Note: This is an archival copy of Security Sun Alert 201799 as previously published on http://sunsolve.sun.com.
Latest version of this security advisory is available from http://support.oracle.com as Sun Alert 1001337.1.
Article ID : 1001337.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2006-01-31
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerabilities in the Kerberos Key Distribution Center (KDC) Daemon



Category
Security

Release Phase
Resolved

Product
Solaris 9 Operating System
Solaris 10 Operating System
Sun Enterprise Authentication Mechanism 1.0
Solaris 7 Operating System
Solaris 8 Operating System

Bug Id
6261685

Date of Workaround Release
12-JUL-2005

Date of Resolved Release
04-OCT-2005

Impact

An unprivileged (either authenticated or unauthenticated) remote user may be able to execute arbitrary code with root privileges on Kerberos Key Distribution Center (KDC) systems and thus compromise an entire Kerberos realm due to a heap buffer overflow.

The unprivileged remote user may also be able to trigger an invalid free() and thus crash the KDC daemon (krb5kdc(1M)) on KDC systems, thereby creating a Denial of Service (DoS).

These issues are described in MIT krb5 Security Advisory 2005-002, at

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-002-kdc.txt

These issues are also described in

CERT Vulnerability VU#259798 at http://www.kb.cert.org/vuls/id/259798

CERT Vulnerability VU#885830 at http://www.kb.cert.org/vuls/id/885830

and:

CAN-2005-1174 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1174

CAN-2005-1175 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1175


Contributing Factors

These issues can occur in the following releases:

SPARC Platform

  • SEAM 1.0 (for Solaris 7) without patch 112536-06
  • SEAM 1.0.1 (for Solaris 8) without patch 112237-13
  • SEAM 1.0.2 (for Solaris 9) without patch 112908-20
  • Solaris 8 without patch 112237-13
  • Solaris 8 with the Solaris Supplemental Encryption packages and without patch 112390-11
  • Solaris 9 without patch 112908-20
  • Solaris 10 without patch 120469-01

x86 Platform

  • SEAM 1.0 (for Solaris 7) without patch 112537-06
  • SEAM 1.0.1 (for Solaris 8) without patch 112238-12
  • SEAM 1.0.2 (for Solaris 9) without patch 115168-08
  • Solaris 8 without patch 112238-12
  • Solaris 8 with the Solaris Supplemental Encryption packages and without patch 112240-10
  • Solaris 9 without patch 115168-08
  • Solaris 10 without patch 120470-01

Notes:

  1. Only systems that are configured to utilize Kerberos and are configured as a Key Distribution Center (KDC) host are affected by these issues.
  2. Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 7, 8 and 9. For more information on SEAM, please see the SEAM(5) man page.
  3. Different components of the SEAM product have migrated to Solaris over time and thus both Solaris 9 and SEAM 1.0.2 are impacted. This is also the reason that there is no SEAM product for Solaris 10.

To determine if a system is configured to utilize Kerberos, the following command can be run:

    $ grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___

If the command returns no output or the "krb5.conf" file is not found, then the system is not configured for Kerberos.

To determine if a Kerberos-configured system is a Key Distribution Center (KDC) host, check to see if the KDC daemon (see krb5kdc(1M)) is running:

    $ pgrep krb5kdc || echo "krb5kdc(1M) daemon is NOT running"

To determine if SEAM has been installed, the following command can be run:

    $ pkginfo SUNWkr5sv

If the SUNWkr5sv package is present, SEAM is installed on the system.


Symptoms

There are no reliable symptoms that would indicate the described issues have been exploited to execute arbitrary commands as root on a Kerberos host.


Workaround

In order to prevent users from being able to kill the KDC daemon, sites can disable the KDC daemon from listening for TCP client connections. This can be done by modifying the kdc.conf(4) file and changing the entry for "kdc_tcp_ports" to a value of zero. The KDC daemon, krb5kdc(1M), will need to be restarted after making the above modification.

Note: This change does not protect a system from the heap buffer overflow issue.
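The exposure test from Contributing Factors and the kdc.conf change from the Workaround, as an added example that is not part of the Sun Alert: two POSIX shell functions that take the configuration file path as an argument so they can be run against a copy of the file, plus a small status wrapper. Assumed here: a missing "kdc_tcp_ports" entry is reported as "workaround not applied", a non-zero value anywhere in the file (including a per-realm override) counts as TCP still enabled, and whether krb5kdc(1M) was restarted is not checked.

```shell
#!/bin/sh
# Added example, not part of the Sun Alert. Mirrors the advisory's
# default_realm test and checks the kdc_tcp_ports = 0 workaround.

# krb5_configured FILE
# Succeeds when FILE (normally /etc/krb5/krb5.conf) sets a real
# default_realm, i.e. not the ___default_realm___ template value.
# A missing or unreadable file means "not configured", as in the advisory.
krb5_configured() {
    [ -r "$1" ] || return 1
    grep default_realm "$1" | grep -v ___default_realm___ >/dev/null
}

# kdc_tcp_disabled FILE
# Succeeds when every kdc_tcp_ports entry in FILE (normally
# /etc/krb5/kdc.conf) is 0 and at least one such entry exists.
# Assumption: an absent entry, or a non-zero value in any section
# (e.g. a per-realm override), is reported as "TCP still enabled".
kdc_tcp_disabled() {
    [ -r "$1" ] || return 1
    awk '
        /^[ \t]*kdc_tcp_ports[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)   # keep the text after "="
            sub(/[ \t#].*$/, "", val)       # drop any trailing comment
            if (val == "0") zero++; else nonzero++
        }
        END { exit !(zero > 0 && nonzero == 0) }
    ' "$1"
}

# kdc_workaround_status KRB5CONF KDCCONF
# Exit status: 0 = workaround applied, 1 = KDC still accepts TCP,
# 2 = host is not configured for Kerberos (nothing to do).
kdc_workaround_status() {
    if ! krb5_configured "$1"; then
        echo "not configured for Kerberos: nothing to do"; return 2
    fi
    if kdc_tcp_disabled "$2"; then
        echo "kdc_tcp_ports = 0: TCP DoS workaround applied"; return 0
    fi
    echo "kdc_tcp_ports is not 0: KDC still accepts TCP; apply the workaround or patch"
    return 1
}
```

Run as `kdc_workaround_status /etc/krb5/krb5.conf /etc/krb5/kdc.conf` on a KDC host; a status of 0 only confirms the DoS workaround, not protection from the heap overflow, which requires the patches listed under Resolution.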


Resolution

These issues are addressed in the following releases:

SPARC Platform

  • Solaris 7 with patch 112536-06 or later
  • Solaris 8 with the Solaris Supplemental Encryption packages and with patch 112390-11 or later
  • Solaris 8 with patch 112237-13 or later
  • Solaris 9 with patch 112908-20 or later
  • Solaris 10 with patch 120469-01 or later

x86 Platform

  • Solaris 7 with patch 112537-06 or later
  • Solaris 8 with the Solaris Supplemental Encryption packages and with patch 112240-10 or later
  • Solaris 8 with patch 112238-12 or later
  • Solaris 9 with patch 115168-08 or later
  • Solaris 10 with patch 120470-01 or later


Modification History

02-Aug-2005:

  • Update Contributing Factors and Resolution sections

16-Aug-2005:

  • Updated Contributing Factors and Resolution sections

14-Sep-2005:

  • Update Contributing Factors and Resolution sections; re-release as Resolved

29-Sep-2005:

  • Updated Contributing Factors and Resolution sections

04-Oct-2005:

  • Updated Contributing Factors and Resolution sections; re-release as Resolved


References

112390-11
120469-01
120470-01
112240-10
112238-12
112237-13
112536-06
112537-06



