CERT/CC Vulnerability Note VU#442569

Overview

Several cryptographic vulnerabilities exist in the basic Kerberos version 4 protocol that could allow an attacker to impersonate any user in a Kerberos realm and gain any privilege authorized through that Kerberos realm.

Description

The MIT Kerberos Development team has discovered a serious cryptographic flaw in the Kerberos version 4 protocol. This flaw could allow an attacker to compromise the entire affected Kerberos realm. In addition to the vulnerability described in VU#623217, an additional vulnerability was discovered in the MIT Kerberos implementation of triple-DES encryption of service tickets.

From the MIT advisory:

"As a result of concerns about single DES weaknesses, MIT implemented support for Kerberos 4 tickets encrypted in triple DES service keys. This support shares all the cryptographic weaknesses of single DES Kerberos 4. In addition, since it uses CBC mode rather than PCBC mode, it introduces new weaknesses not found in other Kerberos 4 implementations. When certain alignment constraints are met, it is possible to splice two tickets together, allowing an attacker to get a ticket with a known session key for a client without knowing that client's long term key. This attack does require sniffing a ticket for that client."

As a result, MIT implementations of Kerberos version 5 or derived implementations that include support for triple-DES keys in Kerberos version 4 are vulnerable.

Impact

In addition to the impacts described for VU#623217, an attacker may impersonate any principal to a service keyed with triple-DES Kerberos version 4 keys, given the ability to capture network traffic containing tickets for the target client principal.

Solution

Apply a patch from the vendor

The MIT Kerberos team has released MIT krb5 Security Advisory 2003-004 regarding this vulnerability. Sites are strongly encouraged to apply the patches referenced in the advisory.

Workarounds

In the absence of patching, the following workarounds have been proposed by the MIT Kerberos team:

1) V4 Cross Realm Considered Harmful
Kerberos implementations should gain an option to disable Kerberos 4 cross-realm authentication both in the KDC and in any implementations of the krb524 protocol. This configuration should be the default.
2) Application Migration
Application vendors and sites should migrate from Kerberos version 4 to Kerberos version 5. The OpenAFS community has introduced features that allow Kerberos 5 to be used for AFS in OpenAFS 1.2.8. Patches are available to add Kerberos 5 support to OpenSSH. Several other implementations of the SSH protocol also support Kerberos 5. Applications such as IMAP, POP and LDAP already support Kerberos 5.
3) TGT Key Separation
One motivation for the V4 triple DES support is that if a single DES key exists for the TGT principal then an attacker can attack that key both for v4 and v5 tickets. Kerberos implementations should gain support for a DES TGT key that is used for v4 requests but not v5 requests.
4) Remove Triple DES Kerberos 4 Support
The cut and paste attack is a critical failure in MIT's attempt at Kerberos 4 Triple DES. Even without cross-realm authentication, this can be exploited in real-world situations. As such the support for 3DES service keys should be disabled.

Vendor Information

442569

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Conectiva Affected

Debian Affected

Gentoo Linux Affected

MandrakeSoft Affected

Red Hat Inc. Affected

Wirex Affected

Hitachi Not Affected

Ingrian Networks Not Affected

Juniper Networks Not Affected

Lotus Software Not Affected

Microsoft Corporation Not Affected

Xerox Not Affected

3Com Unknown

AT&T Unknown

Apple Computer Inc. Unknown

Avaya Unknown

BSDI Unknown

Cisco Systems Inc. Unknown

Cray Inc. Unknown

D-Link Systems Unknown

Data General Unknown

F5 Networks Unknown

Foundry Networks Inc. Unknown

FreeBSD Unknown

Fujitsu Unknown

Guardian Digital Inc. Unknown

Hewlett-Packard Company Unknown

IBM-zSeries Unknown

Intel Unknown

KTH Kerberos Unknown

Lucent Technologies Unknown

MiT Kerberos Development Team Unknown

MontaVista Software Unknown

Multi-Tech Systems Inc. Unknown

NEC Corporation Unknown

NETBSD Unknown

NeXT Unknown

NetScreen Unknown

Network Appliance Unknown

Nokia Unknown

Nortel Networks Unknown

OpenAFS Unknown

OpenBSD Unknown

Openwall GNU/*/Linux Unknown

Redback Networks Inc. Unknown

Riverstone Networks Unknown

SGI Unknown

Sequent Unknown

Sony Corporation Unknown

SuSE Inc. Unknown

Sun Microsystems Inc. Unknown

The SCO Group (SCO Linux) Unknown

The SCO Group (SCO UnixWare) Unknown

Unisys Unknown

Wind River Systems Inc. Unknown

View all 55 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt

Acknowledgements

The CERT/CC thanks Sam Hartman, Ken Raeburn, and Tom Yu of the Kerberos group at MIT for their detailed analysis and report of this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs:	CVE-2003-0139
Severity Metric:	8.91
Date Public:	2003-03-15
Date First Published:	2003-03-20
Date Last Updated:	2003-05-09 19:11 UTC
Document Revision:	14

Software Engineering Institute

CERT Coordination Center

MIT Kerberos vulnerable to ticket splicing when using Kerberos4 triple DES service tickets

Vulnerability Note VU#442569