Note: This is an archival copy of Security Sun Alert 201582 as previously published on http://sunsolve.sun.com.|
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001187.1.
Solaris 9 Operating System
Solaris 8 Operating System
Date of Workaround Release
Date of Resolved Release
Due to a heap buffer overflow, an authenticated user (not necessarily one with administrative privileges) could execute arbitrary code on the Kerberos Key Distribution Center (KDC) host, compromising the entire Kerberos realm.
This issue is described in the following documents:
MIT krb5 Security Advisory at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt
CVE CAN-2004-1189 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2004-1189
This issue can occur in the following releases:
This issue may occur if the machine is configured as the Key Distribution Center (KDC). To verify this, the following command can be run:
% ps -ef | grep kadmin
    root   321     1  0   Dec 10 ?        0:00 /usr/krb5/lib/kadmind
If the above command shows that the daemon kadmind(1M) is running, then the machine is configured as the Key Distribution Center (KDC).
There are no predictable symptoms that would indicate the described issue has been exploited.
It is advised that the history count NOT be decreased on any policy in the Kerberos realm. If the count has already been decreased, it is advised to change it back to the previous higher value. (The Kerberos password history count is the number of a principal's previous passwords that are kept on record and may not be reused.)
To administer Kerberos, use kadmin(1M). To get the current history count, the following command can be run at the kadmin(1M) prompt:
kadmin: get_policy <name of the policy>
Policy: ...
...
Number of old keys kept: 3
...
Here, the history count is the number of "old keys" kept. If the history count has been changed from a higher number to the current lower number, change it back to the previous higher number. This can be done by running the following command at the kadmin(1M) prompt:
kadmin: modify_policy -history <number> default
Please refer to kadmin(1M) man pages for further details.
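The following audit script is an added example, not part of the Sun Alert, that applies the workaround check above to every policy in the realm: it reads each policy's "Number of old keys kept" and flags any policy whose count is lower than a recorded baseline. It assumes kadmin.local supports the -q query option, that its get_policy output uses the line format shown above, and that a baseline file with one "policy-name count" pair per line has been kept from before the change.

```shell
#!/bin/sh
# Added example (not from the Sun Alert): audit Kerberos policy history
# counts against a recorded baseline so that a lowered count is noticed.

# Read get_policy output on stdin and print the history count
# ("Number of old keys kept"). Returns 1 if the line is absent.
history_count() {
    n=$(sed -n 's/^Number of old keys kept: *//p')
    [ -n "$n" ] || return 1
    echo "$n"
}

# Compare one policy's current count with its baseline.
# Returns 1 (and prints a warning) if the count has been decreased.
check_policy() {
    policy=$1; current=$2; baseline=$3
    if [ "$current" -lt "$baseline" ]; then
        echo "WARNING: policy '$policy' history count lowered from $baseline to $current"
        return 1
    fi
    echo "ok: policy '$policy' history count $current (baseline $baseline)"
    return 0
}

# Walk every policy in the realm. The baseline file holds lines of
# "<policy-name> <count>"; a policy with no baseline entry is accepted
# as-is. Assumes kadmin.local -q (MIT kadmin interface) is available.
audit_realm() {
    baseline_file=$1
    rc=0
    for p in $(kadmin.local -q list_policies | grep -v '^Authenticating'); do
        cur=$(kadmin.local -q "get_policy $p" | history_count) \
            || { echo "could not read history count for '$p'"; rc=1; continue; }
        base=$(awk -v p="$p" '$1 == p { print $2 }' "$baseline_file")
        check_policy "$p" "$cur" "${base:-$cur}" || rc=1
    done
    return $rc
}

# Usage on the KDC:  audit_realm /var/krb5/policy-baseline.txt
```

A non-zero exit from audit_realm means at least one policy needs its count restored with modify_policy -history.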
This issue is resolved in the following releases: