TUCoPS :: Unix :: General :: kerb6~1.txt



COMMAND
 kerberos
SYSTEMS AFFECTED
 KRB4 KDC
PROBLEM
 Tom Yu found the following. A buffer overrun capable of creating a
 denial of service exists in implementations of Kerberos 4 KDC
 programs. This is IN ADDITION to the krb_rd_req() vulnerability
 that was previously announced. Many Kerberos 4 KDC implementations
 derived from MIT sources are believed to be vulnerable.
 Another denial of service vulnerability exists in the krb5-1.1.x
 KDC implementations (and krb5-1.2-beta1, but not krb5-1.0.x) that
 can cause the Kerberos 4 compatibility code to perform a
 double-free, possibly resulting in a crash of the KDC process.
 A remote user may be able to cause the KDC to issue bogus tickets,
 or to return an error of the form "principal unknown" for all
 principals, necessitating a restart of the KDC to resume proper
 operation. A remote user may also be able to cause a krb5-1.1.x
 KDC to experience a segmentation violation or malloc pool
 corruption, causing the KDC process to crash.
 A static buffer can be overrun by corrupt requests sent to a KDC
 process. It is believed that this overrun does not lead to a root
 compromise, but it can lead to a denial of service by corrupting
 long-term state in the KDC process. The krb5-1.1.x KDC contains
 in its Kerberos 4 compatibility mode some code which tickles a
 memory management bug in the library. This can result in a
 double-free of memory and corruption of the malloc pool, possibly
 leading to a crash of the KDC. Whether or not a crash occurs
 depends on the idiosyncrasies of the malloc implementation used.
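 As an added illustration of the bug class this advisory describes (not
 code from MIT, KTH or the advisory itself): a hypothetical, simplified
 KRB4 request parser showing the unbounded copy into a static buffer
 beside a bounds-checked version that rejects over-long or unterminated
 fields before any KDC state is touched. The field layout, FIELD_SZ and
 all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical simplified KRB4 request body: three NUL-terminated strings
 * (name, instance, realm) packed back to back. Layout and sizes are
 * assumptions for this illustration, not the MIT or KTH code. */
#define FIELD_SZ 40

struct krb4_req { char name[FIELD_SZ]; char inst[FIELD_SZ]; char realm[FIELD_SZ]; };

/* Vulnerable pattern: copy until NUL with no bound on the source packet or
 * the destination. An over-long or unterminated field runs past the static
 * struct and clobbers whatever the KDC keeps after it (the "long-term state"
 * corruption the advisory mentions). Shown only for contrast; never feed it
 * untrusted input. */
static struct krb4_req g_req;
int parse_req_unsafe(const uint8_t *pkt) {
    const char *p = (const char *)pkt;
    strcpy(g_req.name, p);  p += strlen(p) + 1;
    strcpy(g_req.inst, p);  p += strlen(p) + 1;
    strcpy(g_req.realm, p);
    return 0;
}

/* Hardened pattern: each field is bounded by both the bytes left in the
 * packet and the destination size. A field with no NUL inside those bounds,
 * or one that would not fit, rejects the whole request before any copy. */
static int copy_field(char *dst, const uint8_t **pp, const uint8_t *end) {
    const uint8_t *p = *pp;
    const uint8_t *nul = memchr(p, 0, (size_t)(end - p));  /* NUL within packet? */
    if (nul == NULL || (size_t)(nul - p) >= FIELD_SZ) return -1;  /* unterminated / too long */
    memcpy(dst, p, (size_t)(nul - p) + 1);  /* includes the terminator */
    *pp = nul + 1;
    return 0;
}

/* Returns 0 and fills *out on success, -1 on a malformed request. */
int parse_req_safe(const uint8_t *pkt, size_t len, struct krb4_req *out) {
    const uint8_t *p = pkt, *end = pkt + len;
    struct krb4_req tmp;
    if (copy_field(tmp.name, &p, end) ||
        copy_field(tmp.inst, &p, end) ||
        copy_field(tmp.realm, &p, end)) return -1;
    *out = tmp;  /* commit only after every field validated */
    return 0;
}
```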
 Source distributions which may contain vulnerable code include:
 - MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
 - MIT Kerberos 4 patch 10, and probably earlier releases as well
 - KerbNet (Cygnus implementation of Kerberos 5)
 - Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)
 - KTH-krb4 before version 0.10
 Source distributions that are believed not to be vulnerable
 include:
 - KTH-krb4 -- version 0.10 and above
 - Heimdal (KTH implementation of Kerberos 5) -- any version
SOLUTION
 The best course of action is to patch your KDC. If you have not
 done so already, install the patches to deal with the krb_rd_req()
 vulnerability that was previously announced. Patches and the
 original announcement may be found at:
 http://web.mit.edu/kerberos/www/advisories/index.html
 MIT will release krb5-1.2, which will have these changes
 incorporated. The krb5-1.2-beta1 release does not have this fix,
 though the upcoming krb5-1.2-beta2 release, tentatively scheduled
 for the week of June 5, will. The two recent beta patch releases,
 krb5-1.0.7-beta2 and krb5-1.1.2-beta1, which were intended to fix
 the krb4 buffer overrun problems, have not been patched for this
 problem yet.
 For FreeBSD, upgrade your vulnerable FreeBSD 3.x system to a
 version of FreeBSD dated after the correction date (FreeBSD
 3.5-STABLE dated after the correction date, 4.0-RELEASE or
 4.0-STABLE). The correction date is 2000-07-12. Be sure to install
 the Kerberos code when performing an upgrade (whether by source
 or by a binary upgrade) to ensure that the old binaries are no
 longer present on the system.
