Security Vulnerability in the Kerberos krb5

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Sun Enterprise Authentication Mechanism 1.0
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
6284864

Date of Workaround Release
12-JUL-2005

Date of Resolved Release
29-AUG-2005

Impact

An unprivileged (either authenticated or unauthenticated) remote user may be able to execute arbitrary code with elevated privileges on Kerberos systems due to a double-free error in the krb5_recvauth() library routine. The privileges attained would depend on the affected program that utilizes the krb5_recvauth() routine; some affected applications such as kpropd() run with root privileges on slave Key Distribution Center (KDC) hosts, which means its potentially possible to compromise an entire Kerberos realm.

This issue is described in MIT krb5 Security Advisory 2005-003 available at

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt

This issue is also referenced in the following documents:

CAN-2005-1689 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689

CERT VU#623332 at http://www.kb.cert.org/vuls/id/623332.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

SEAM 1.0 for Solaris 7
Solaris 8 with the Solaris Supplemental Encryption packages and without patch 112390-11
Solaris 8 without patch 112237-13
Solaris 9 without patch 112908-20
Solaris 10 without patch 120469-02

x86 Platform

SEAM 1.0 for Solaris 7
Solaris 8 with the Solaris Supplemental Encryption packages without patch 112240-10
Solaris 8 without patch 112238-12
Solaris 9 without patch 115168-08
Solaris 10 without patch 120470-02

Notes:

Only systems configured to utilize Kerberos are affected by this issue.
Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 7, 8 and 9. For more information on SEAM, please see the SEAM(5) man page.
Different components of the SEAM product have migrated to Solaris over time and thus Solaris 8 and 9 are impacted while SEAM for Solaris 8 and 9 is not. This is also the reason that there is no SEAM product for Solaris 10.

To determine if a system is configured to utilize Kerberos, the following command can be run:

$ grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___

If the command returns no output or the "krb5.conf" file is not found, then the system is not configured for Kerberos.

To determine if SEAM has been installed, the following command can be run:

$ pkginfo SUNWkr5sv

If the SUNWkr5sv package is present, SEAM is installed on the system.

Symptoms

There are no reliable symptoms that would indicate the described issues have been exploited to execute arbitrary commands as root on a Kerberos host.

Workaround

There is no workaround for this issue. Please see the Resoltuion section.

Resolution

This issue is addressed in the following releases:

SPARC Platform

Solaris 8 with the Solaris Supplemental Encryption packages and with patch 112390-11 or later
Solaris 8 with patch 112237-13 or later
Solaris 9 with patch 112908-20 or later
Solaris 10 with patch 120469-02 or later

x86 Platform

Solaris 8 with the Solaris Supplemental Encryption packages and with patch 112240-10 or later
Solaris 8 with patch 112238-12 or later
Solaris 9 with patch 115168-08 or later
Solaris 10 with patch 120470-02 or later

Modification History
Date: 02-AUG-2005

02-Aug-2005:

Update Contributing Factors and Resolution sections

Date: 05-AUG-2005

05-Aug-2005:

Update Contributing Factors and Resolution sections

Date: 08-AUG-2005

Updated Contributing Factors and Resolution sections

Date: 16-AUG-2005

16-Aug-2005:

Update Contributing Factors and Resolution sections

Date: 29-AUG-2005

29-Aug-2005:

Update Contributing Factors and Resolution sections

References

112240-10
112390-11
112237-13
112238-12
120469-02
120470-02

Attachments

This solution has no attachment