Note: This is an archival copy of Security Sun Alert 200906 as previously published on http://sunsolve.sun.com.
The latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000693.1.
Solaris 9 Operating System
Date of Workaround Release
Date of Resolved Release
1. An unprivileged (either authenticated or unauthenticated) remote user may be able to execute arbitrary code with "root" privileges on Kerberos Key Distribution Center (KDC) systems and thus compromise an entire Kerberos realm.
2. An unprivileged authenticated local or remote user may be able to execute arbitrary code with root privileges on Kerberos enabled systems due to double free vulnerabilities in the Kerberos V5 libraries.
3. An unprivileged (either authenticated or unauthenticated) remote user may be able to cause the KDC daemon (krb5kdc(1M)) or a Kerberos application to hang.
4. A privileged remote user who impersonates a legitimate KDC or Kerberos application server may be able to execute arbitrary code with "root" privileges on a Kerberos client while that client is authenticating.
These issues are described in the MIT krb5 Security Advisories:
MIT krb5 Security Advisory 2004-002 at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt
MIT krb5 Security Advisory 2004-003 at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt
These issues are also referenced in:
CAN-2004-0642 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0642
CAN-2004-0643 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0643
CAN-2004-0644 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-0644
and CERT Vulnerability Notes:
VU#550464 at http://www.kb.cert.org/vuls/id/550464
VU#866472 at http://www.kb.cert.org/vuls/id/866472
VU#795632 at http://www.kb.cert.org/vuls/id/795632
These issues can occur in the following releases:
1. Systems running Solaris Enterprise Authentication Mechanism (SEAM) 1.0.2 for Solaris 9 are impacted by this issue as SEAM 1.0.2 uses the affected Kerberos libraries delivered in Solaris 9.
2. Solaris 8 and SEAM 1.0 (for Solaris 7) and SEAM 1.0.1 (for Solaris 8) are not impacted by this issue.
3. Only systems configured to utilize Kerberos are affected by these issues. To determine if a system is configured to utilize Kerberos, run the following command:
$ grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___
If the command returns no output or the "krb5.conf" file is not found, then the system is not configured for Kerberos.
4. Two of the listed impacts relate to the Kerberos Key Distribution Center (KDC). A Kerberos-configured system is vulnerable to these two issues only if it has been configured as a KDC host. To check whether the KDC daemon (see krb5kdc(1M)) is running, run the following command:
$ pgrep krb5kdc || echo "krb5kdc(1M) daemon is NOT running"
If this returns a process ID, then the system is configured as a KDC host. If this returns the message "krb5kdc(1M) daemon is NOT running", then the KDC is not running.
"Kerberized" applications or services (such as the SEAM applications shipped in "/usr/krb5/bin" and "/usr/krb5/lib") may hang and stop responding to requests.
There are no reliable symptoms that would indicate the described issues have been exploited to execute arbitrary commands as "root" on a Kerberos host.
There is no workaround for this issue. Please see the "Resolution" section below.
This issue is addressed in the following releases:
Note: Although this issue is shown to be resolved in patch release 112908-15 (see patch README), that patch revision has been obsoleted and is no longer available for download. Please use 112908-16 or later.
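The checks above can be combined into one triage script. This is an added example, not part of the original Sun Alert; it assumes the patch list arrives in the "Patch: <id>-<rev> ..." layout printed by showrev -p, and the function names and sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Sun's code. On a host, run as:
#   showrev -p | assess /etc/krb5/krb5.conf
PATCH_ID=112908   # patch ID named in this alert
FIX_REV=15        # revision the alert lists as resolving the issue
                  # (withdrawn; the alert says to install -16 or later)

# Succeeds if the krb5.conf at $1 sets a real default_realm. Same test as
# the alert's grep pipeline; a missing file counts as "not configured".
kerberos_configured() {
    [ -r "$1" ] || return 1
    grep default_realm "$1" | grep -v ___default_realm___ >/dev/null
}

# Succeeds if the KDC daemon is running (the alert's pgrep check).
kdc_running() { pgrep krb5kdc >/dev/null 2>&1; }

# Reads "Patch: <id>-<rev> ..." lines (assumed showrev -p layout) on stdin
# and prints the highest installed revision of patch $1, or nothing.
installed_rev() {
    sed -n "s/^Patch: $1-\([0-9][0-9]*\).*/\1/p" | sort -n | tail -1
}

# Prints a verdict for the krb5.conf at $1 and the patch list on stdin.
assess() {
    kerberos_configured "$1" || { echo "not-configured"; return 0; }
    rev=$(installed_rev "$PATCH_ID")
    if [ -n "$rev" ] && [ "$rev" -ge "$FIX_REV" ]; then
        echo "patched"
    else
        echo "needs-patch"
    fi
}

# Constructed sample: a Kerberos-configured host with only revision -12.
demo() {
    conf=$(mktemp)
    printf '[libdefaults]\n\tdefault_realm = EXAMPLE.COM\n' > "$conf"
    printf 'Patch: 112908-12 Obsoletes: Requires: Packages: PKGexample\n' |
        assess "$conf"
    kdc_running && echo "KDC host: the KDC-related impacts apply"
    rm -f "$conf"
}
```

A "needs-patch" verdict means no revision of 112908 at or above -15 is installed; since -15 is no longer downloadable, the remedy in that case is 112908-16 or later.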