Note: This is an archival copy of Security Sun Alert 200604 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1000466.1.
Article ID : 1000466.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-08-14
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code Execution

Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id
6562672

Date of Workaround Release
27-JUN-2007

Date of Resolved Release
15-AUG-2007

Impact

A security vulnerability in the Kerberos administration daemon (kadmind(1M)) may allow a remote authenticated user to be able to execute arbitrary commands on Kerberos Key Distribution Center(KDC) systems with the privilegs of the kadmind(1M) daemon (usually root). This issue may also allow the remote user to compromise the Kerberos key database or cause the kadmind(1M) daemon to crash, which is a form of Denial of Service (DoS).

This issue is referenced in the following documents:


Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • SEAM 1.0.1 (for Solaris 8) without patch 110060-22
  • Solaris 9 without patch 112925-07
  • Solaris 10 without patch 120473-12

x86 Platform

  • SEAM 1.0.1 (for Solaris 8) without patch 110061-22
  • Solaris 9 without patch 116044-04
  • Solaris 10 without patch 120037-22

Note 1: Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 8 and 9. For more information on SEAM, please see the SEAM(5) man page.

Note 2: To determine if the SEAM unbundled product is installed on a host, the following command can be used:

    $pkginfo SUNWkr5ma
    system      SUNWkr5ma      Kerberos V5 Master KDC

Note 3: This issue only occurs if the system is configured as a Key Distribution Center (KDC).

To determine if the system is configured as a Key Distribution Center, the following command can be used:

    % ps -ef | grep kadmin
    root   321     1  0   Dec 10 ?        0:00
    /usr/krb5/lib/kadmind

If the above command shows that the daemon kadmind(1M) is running, then the machine is configured as the Key Distribution Center (KDC).


Symptoms

There are no reliable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.


Workaround

To work around the described issue, kadmind(1M) could be disabled, however this would take down all administrative functionality of the Kerberos environment. The Kerberos realm itself would remain usable while kadmind(1M) is down.

To disable kadmind(1M) on Solaris 8 and Solaris 9 systems, the following command can be used:

    # pkill kadmind

Resolution

This issue is addressed in the following release:

SPARC Platform

  • SEAM 1.0.1 (for Solaris 8) with patch 110060-22 or later
  • Solaris 9 with patch 112925-07 or later
  • Solaris 10 with patch 120473-12 or later

x86 Platform

  • SEAM 1.0.1 (for Solaris 8) with patch 110061-22 or later
  • Solaris 9 with patch 116044-04 or later
  • Solaris 10 with patch 120037-22 or later


Modification History
Date: 12-JUL-2007
  • Updated Contributing Factors and Resolution sections

Date: 18-JUL-2007
  • Updated Contributing Factors and Resolution sections

Date: 31-JUL-2007
  • Updated Contributing Factors and Resolution sections

Date: 15-AUG-2007
  • State: Resolved
  • Updated Contributing Factors and Resolution sections


References

120473-12
120037-22
110060-22
110061-22
112925-07
116044-04




Attachments
This solution has no attachment