Note: This is an archival copy of Security Sun Alert 275530 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1021779.1.
Article ID : 1021779.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2010-03-17
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Integer Overflow Security Vulnerability in AES and RC4 Decryption in the Solaris Kerberos Crypto Library May Lead to Execution of Arbitrary Code or a Denial of Service (DoS)



Category
Security

Release Phase
Resolved

Bug Id
6908114

Product
Solaris 10 Operating System
OpenSolaris

Date of Workaround Release
12-Jan-2010

Date of Resolved Release
18-Mar-2010


1. Impact

An integer overflow security vulnerability in the Solaris Kerberos (see kerberos(5)) crypto library
may allow an unprivileged local or remote user to cause one of the Kerberos daemons to crash, or,
under extraordinarily unlikely conditions, execute arbitrary code with elevated privileges by inducing
the decryption of an invalid AES or RC4 ciphertext. If a master or slave Key Distribution Center (KDC)
is compromised then all services relying on that KDC for authentication may be compromised as well.

This issue is also referenced in:

    MIT krb5 Security Advisory 2009-004
    http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2009-004.txt

    CVE-2009-4212
    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4212




2. Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 10 without patch 141500-06
  • OpenSolaris based upon builds snv_01 through snv_131

x86 Platform

  • Solaris 10 without patch 141501-07
  • OpenSolaris based upon builds snv_01 through snv_131

Note 1: Solaris 8 and Solaris 9 are not impacted by this issue.

Note 2: This issue only affects systems configured to use Kerberos. To determine
if a system is configured to use Kerberos, the following command may be run:

    $ test -f /etc/krb5/krb5.conf && grep default_realm /etc/krb5/krb5.conf \
        || echo "System is not configured to use Kerberos."

If there is no krb5.conf(4) Kerberos configuration file or if the output of the above
command is as follows:

    default_realm = ___default_realm___

then the system is not configured to use Kerberos.

Note 3: OpenSolaris distributions may include additional bug fixes above and beyond
the build from which they were derived. The base build can be determined as follows:

    $ uname -v
    snv_101
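The two scoping checks above (Note 2: is Kerberos configured at all, including the placeholder-realm case; Note 3 and the Contributing Factors lists: is the system at an affected patch or build level) can be combined into one script. The following is an added example, not part of the Sun Alert; it assumes the "Patch: <id>-<rev> ..." line format of showrev -p output, and the config file contents, showrev output and build strings it uses are constructed sample data, not output from a real system.

```shell
#!/bin/sh
# Added example (not from the Sun Alert). Checks the conditions the advisory
# uses to scope exposure: whether Kerberos is configured, and whether the
# system is at a Solaris 10 patch revision or OpenSolaris build listed as
# affected. All sample inputs below are constructed.

# Returns 0 when the given krb5.conf declares a real default_realm, 1 otherwise.
# Mirrors the advisory's rule: a missing file, or the placeholder value
# "___default_realm___", means Kerberos is not configured.
krb5_configured() {
    conf="$1"
    [ -f "$conf" ] || return 1
    realm=$(sed -n 's/^[[:space:]]*default_realm[[:space:]]*=[[:space:]]*//p' "$conf" \
            | sed 's/[[:space:]]*$//' | head -n 1)
    [ -n "$realm" ] || return 1
    [ "$realm" != "___default_realm___" ] || return 1
    return 0
}

# Returns 0 when "showrev -p" output (file $1) shows patch $2 installed at
# revision >= $3, 1 otherwise. The highest listed revision wins.
# Assumes lines of the form "Patch: 141500-05 Obsoletes: ... Packages: ...".
patch_at_least() {
    showrev_out="$1"; patch_id="$2"; min_rev="$3"
    best=0
    for rev in $(sed -n "s/^Patch: ${patch_id}-\([0-9][0-9]*\).*/\1/p" "$showrev_out"); do
        rev=$(printf '%s' "$rev" | sed 's/^0*//'); rev=${rev:-0}   # "06" -> 6
        [ "$rev" -gt "$best" ] && best=$rev
    done
    min_rev=$(printf '%s' "$min_rev" | sed 's/^0*//'); min_rev=${min_rev:-0}
    [ "$best" -ge "$min_rev" ]
}

# Returns 0 when a "uname -v" string such as snv_131 falls in the affected
# range snv_01 through snv_131, 1 otherwise (snv_132 and later are fixed).
snv_build_affected() {
    case "$1" in
        snv_[0-9]*) ;;
        *) return 1 ;;
    esac
    build=$(printf '%s' "$1" | sed 's/^snv_0*//'); build=${build:-0}
    [ "$build" -ge 1 ] && [ "$build" -le 131 ]
}

# Solaris 10 assessment: prints one of not-configured / patched / affected.
# $1 krb5.conf path, $2 showrev -p output file, $3 patch id, $4 minimum revision.
assess_solaris10() {
    if ! krb5_configured "$1"; then echo "not-configured"; return 0; fi
    if patch_at_least "$2" "$3" "$4"; then echo "patched"; else echo "affected"; fi
}

# OpenSolaris assessment: $1 krb5.conf path, $2 "uname -v" string.
assess_opensolaris() {
    if ! krb5_configured "$1"; then echo "not-configured"; return 0; fi
    if snv_build_affected "$2"; then echo "affected"; else echo "patched"; fi
}

# --- constructed sample inputs (not real system output) ---
sample_dir=$(mktemp -d)
cat > "$sample_dir/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = EXAMPLE.COM
EOF
cat > "$sample_dir/krb5_placeholder.conf" <<'EOF'
[libdefaults]
        default_realm = ___default_realm___
EOF
cat > "$sample_dir/showrev_old.txt" <<'EOF'
Patch: 141500-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
EOF
cat > "$sample_dir/showrev_new.txt" <<'EOF'
Patch: 141500-05 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
Patch: 141500-06 Obsoletes:  Requires:  Incompatibles:  Packages: SUNWkrbu
EOF

# Demonstration runs (SPARC Solaris 10 needs 141500-06; x86 needs 141501-07).
echo "SPARC, old patch:      $(assess_solaris10 "$sample_dir/krb5.conf" "$sample_dir/showrev_old.txt" 141500 06)"
echo "SPARC, fixed patch:    $(assess_solaris10 "$sample_dir/krb5.conf" "$sample_dir/showrev_new.txt" 141500 06)"
echo "placeholder realm:     $(assess_solaris10 "$sample_dir/krb5_placeholder.conf" "$sample_dir/showrev_old.txt" 141500 06)"
echo "OpenSolaris snv_131:   $(assess_opensolaris "$sample_dir/krb5.conf" snv_131)"
echo "OpenSolaris snv_132:   $(assess_opensolaris "$sample_dir/krb5.conf" snv_132)"
```

On a real host the arguments would be /etc/krb5/krb5.conf, a file holding the output of showrev -p, and the output of uname -v; the functions only read those inputs and never modify the system.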



3. Symptoms

There are no predictable symptoms that would indicate the described issue
has been exploited to execute arbitrary code or to cause heap corruption. If the
described issue has been exploited to cause a Denial of Service (DoS), the
symptoms will depend on which Kerberos component has been impacted.




4. Workaround

There is no workaround. Please see Resolution section below.


5. Resolution

This issue is addressed in the following releases:

SPARC Platform

  • Solaris 10 with patch 141500-06 or later
  • OpenSolaris based upon build snv_132

x86 Platform

  • Solaris 10 with patch 141501-07 or later
  • OpenSolaris based upon build snv_132



Modification History
18-Mar-2010: Updated Contributing Factors, Workaround and Resolution sections. Now Resolved.


References

141500-06
141501-07




