Note: This is an archival copy of Security Sun Alert 228409 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1017350.1.
Article ID : 1017350.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-08-12
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Kerberos kadm5 Library May Allow Execution of Arbitrary Code



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6538001

Date of Workaround Release
29-MAY-2007

Date of Resolved Release
13-AUG-2007

Impact

A security vulnerability in the kadm5 library shipped with Solaris may allow a remote authenticated user to execute arbitrary code on a host running kadmind(1M), with the privileges of the kadmind process (usually 'root'). This issue affects systems configured as Kerberos Key Distribution Centers (KDC).

In addition, this issue may allow the remote user to compromise the Kerberos key database or cause the affected program to crash, resulting in a Denial of Service (DoS).

This issue is also described in the following documents:

CVE-2007-0957 at

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0957

MIT krb5 Security Advisory 2007-002 at

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • SEAM 1.0.1 (for Solaris 8) without patch 110060-22
  • Solaris 8 without patch 109223-10
  • Solaris 9 without patches 112921-09, 112923-04 and 112925-07
  • Solaris 10 without patch 120473-10

x86 Platform

  • SEAM 1.0.1 (for Solaris 8) without patch 110061-22
  • Solaris 8 without patch 109224-10
  • Solaris 9 without patches 116044-04, 116045-02, 116046-09 and 116175-05
  • Solaris 10 without patch 120037-20

Note: This issue can only occur if the system is configured as a Kerberos Key Distribution Center (KDC).

To determine if a system is configured as a KDC, the following command can be run:

    % ps -ef | grep kadmin
    root   321     1  0   Dec 10 ?    0:00 /usr/krb5/lib/kadmind

If the above command shows that the kadmind(1M) daemon is running, then the machine is configured as a KDC and is affected by this issue.
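The two checks the advisory describes, whether kadmind(1M) is running and whether the patch revisions listed under Contributing Factors are installed, can be combined into a single audit script. The following POSIX sh script is an added example and is not part of the Sun Alert; it reads patch state in the line format printed by "showrev -p" on Solaris 8/9/10 ("Patch: <id>-<rev> ..."), treats an installed revision equal to or newer than the required one as sufficient (Solaris patches are cumulative), and ignores the "grep kadmin" line that the advisory's own ps pipeline produces. The ps and showrev output embedded below is constructed so the script runs offline; the package names in the sample lines are illustrative only.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert: audit a Solaris 8/9/10 host for the
# two conditions this advisory turns on, (1) kadmind(1M) is running, i.e. the
# host is a KDC, and (2) the patch revisions from the Contributing Factors
# section are installed. Patch state is parsed from "showrev -p" lines
# ("Patch: <id>-<rev> Obsoletes: ... Packages: ..."). The sample inputs below
# are constructed for offline use; run with --live "<patch list>" on a host.

# Required patches per platform/release, copied from the advisory.
REQUIRED_SPARC_SEAM="110060-22"
REQUIRED_SPARC_S8="109223-10"
REQUIRED_SPARC_S9="112921-09 112923-04 112925-07"
REQUIRED_SPARC_S10="120473-10"
REQUIRED_X86_SEAM="110061-22"
REQUIRED_X86_S8="109224-10"
REQUIRED_X86_S9="116044-04 116045-02 116046-09 116175-05"
REQUIRED_X86_S10="120037-20"

# Constructed "ps -ef" output: a KDC (kadmind present) and a non-KDC host where
# only the grep itself shows up, which a naive "grep kadmin" would misread.
SAMPLE_PS_KDC='root   321     1  0   Dec 10 ?    0:00 /usr/krb5/lib/kadmind
root   400   399  0 12:00:01 pts/1  0:00 grep kadmin'
SAMPLE_PS_NO_KDC='root   400   399  0 12:00:01 pts/1  0:00 grep kadmin'

# Constructed "showrev -p" output for a SPARC Solaris 9 host: 112921 is newer
# than required, 112923 is exact, 112925 is two revisions too old.
SAMPLE_SHOWREV='Patch: 112921-11 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
Patch: 112923-04 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkdcu
Patch: 112925-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu'

# decimal <digits>: strip leading zeros so "09" compares as 9, "00" as 0.
decimal() {
    printf '%s\n' "$1" | sed 's/^0*\([0-9]\)/\1/'
}

# kdc_running <ps -ef output>: true if a kadmind binary is in the process list.
# Requiring "/kadmind" followed by a space or end of line skips the grep line.
kdc_running() {
    printf '%s\n' "$1" | grep -E -q '/kadmind( |$)'
}

# patch_ok <id-rev> <showrev -p output>: true if a patch with the same base id
# is installed at the required revision or later.
patch_ok() {
    req_base=${1%%-*}
    req_rev=$(decimal "${1##*-}")
    ok=1
    for inst in $(printf '%s\n' "$2" | sed -n "s/^Patch: \($req_base-[0-9]*\).*/\1/p"); do
        inst_rev=$(decimal "${inst##*-}")
        if [ "$inst_rev" -ge "$req_rev" ]; then ok=0; fi
    done
    return $ok
}

# missing_patches <required list> <showrev -p output>: prints the required
# patches that are absent or too old, one per line; true when none are missing.
missing_patches() {
    missing=""
    for p in $1; do
        patch_ok "$p" "$2" || missing="$missing $p"
    done
    for p in $missing; do printf '%s\n' "$p"; done
    [ -z "$missing" ]
}

# audit <ps output> <showrev output> <required list>: prints a verdict;
# returns 0 when the host is not affected, 1 when it is a KDC missing patches.
audit() {
    if ! kdc_running "$1"; then
        echo "kadmind not running: host is not a KDC, not affected by this issue"
        return 0
    fi
    if missing_patches "$3" "$2" >/dev/null; then
        echo "KDC with all required patches installed"
        return 0
    fi
    echo "KDC missing required patches:"
    missing_patches "$3" "$2"
    return 1
}

case "${1:-}" in
    --live)
        # e.g. ./kdc_audit.sh --live "$REQUIRED_SPARC_S10" (pick the list for this host)
        [ -n "${2:-}" ] || { echo "usage: $0 --live \"<required patch list>\"" >&2; exit 2; }
        audit "$(ps -ef)" "$(showrev -p)" "$2" ;;
    *)
        # Offline demonstration on the constructed Solaris 9 SPARC sample.
        audit "$SAMPLE_PS_KDC" "$SAMPLE_SHOWREV" "$REQUIRED_SPARC_S9" || true ;;
esac
```

Run without arguments to see the verdict for the constructed sample (a KDC missing 112925-07); on a real host, pass --live together with the patch list that matches its platform and release, and treat a non-zero exit status as "patch before relying on kadmind".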


Symptoms

There are no predictable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.


Workaround

While it is possible to disable kadmind(1M), this would take down all administrative functionality of the Kerberos environment. The Kerberos realm itself would remain usable while kadmind is down.


Resolution

This issue is addressed in the following releases:

SPARC Platform

  • SEAM 1.0.1 (for Solaris 8) with patch 110060-22 or later
  • Solaris 8 with patch 109223-10 or later
  • Solaris 9 with patches 112921-09, 112923-04 and 112925-07 or later (for all patches)
  • Solaris 10 with patch 120473-10 or later

x86 Platform

  • SEAM 1.0.1 (for Solaris 8) with patch 110061-22 or later
  • Solaris 8 with patch 109224-10 or later
  • Solaris 9 with patches 116044-04, 116045-02, 116046-09 and 116175-05 or later (for all patches)
  • Solaris 10 with patch 120037-20 or later

Note: When SEAM 1.0.1 is run on a Solaris 8 system, both the SEAM 1.0.1 and Solaris 8 patches listed above should be installed to resolve this issue.



Modification History
Date: 18-JUN-2007
  • Updated Contributing Factors and Resolution sections

Date: 31-JUL-2007
  • Updated Contributing Factors, Relief/Workaround and Resolution sections

Date: 13-AUG-2007
  • Updated Contributing Factors and Resolution sections
  • State: Resolved


References

120473-10
120037-20
110060-22
110061-22
109223-10
109224-10
112921-09
112923-04
112925-07
116044-04
116045-02
116046-09
116175-05



