Note: This is an archival copy of Security Sun Alert 201799 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001337.1.
Solaris 9 Operating System
Solaris 10 Operating System
Sun Enterprise Authentication Mechanism 1.0
Solaris 7 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
An unprivileged (either authenticated or unauthenticated) remote user may be able to execute arbitrary code with root privileges on Kerberos Key Distribution Center (KDC) systems and thus compromise an entire Kerberos realm due to a heap buffer overflow.
The unprivileged remote user may also be able to trigger an invalid free() and thus crash the KDC daemon (krb5dkc(1M)) on KDC systems thereby creating a Denial of Service (DoS).
These issues are described in MIT krb5 Security Advisory 2005-002, at
These issues are also described in
CERT Vulnerability VU#259798 at http://www.kb.cert.org/vuls/id/259798
CERT Vulnerability VU#885830 at http://www.kb.cert.org/vuls/id/885830
CAN-2005-1174 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174
CAN-2005-1175 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175
These issues can occur in the following releases:
To determine if a system is configured to utilize Kerberos, the following command can be run:
$ grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___
If the command returns no output or the "krb5.conf" file is not found, then the system is not configured for Kerberos.
To determine if a Kerberos configured system is a Key Distribution Center (KDC) host, check to see if the KDC daemon (see krb5kdc(1M)) is running:
$ pgrep krb5kdc || echo "krb5kdc(1M) daemon is NOT running"
To determine if SEAM has been installed, the following command can be run:
$ pkginfo SUNWkr5sv
If the SUNWkr5sv package is present, SEAM is installed on the system.
There are no reliable symptoms that would indicate the described issues have been exploited to execute arbitrary commands as root on a Kerberos host.
In order to prevent users from being able to kill the KDC daemon, sites can disable the KDC daemon from listening for TCP client connections. This can be done by modifying the kdc.conf(4) file and changing the entry for "kdc_tcp_ports" to a value of zero. The KDC daemon, krb5kdc(1M) will need to be restarted after making the above modification.
Note: This change does not protect a system from the heap buffer overflow issue.
These issues are addressed in the following releases:
This solution has no attachment