Note: This is an archival copy of Security Sun Alert 201582 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001187.1.
Article ID : 1001187.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2005-03-01
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in Kerberos 5 Administration Library for Solaris/SEAM



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 8 Operating System

Bug Id
6209960

Date of Workaround Release
22-DEC-2004

Date of Resolved Release
02-MAR-2005

Impact

Due to a heap buffer overflow, an authenticated user, not necessarily one with administrative privileges, could execute arbitrary code on the Kerberos Key Distribution Center (KDC) host, compromising an entire Kerberos realm.

This issue is described in the following documents:

MIT krb5 Security Advisory at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt

CVE CAN-2004-1189 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • SEAM 1.0.1 for Solaris 8 without patch 110060-16
  • Solaris 9 without patch 112921-06

x86 Platform

  • SEAM 1.0.1 for Solaris 8 without patch 110061-15
  • Solaris 9 without patch 116046-06

Notes:

  1. Systems running Solaris Enterprise Authentication Mechanism (SEAM) 1.0.1 for Solaris 8 and SEAM 1.0.2 for Solaris 9 are impacted by this issue because SEAM 1.0.1 and 1.0.2 use the affected Kerberos libraries delivered in Solaris.
  2. Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 7, 8 and 9. For more information on SEAM, please see the SEAM(5) man page.

This issue may occur if the machine is configured as the Key Distribution Center (KDC). To verify this, the following command can be run:

    % ps -ef | grep kadmin
    root   321     1  0   Dec 10 ?        0:00 /usr/krb5/lib/kadmind

If the above command shows that the daemon kadmind(1M) is running, then the machine is configured as the Key Distribution Center (KDC).
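The KDC check above and the patch lists in the Contributing Factors section can be combined into one script that answers "is this host a KDC that still lacks the resolving patch for its platform and product?". The script below is an added example, not part of the Sun Alert; the ps -ef and showrev -p text it works on is constructed sample output so that it runs without a Solaris host, and the platform/product names (sparc, x86, solaris9, seam8) are labels chosen here, not Sun identifiers. On a real system, pass the live output of `ps -ef` and `showrev -p` instead of the samples.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert: decide from `ps -ef` and
# `showrev -p` output whether a host is a KDC that still lacks the
# resolving patch. All sample text below is constructed.

# Constructed `ps -ef` sample from a host running kadmind.
PS_KDC='    root   321     1  0   Dec 10 ?        0:00 /usr/krb5/lib/kadmind
    root   400     1  0   Dec 10 ?        0:00 /usr/sbin/inetd -s'
# Constructed sample from a host that is not a KDC.
PS_PLAIN='    root   400     1  0   Dec 10 ?        0:00 /usr/sbin/inetd -s'

# Constructed `showrev -p` samples: one host at 112921-04 (still affected),
# one at 112921-07 (a later revision than the resolving 112921-06).
SHOWREV_OLD='Patch: 112233-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWcsr
Patch: 112921-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu'
SHOWREV_NEW='Patch: 112921-07 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu'

# kdc_running PS_TEXT: 0 if a kadmind process appears in the ps listing.
# Matching the full path avoids counting a `grep kadmin` line itself.
kdc_running() {
    printf '%s\n' "$1" | grep -q '/usr/krb5/lib/kadmind$'
}

# resolving_patch PLATFORM PRODUCT: prints the patch named in the
# Resolution section. PLATFORM is sparc or x86; PRODUCT is solaris9 or
# seam8 (SEAM 1.0.1 for Solaris 8). These labels are this script's own.
resolving_patch() {
    case "$1/$2" in
        sparc/solaris9) echo 112921-06 ;;
        sparc/seam8)    echo 110060-16 ;;
        x86/solaris9)   echo 116046-06 ;;
        x86/seam8)      echo 110061-15 ;;
        *)              return 1 ;;
    esac
}

# patch_installed_rev BASE SHOWREV_TEXT: prints the highest installed
# revision of patch BASE as a plain decimal (leading zeros dropped so the
# number can be compared with -ge), or nothing if the patch is absent.
patch_installed_rev() {
    printf '%s\n' "$2" |
        sed -n "s/^Patch: $1-0*\([0-9][0-9]*\) .*/\1/p" |
        sort -n | tail -1
}

# patch_satisfied REQUIRED SHOWREV_TEXT: 0 if REQUIRED (BASE-REV) is
# installed at revision REV or a later revision of the same patch.
patch_satisfied() {
    base=${1%-*}
    need=$(printf '%s' "${1##*-}" | sed 's/^0*\([0-9]\)/\1/')
    have=$(patch_installed_rev "$base" "$2")
    [ -n "$have" ] && [ "$have" -ge "$need" ]
}

# kdc_exposed PLATFORM PRODUCT PS_TEXT SHOWREV_TEXT: 0 when the host runs
# kadmind and lacks the resolving patch; 1 otherwise; 2 on unknown input.
kdc_exposed() {
    req=$(resolving_patch "$1" "$2") || return 2
    kdc_running "$3" || return 1
    if patch_satisfied "$req" "$4"; then
        return 1
    fi
    echo "exposed: $1/$2 KDC is missing patch $req"
    return 0
}

# Stand-alone run against the constructed samples.
kdc_exposed sparc solaris9 "$PS_KDC" "$SHOWREV_OLD"
```

A host that is not running kadmind is reported as not exposed even when the patch is missing, which matches the advisory's statement that the issue concerns machines configured as the KDC; the patch should still be applied there, but the KDC hosts are where the overflow can be reached.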


Symptoms

There are no predictable symptoms that would indicate the described issue has been exploited.


Workaround

It is advised that the history count is NOT decreased on any policy in the Kerberos realm. If the count has already been decreased, it is advised to change it back to the previous higher value. (The Kerberos password history count is the number of a principal's previous passwords that are remembered and may not be reused.)

To administer Kerberos, use kadmin(1M). To get the current history count, the following command can be run at the kadmin(1M) prompt:

    kadmin: get_policy <name of the policy>
    Policy: ...
    ...
    Number of old keys kept: 3
    ...

Here, the history count is the number of "old keys" kept. If the history count was lowered from a previous higher value to the current one, change it back to that previous higher value. This can be done by running the following command at the kadmin(1M) prompt:

    kadmin: modify_policy -history <number> default

Please refer to the kadmin(1M) man page for further details.
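Since the workaround depends on noticing that a policy's history count has gone down, it helps to keep a recorded baseline of the counts and compare the current get_policy output against it. The script below is an added example, not part of the Sun Alert: it parses the "Number of old keys kept" line from get_policy output, compares it with a baseline table, and prints the modify_policy command that restores the earlier value. The get_policy text and the baseline are constructed samples (the policy names and field values are invented for the demonstration); on a real KDC the output would come from `kadmin -q "get_policy <name>"`.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert: flag policies whose Kerberos
# password history count is lower than a recorded baseline. Sample text
# below is constructed.

# Constructed get_policy output for two policies. Only the
# "Number of old keys kept" line is used; the other fields are sample
# context in the style shown by the advisory.
POLICY_DEFAULT='Policy: default
Maximum password life: 0
Minimum password life: 0
Minimum password length: 8
Number of old keys kept: 3
Reference count: 12'
POLICY_ADMINS='Policy: admins
Maximum password life: 0
Minimum password life: 0
Minimum password length: 12
Number of old keys kept: 1
Reference count: 2'

# Constructed baseline of the counts as they were last known to be good,
# one "<policy> <count>" pair per line. On a real KDC this would be a file
# written when the policies were set up.
BASELINE='default 3
admins 4'

# history_count GET_POLICY_TEXT: prints the "Number of old keys kept" value.
history_count() {
    printf '%s\n' "$1" |
        sed -n 's/^Number of old keys kept: \([0-9][0-9]*\)$/\1/p'
}

# baseline_count POLICY: prints the recorded count for POLICY, or nothing.
baseline_count() {
    printf '%s\n' "$BASELINE" | awk -v p="$1" '$1 == p { print $2 }'
}

# history_decreased POLICY GET_POLICY_TEXT: returns 0 and prints the
# kadmin command that restores the baseline when the current count is
# lower than the baseline; 1 when it is not; 2 when either value is unknown.
history_decreased() {
    cur=$(history_count "$2")
    base=$(baseline_count "$1")
    [ -n "$cur" ] && [ -n "$base" ] || return 2
    if [ "$cur" -lt "$base" ]; then
        echo "modify_policy -history $base $1"
        return 0
    fi
    return 1
}

# Stand-alone run: the admins policy was lowered from 4 to 1.
history_decreased default "$POLICY_DEFAULT" || true
history_decreased admins "$POLICY_ADMINS" || true
```

The printed command is meant to be typed at the kadmin(1M) prompt, exactly as in the workaround above; the script deliberately does not run kadmin itself, so an administrator reviews each restoration before applying it.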


Resolution

This issue is resolved in the following releases:

SPARC Platform

  • Solaris 9 with patch 112921-06 or later
  • SEAM 1.0.1 for Solaris 8 with patch 110060-16 or later

x86 Platform

  • Solaris 9 with patch 116046-06 or later
  • SEAM 1.0.1 for Solaris 8 with patch 110061-15 or later


Modification History
Date: 02-MAR-2005
  • Final resolution is determined to be current patches; modify Contributing Factors and Resolution sections, re-release as "Resolved".

Date: 25-FEB-2005
  • Resolution patches added for Solaris 9 and SEAM for Solaris 8; update Contributing Factors and Resolution sections


References

112921-06
110061-15
110060-16
116046-06
