Multiple Vendor kadmind Remote Buffer Overflow Vulnerability

2002-10-21T00:00:00
ID SMNTC-6024
Type symantec
Reporter Symantec Security Response
Modified 2002-10-21T00:00:00

Description

A vulnerability has been discovered in the kadmind daemon. It has been reported that kadmind is vulnerable to a remotely exploitable buffer overflow. This issue is due to insufficient bounds checking. Exploiting this issue could potentially allow an attacker to execute arbitrary code with the privileges of the kadmind process. This issue is reported to exist in the Kerberos 4 administration protocol. Kerberos 5 includes support for the Kerberos 4 administration daemon. Various Kerberos implementations are reported to be affected by this vulnerability. There are reports that this vulnerability is being actively exploited in the wild.

Technologies Affected

  • FreeBSD FreeBSD 4.0.0
  • FreeBSD FreeBSD 4.1.0
  • FreeBSD FreeBSD 4.2.0
  • FreeBSD FreeBSD 4.3.0
  • FreeBSD FreeBSD 4.4.0
  • FreeBSD FreeBSD 4.5.0
  • FreeBSD FreeBSD 4.6.0
  • FreeBSD FreeBSD 4.7.0 -RELEASE
  • FreeBSD FreeBSD 4.7.0
  • IBM PSSP 3.1.1
  • IBM PSSP 3.2.0
  • IBM PSSP 3.4.0
  • IBM PSSP 3.5.0
  • KTH Heimdal 0.21.0
  • KTH Heimdal 0.3.0 e
  • KTH Heimdal 0.4.0 a
  • KTH Heimdal 0.4.0 b
  • KTH Heimdal 0.4.0 c
  • KTH Heimdal 0.4.0 d
  • KTH Heimdal 0.4.0 e
  • KTH Heimdal 0.5.0
  • KTH eBones 1.2.0
  • MIT Kerberos 4 1.0.0
  • MIT Kerberos 4 1.1.0
  • MIT Kerberos 4 4.0.0
  • MIT Kerberos 5 1.0.0
  • MIT Kerberos 5 1.0.6
  • MIT Kerberos 5 1.1.0
  • MIT Kerberos 5 1.1.1
  • MIT Kerberos 5 1.2.0
  • MIT Kerberos 5 1.2.1
  • MIT Kerberos 5 1.2.2
  • MIT Kerberos 5 1.2.3
  • MIT Kerberos 5 1.2.4
  • MIT Kerberos 5 1.2.5
  • MIT Kerberos 5 1.2.6
  • NetBSD NetBSD 1.5.0
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • NetBSD NetBSD 1.5.3
  • NetBSD NetBSD 1.6.0
  • OpenBSD OpenBSD 3.0
  • OpenBSD OpenBSD 3.1
  • OpenBSD OpenBSD 3.2

Recommendations

Block external access at the network boundary, unless external parties require service.
If possible, restrict remote connectivity to trusted hosts and internal networks only. Block access to TCP/UDP port 751 for the Kerberos 4 administration daemon, and to TCP/UDP port 749 for Kerberos 5 administration if Kerberos 4 administration is supported.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Exploitation attempts may be indicated by intrusion detection systems. Audit IDS logs regularly.

Run all software as a nonprivileged user with minimal access rights.
When possible, run server processes as low-privileged users to limit the consequences of exploitation.

Disable any unnecessary default services.
Disable all services not explicitly required by the system. Disable the Kerberos 4 administration protocol if it is not needed.
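The port restriction and log audit recommended above, as an added example that is not part of the original advisory and is not code from Symantec, CERT, MIT, KTH or any vendor named here: a small Python audit over connection-log lines that flags any traffic reaching the Kerberos administration ports (751 for Kerberos 4 kadmind, 749 for Kerberos 5 administration) from outside a set of trusted networks. The log line format, the trusted networks and the sample records are constructed for this illustration; adapt the regular expression to your own packet-filter or IDS log layout.

```python
"""Audit connection logs for inbound traffic to the Kerberos administration
ports from outside the trusted admin networks.

Added example; not code from Symantec or any Kerberos vendor. The log
format, the trusted networks and the sample lines are all constructed.
"""
import ipaddress
import re

# Ports named in the advisory: 751 (Kerberos 4 kadmind), 749 (Kerberos 5 admin).
KADMIN_PORTS = {
    751: "Kerberos 4 administration (kadmind)",
    749: "Kerberos 5 administration (kadmind / k5admind v4 compatibility)",
}

# Hypothetical trusted networks: the only sources that should reach kadmind.
TRUSTED_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.1.0/24"),
]

# Constructed line format: "<timestamp> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log: one trusted admin session, two external probes,
# one unrelated KDC request (port 88) and one malformed line.
SAMPLE_LOG = """\
2002-10-22T10:01:12 tcp 10.0.0.5:33120 -> 10.0.0.1:751
2002-10-22T10:02:44 tcp 203.0.113.9:51234 -> 10.0.0.1:751
2002-10-22T10:03:01 udp 198.51.100.7:749 -> 10.0.0.1:749
2002-10-22T10:03:05 tcp 203.0.113.9:51235 -> 10.0.0.1:88
this line is not a connection record
"""


def parse_line(line):
    """Return a dict for a well-formed record, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_trusted(ip):
    """True if the address falls inside one of the trusted admin networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)


def audit(log_text):
    """Return (findings, malformed): findings lists every record that reaches
    a kadmind port from outside TRUSTED_NETS; malformed counts unparsable lines."""
    findings = []
    malformed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            malformed += 1
            continue
        if rec["dport"] in KADMIN_PORTS and not is_trusted(rec["src"]):
            findings.append({
                "ts": rec["ts"],
                "proto": rec["proto"],
                "src": rec["src"],
                "dst": rec["dst"],
                "port": rec["dport"],
                "service": KADMIN_PORTS[rec["dport"]],
            })
    return findings, malformed


if __name__ == "__main__":
    hits, bad = audit(SAMPLE_LOG)
    for h in hits:
        print(f"{h['ts']} {h['proto']} {h['src']} -> {h['dst']}:{h['port']} "
              f"({h['service']}) from untrusted source")
    print(f"{len(hits)} untrusted kadmind connection(s), {bad} malformed line(s)")
```

Run against the sample, the audit reports the two external records (one TCP to 751, one UDP to 749) and ignores both the trusted admin session and the port 88 KDC request; malformed lines are counted rather than silently dropped so a change in log format does not hide real hits.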

CERT has released an advisory which contains information about various vendors and implementations that are reported to be affected by this vulnerability. CERT has released a followup advisory which retracts information about the applicability of Debian Security Advisory DSA-178 and associated fixes. SuSE Security Advisory SuSE-SA:2002:034 also does not address this issue.

Debian has released Debian Security Advisory DSA 183-1 which does address this issue for affected MIT Kerberos 5 packages that ship with Debian GNU/Linux 3.0 alias woody. Information on obtaining fixes may be found in the referenced advisory.

NetBSD has released an advisory. NetBSD-current, NetBSD 1.6 and NetBSD 1.5 branches dated 2002-10-22 and later have fixes for this vulnerability. Users are advised to upgrade the crypto/dist/heimdal/kadmin directory in CVS. Further information is available in the referenced advisory.

FreeBSD has addressed this issue as of October 23rd, 2002 for the base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons. The heimdal and krb5 ports were corrected as of October 24th, 2002. A vendor advisory is reported to be forthcoming.

MIT has released an advisory. Detailed patch information is available in the referenced advisory.

Apple has announced that the Kerberos Administration Daemon was included in Mac OS X 10.0, but was removed in Mac OS X versions 10.1 and later.

SuSE Linux versions 7.2 and ship with Heimdal Kerberos. However, Kerberos 4 support is not enabled.

Gentoo Linux has released an advisory and made fixes available. To update systems, Gentoo Linux users are advised to perform the following update procedures:

  emerge rsync
  emerge kth-krb
  emerge heimdal
  emerge clean

Sorcerer Linux has released an advisory and made fixes available. To update systems, Sorcerer Linux users are advised to perform the following update procedures:

  augur synch
  augur update

Debian has released Debian Security Advisory DSA 184-1 which addresses the issue for affected MIT Kerberos 4 packages. Debian has released Debian Security Advisory DSA 185-1 which addresses the issue for affected Heimdal Kerberos packages. Information about obtaining fixes is available in the referenced advisory.

Conectiva Linux has released an advisory. Further information can be obtained from the referenced advisory.

RedHat has released a security advisory which addresses the issue for affected MIT Kerberos 5 packages.

FreeBSD has released an advisory. Users are advised to update their ports tree and reinstall the heimdal or krb5 ports, or to download and install a patch. Further detailed information is available in the referenced advisory.

IBM has made APARs available to resolve this issue.

HP has released advisory HPSBTL0211-077 for HP Secure OS advising users to apply the fixes listed in Red Hat advisory RHSA-2002:242-06.

Fixes have been released which address this issue: