of a KDC system can lead to the compromise of an entire Kerberos realm. An attacker may also be able to cause a denial of service on a system running krb524d.

Description

As described on the MIT Kerberos web site: "Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography." MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions.

The MIT Kerberos krb524d daemon converts Kerberos 5 service tickets into Kerberos 4 service tickets. There is a double-free vulnerability in krb524d that can be triggered during the conversion of a cross-realm ticket. From MITKRB5-SA-2004-002:

The patch (introduced in krb5-1.2.8 and present in all subsequent
releases) for disabling krb4 cross-realm authentication in krb524d
introduced a double-free vulnerability. If handle_classic_v4() denies
the conversion of a cross-realm ticket, v5tkt->enc_part2 gets freed
but not nulled, so do_connection() double-frees many things when it
subsequently calls krb5_free_ticket().
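The following C program is an added illustration of the ownership bug the advisory describes; it is not code from the CERT note or from MIT's krb524d. The names `ticket`, `enc_part`, `deny_cross_realm_vulnerable()`, `deny_cross_realm_fixed()`, `free_ticket()` and `run_connection()` are simplified stand-ins (assumptions) for `krb5_ticket`, `krb5_enc_tkt_part`, `handle_classic_v4()`, `krb5_free_ticket()` and `do_connection()`. An instrumented `tracked_free()` counts a repeated free of the same pointer instead of letting the allocator abort, so both the vulnerable and the fixed deny paths run to completion and can be compared.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified stand-ins (assumed names, not MIT's real types). */
struct enc_part {                  /* stands in for krb5_enc_tkt_part */
    char client_realm[32];
    char server_realm[32];
};

struct ticket {                    /* stands in for krb5_ticket */
    struct enc_part *enc_part2;
};

/* Instrumented free(): remembers what it released and, on a second
 * free of the same pointer, counts the attempt instead of calling
 * free() again.  This is only so the buggy path can run to the end. */
#define MAX_FREED 16
static void *freed[MAX_FREED];
static int nfreed;
static int double_frees;

static void tracked_free(void *p)
{
    if (p == NULL) return;
    for (int i = 0; i < nfreed; i++) {
        if (freed[i] == p) { double_frees++; return; }
    }
    if (nfreed < MAX_FREED) freed[nfreed++] = p;
    free(p);
}

static void tracker_reset(void)
{
    nfreed = 0;
    double_frees = 0;
}

/* Equivalent of krb5_free_ticket(): releases every component that is
 * still non-NULL.  It has no way to know that a caller already freed
 * enc_part2 unless the caller nulled the pointer. */
static void free_ticket(struct ticket *t)
{
    tracked_free(t->enc_part2);
    t->enc_part2 = NULL;
    tracked_free(t);
}

static int is_cross_realm(const struct enc_part *e)
{
    return strcmp(e->client_realm, e->server_realm) != 0;
}

/* Vulnerable deny path, as the advisory describes it: enc_part2 is
 * freed but the dangling pointer is left in the ticket.
 * Returns 0 if conversion is allowed, -1 if denied. */
static int deny_cross_realm_vulnerable(struct ticket *t)
{
    if (!is_cross_realm(t->enc_part2)) return 0;
    tracked_free(t->enc_part2);        /* freed ...           */
    return -1;                         /* ... but not nulled  */
}

/* Fixed deny path: same free, followed by nulling the pointer so the
 * later free_ticket() skips it. */
static int deny_cross_realm_fixed(struct ticket *t)
{
    if (!is_cross_realm(t->enc_part2)) return 0;
    tracked_free(t->enc_part2);
    t->enc_part2 = NULL;
    return -1;
}

/* Constructed sample: a ticket whose client and server realms differ. */
static struct ticket *make_cross_realm_ticket(void)
{
    struct ticket *t = calloc(1, sizeof *t);
    if (t == NULL) abort();
    t->enc_part2 = calloc(1, sizeof *t->enc_part2);
    if (t->enc_part2 == NULL) abort();
    strcpy(t->enc_part2->client_realm, "EXAMPLE.COM");
    strcpy(t->enc_part2->server_realm, "OTHER.EXAMPLE");
    return t;
}

/* Runs the do_connection() sequence -- deny, then an unconditional
 * free_ticket() -- and returns how many double frees were attempted. */
static int run_connection(int (*deny)(struct ticket *))
{
    tracker_reset();
    struct ticket *t = make_cross_realm_ticket();
    deny(t);                 /* cross-realm conversion is refused */
    free_ticket(t);          /* cleanup happens regardless        */
    return double_frees;
}

int main(void)
{
    printf("vulnerable: %d double free(s)\n",
           run_connection(deny_cross_realm_vulnerable));
    printf("fixed:      %d double free(s)\n",
           run_connection(deny_cross_realm_fixed));
    return 0;
}
```

The model keeps a single allocation under `enc_part2`; in the real daemon that structure owns further allocations, which is why the advisory says `krb5_free_ticket()` "double-frees many things". Without the tracking wrapper, the vulnerable path would hand the same chunk to `free()` twice, which is the condition an attacker would try to turn into heap corruption.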


Impact

An unauthenticated, remote attacker could execute arbitrary code on a system running krb524d. In many cases, this system also operates a KDC, so this vulnerability could allow an attacker to gain the master secret for a Kerberos realm, leading to compromise of the entire realm. An attacker may also be able to crash a system running krb524d, causing a denial of service.


Solution

Apply a patch

Apply the appropriate patch(es) referenced in MITKRB5-SA-2004-002 or specified by your vendor.

Upgrade

According to MITKRB5-SA-2004-002, "The upcoming krb5-1.3.5 release will contain fixes for these problems."


Restrict access

Depending on network architecture, it may be practical to restrict access to systems running krb524d (4444/udp) from untrusted networks such as the Internet. While this will help to limit the source of attacks, it will not prevent attacks from trusted hosts or networks or attackers who can successfully spoof their source addresses.


Vendor Information


MIT Kerberos Development Team

Updated: September 02, 2004

Status

Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see MITKRB5-SA-2004-002.


Cisco Systems Inc.

Notified: July 21, 2004 Updated: September 03, 2004

Status

Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CyberSafe

Updated: September 02, 2004

Status

Not Vulnerable

Vendor Statement

The CyberSafe products listed below are not vulnerable.

* CyberSafe Challenger 5.2.8 (this is the same code used within CISCO IOS)
* TrustBroker 2.0, 2.1
* ActiveTRUST 3.0, 4.0
* TrustBroker Application Security SDK & Runtime Library 3.1.0
* TrustBroker Secure Client 4.1.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.


CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt>
  • <http://web.mit.edu/kerberos/www/>
  • <http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#krb524d>
  • <http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html#kerbfirewall>
  • <http://www.securitytracker.com/alerts/2004/Aug/1011106.html>

Credit

Thanks to Tom Yu and the MIT Kerberos Development Team for reporting this vulnerability and coordinating with vendors. MITKRB5-SA-2004-002 acknowledges Marc Horowitz

This document was written by Art Manion.

Other Information

CVE IDs: | CVE-2004-0772
---|---
Severity Metric: | 10.28
Date Public: | 2004-08-31
Date First Published: | 2004-09-02
Date Last Updated: | 2004-09-03 20:22 UTC
Document Revision: | 16