Kerberos-related vulnerability affects many Linux/UNIX versions
The Kerberos Administration daemon (kadmind), the server that handles Kerberos administrative requests, contains a buffer overflow vulnerability in many implementations, mostly affecting Linux/UNIX. Since kadmind is the daemon that processes password changes and other modifications to the Kerberos database, and runs with root privileges to do so, it is a vital element of many, but not all, security systems based on Kerberos.
A Symantec report says that this threat is due to "insufficient bounds checking" and that an exploitation of this vulnerability could allow the attacker to run arbitrary code on the system.
CERT Advisory CA-2002-29, "Buffer Overflow in Kerberos Administration Daemon," indicates that this problem is found in both the MIT and the KTH versions of Kerberos. Specifically, there is a buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server.
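The advisory's description, "insufficient bounds checking" on a request that the daemon unwraps into a fixed-size buffer, is the classic length-prefixed-message overflow. The following is an added illustration written for this column, not kadmind's own code: the wire format (a 4-byte big-endian length followed by the request body), the frame layout, the marker value and the function names are all constructed for the demonstration. The unchecked variant trusts the sender's length field and copies straight into a fixed frame; the hardened variant rejects any length that exceeds the buffer or the bytes actually received.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF 64              /* fixed request buffer, as in a fixed-size frame */
#define MARKER  0xCAFEBABEu     /* sentinel placed right after the buffer (constructed) */

/* Constructed stand-in for a fixed-size request frame: the payload
 * buffer is followed by a marker so an overwrite can be observed. */
struct req_frame {
    unsigned char payload[REQ_BUF];
    uint32_t marker;
};

/* Decode the 4-byte big-endian length prefix of a message (constructed format). */
static size_t read_len(const unsigned char *msg) {
    return ((size_t)msg[0] << 24) | ((size_t)msg[1] << 16) |
           ((size_t)msg[2] << 8)  |  (size_t)msg[3];
}

/* Build a message: length prefix plus body_len bytes of `fill`.
 * Returns the total message length, or 0 if out is too small. */
size_t build_request(unsigned char *out, size_t out_cap, size_t body_len, unsigned char fill) {
    if (out_cap < 4 + body_len) return 0;
    out[0] = (unsigned char)(body_len >> 24);
    out[1] = (unsigned char)(body_len >> 16);
    out[2] = (unsigned char)(body_len >> 8);
    out[3] = (unsigned char)(body_len);
    memset(out + 4, fill, body_len);
    return 4 + body_len;
}

/* Vulnerable form: the copy length comes from the attacker-controlled
 * prefix and is never compared with sizeof payload.  The demo copies
 * into the frame as a whole so that a length of sizeof(struct req_frame)
 * overwrites the marker without leaving the object; a larger length
 * would run past the frame onto whatever follows it on the stack, which
 * is the condition the advisory describes.  Returns the marker as seen
 * after the copy. */
uint32_t unpack_unchecked(const unsigned char *msg, size_t msg_len) {
    struct req_frame fr;
    size_t len;
    (void)msg_len;                          /* ignored: that is the bug */
    fr.marker = MARKER;
    len = read_len(msg);
    memcpy((unsigned char *)&fr, msg + 4, len);
    return fr.marker;
}

/* Hardened form: the length is checked against both the bytes actually
 * received (truncated message) and the destination buffer (oversize
 * message) before anything is copied.  Returns the payload length
 * on success, -1 on rejection. */
int unpack_checked(const unsigned char *msg, size_t msg_len, struct req_frame *out) {
    size_t len;
    if (msg_len < 4) return -1;             /* no complete length prefix */
    len = read_len(msg);
    if (len > msg_len - 4) return -1;       /* claims more than was received */
    if (len > sizeof out->payload) return -1; /* would overflow the frame */
    out->marker = MARKER;
    memcpy(out->payload, msg + 4, len);
    return (int)len;
}

int main(void) {
    unsigned char big[4 + sizeof(struct req_frame)];
    unsigned char small[4 + 16];
    struct req_frame fr;
    size_t n_big = build_request(big, sizeof big, sizeof(struct req_frame), 0x41);
    size_t n_small = build_request(small, sizeof small, 16, 0x42);

    printf("unchecked: marker after copy = 0x%08x (expected 0x%08x)\n",
           unpack_unchecked(big, n_big), MARKER);
    printf("checked: oversize request -> %d\n", unpack_checked(big, n_big, &fr));
    printf("checked: 16-byte request -> %d, marker intact = %d\n",
           unpack_checked(small, n_small, &fr), fr.marker == MARKER);
    return 0;
}
```

The point of the marker is to make the overwrite visible without crashing: a 68-byte body fills the 64-byte buffer and replaces the sentinel with 0x41414141, which is exactly what a return address or saved frame pointer would receive in the real daemon. The hardened version shows the two checks that were missing: the length must not exceed what was received, and it must not exceed the destination.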
This vulnerability has been confirmed as existing in MIT Kerberos version 4 and version 5 through krb5-1.2.6, KTH eBones prior to version 1.2.1, and KTH Heimdal prior to version 0.5.1.
Although the flaw is in Kerberos 4 code, many Kerberos 5 installations were built with the Kerberos 4 compatibility administration server (kadmind4 in MIT Kerberos 5, or the v4 support in Heimdal's kadmind) and are therefore affected through that component.
Symantec reports that some versions of Conectiva, Red Hat, Gentoo, Mandrake, SuSE, and Debian Linux shipped with vulnerable versions of Kerberos, as did NetBSD, OpenBSD, and IBM’s pSeries Parallel System Support Programs, as well as multiple versions of FreeBSD UNIX. Some of these operating systems that did include a vulnerable version of Kerberos may not have had it installed by default and therefore may not be vulnerable.
The list of specific versions affected or potentially vulnerable is long and may grow, so you might want to check the Symantec report to get a handle on the scope of the problem.
Microsoft's Windows implementation of Kerberos is its own Kerberos 5 code base and ships no Kerberos 4 administration daemon, so it is not vulnerable to this exploit and no action is required for Windows systems.
Openwall reports that it does not provide Kerberos support, so Openwall GNU/Linux is not vulnerable.
Sun’s Enterprise Authentication Mechanism (Kerberos 5) doesn’t support Kerberos v4 protocols and is therefore not affected. See SEAM for more information.
Wind River BSD is not vulnerable.
Apple Computer reports that the vulnerability applies to OS X 10.0, but kadmind was removed from version 10.1 and later versions, so it does not affect them.
Exploiting this vulnerability would give a remote attacker root privileges and complete control over the Kerberos authentication scheme for the affected systems. The Debian Security Advisories on Kerberos 4 and 5 confirm that exploit code is in circulation for this vulnerability, so it is a serious security hole and not just a theoretical problem.
If you don't use Kerberos, kadmind probably isn't enabled. If it is, you can remove it to eliminate this threat. Kerberos 5 doesn't appear to be vulnerable by itself, but some implementations also support version 4 protocols, and their Kerberos 4 administration server is what makes them vulnerable.
Disable support for Kerberos 4 authentication if it is not explicitly in use on your network. For MIT Kerberos 5, build without kadmind4 (the MIT advisory for this issue describes the build configuration). For KTH Heimdal, follow KTH's instructions for disabling Kerberos 4 support.
Symantec and CERT recommend restricting remote connectivity as a workaround. Block TCP/UDP access on port 751 for Kerberos 4 and on port 749 for Kerberos 5 where Kerberos 4 is supported along with version 5. This does not fix the flaw: any host that can still reach the port can still exploit it, and the block also stops legitimate remote password changes and other administrative actions. It only limits exposure until a patch is applied.
You can also apply patches where practical. Patched packages are available from the Debian GNU/Linux Security site: DSA-183-1 for krb5 and DSA-184-1 for krb4.
You can also go to the Symantec report for direct links to many patches for KTH.
Please note that there may be updates to the various security advisories as additional information and more patches are released. For instance, FreeBSD had reportedly already fixed both the base Kerberos 4 (kadmind) daemon and the Kerberos 5 (k5admind v4 compatibility) daemon at the time of this writing, but no vendor advisory had been posted yet. It will almost certainly be posted by the time this article is published. Several of the other FTP or advisory links were not immediately active but should be by the time you read this.
Check with your vendor or see the CERT Advisory CA-2002-29 for another list of available patches.
Kerberos is a protocol designed at MIT and intended to make it easy to authenticate users across a series of networks based on a single sign-in. Penetrating the Kerberos security system at one point, and in particular taking over the administration daemon that can change any password in the realm, can potentially open a lot of resources to the attacker. For some basic details of how Kerberos works, see the MIT Kerberos site. Unlike basic firewall protection, the use of Kerberos authentication can protect networks from unauthorized insiders as well as outsiders, which makes it a valuable security mechanism.
Kerberos is a free security tool offered by MIT, but there are also commercial versions. Microsoft introduced Kerberos support in Windows 2000 but added proprietary extensions (notably the authorization data it places in tickets), which made it difficult for other vendors' networks to be connected to the Microsoft systems using Kerberos. The upside is that, in this case, this vulnerability doesn't affect Microsoft networks because they use the company's own implementation, which has no Kerberos 4 administration daemon.
However, this vulnerability does affect a lot of systems, and the exploit code is known to be circulating. You need to patch systems where appropriate, disable the daemons if not needed, and consider blocking access to manage this threat until you can remove support for Kerberos 4 or otherwise correct the problem. Remember that firewall port blocking is only a partial protection for vulnerable systems and is not a real fix.
The logistics of checking every vendor's site every few minutes for a week or more and re-editing the column with every change is neither practical nor necessary, since CERT and some other sites already post all vendor update notes which are submitted to the central tracking authorities.
There are also space considerations in the column preventing my going into extensive details and the fact that no one is interested in specific versions (such as Red Hat) except those who maintain them - therefore it doesn't make much sense to post dozens or hundreds of patches in this column when managers probably already know the Web address for their particular software's updates.
In addition, the best sources are always the vendors as I believe most of my readers already know. If any feel that they should post links to patches here in the comments they are welcome to do so, especially if they provide URLs.
In this instance, if anyone cares to check the CERT CA-2002-29 link I included in the third paragraph, they will find a link to the Red Hat patch. (I presume you meant e.g. Red Hat, Inc. since I am not aware of any company named EG Red-Had.)
A bit more research could do wonders
RHSA-2002:242-06 on 06-Nov-2002 to correct this problem