MIT Kerberos kadmind RPC library gssrpc__svcauth_unix() integer conversion error

Overview

The MIT Kerberos administration daemon (kadmind) contains an integer conversion error vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.

Description

The gssrpc__svcauth_unix() function used by the Kerberos administration daemon contains an integer conversion error. This vulnerability may cause a stack buffer overflow that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004:

_The function gssrpc__svcauth_unix() in src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from IXDR_GET_U_LONG into a signed integer variable “str_len”. Subsequently, it checks that “str_len” is less than MAX_MACHINE_NAME, which will always be true of “str_len” is negative, which can happen when a large unsigned integer is converted to a signed integer. Once the length check succeeds, gssrpc__svcauth_unix() calls memmove() with a length of “str_len” with the target in a stack buffer. _

This vulnerability is believed to be difficult to exploit because the memmove() implementation receives a very large number (a negative integer converted to a large unsigned value), which will almost certainly cause some sort of memory access fault prior to returning. This probably avoids any usage of the corrupted return address in the overwritten stack frame. Note that some (perhaps unlikely) memmove() implementations may call other procedures and thus may be vulnerable to corrupted return addresses.
Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.1. Third-party applications using the MIT krb5 RPC library or other RPC libraries derived from SunRPC may also be vulnerable. MIT has been provided with proof-of-concept exploit code that causes a denial of service, but it’s not clear whether the exploit code is publicly available yet.

This vulnerability occurred as a result of failing to comply with rule INT31-C of the CERT C Programming Language Secure Coding Standard.

---

Impact

A remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.

---

Solution

Apply a patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-004. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases. Please check with your vendor for third-party product updates.

---

Vendor Information

365313

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Additional information available

__ Sort by: Status Alphabetical

Expand all

Javascript is disabled. Click here to view vendors.

Debian GNU/Linux __ Affected

Notified: June 18, 2007 Updated: July 30, 2007

Status

Affected

Vendor Statement

These vulnerabilities have been fixed in Debian GNU/Linux 4.0 (stable) in version 1.4.4-7etch2. and for Debian GNU/Linux 3.1 (oldstable) in version 1.3.6-2sarge5 via Debian Security Advisory 1323 as in <<http://www.debian.org/security/2007/dsa-1323&gt;&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc. __ Affected

Notified: June 18, 2007 Updated: June 27, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Mandriva Advisory MDKSA-2007:137.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23365313 Feedback>).

Red Hat, Inc. __ Affected

Notified: June 18, 2007 Updated: June 26, 2007

Status

Affected

Vendor Statement

These issues affect the krb5-server package available for Red Hat

Enterprise Linux 2.1, 3, 4, and 5. Updated packages to correct this
issue are available along with our advisories at the URLs below and
via Red Hat Network.

Red Hat Enterprise Linux 2.1, 3:
<https://rhn.redhat.com/errata/RHSA-2007-0384.html&gt;

Red Hat Enterprise Linux 4, 5:
<https://rhn.redhat.com/errata/RHSA-2007-0562.html&gt;

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu __ Affected

Notified: June 18, 2007 Updated: June 27, 2007

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Ubuntu Security Notice USN-477-1.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23365313 Feedback>).

CyberSafe, Inc. __ Not Affected

Notified: June 18, 2007 Updated: June 18, 2007

Status

Not Affected

Vendor Statement

The vulnerabilities referenced in VU#365313 do not apply to CyberSafe products, including all versions of TrustBroker, ActiveTRUST and Challenger products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc. __ Not Affected

Notified: June 18, 2007 Updated: June 26, 2007

Status

Not Affected

Vendor Statement

Juniper Networks products do not use Kerberos, and are therefore not susceptible to this set of vulnerabilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation Not Affected

Notified: June 18, 2007 Updated: June 19, 2007

Status

Not Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Network Appliance, Inc. __ Not Affected

Updated: June 27, 2007

Status

Not Affected

Vendor Statement

NetApp does not ship kadmind.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc. __ Not Affected

Notified: June 18, 2007 Updated: June 28, 2007

Status

Not Affected

Vendor Statement

Sun can confirm that none of its products are vulnerable to VU#365313.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

AttachmateWRQ, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC Corporation Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries) Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

KTH Kerberos Team Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MIT Kerberos Development Team Unknown

Notified: June 13, 2007 Updated: June 13, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MontaVista Software, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc. Unknown

Notified: June 18, 2007 Updated: June 18, 2007

Status

Unknown

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 45 vendors __View less vendors __

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

• <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt&gt;
• <http://www.ubuntu.com/usn/usn-477-1&gt;
• <http://www.mandriva.com/security/advisories?name=MDKSA-2007:137&gt;
• <http://secunia.com/advisories/25800/&gt;
• <http://secunia.com/advisories/26033/&gt;
• <http://docs.info.apple.com/article.html?artnum=306172&gt;

Acknowledgements

Thanks to MIT for reporting this vulnerability, who in turn credit Wei Wang of McAfee Avert Labs.

This document was written by Will Dormann.

Other Information

CVE IDs:	CVE-2007-2443
Severity Metric:	5.40 Date Public: