Overview
Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.
Description
A remotely exploitable buffer overflow exists in the Kerberos administration daemon in both the MIT and KTH Kerberos implementations. The administration daemon handles requests for changes to the Kerberos database and runs on the master Key Distribution Center (KDC) system of a Kerberos realm. The master KDC contains the authoritative copy of the Kerberos database, so it is a critical part of a site's Kerberos infrastructure. The buffer overflow can be triggered when the daemon parses an unchecked length value contained in an administrative request read from the network. An attacker does not have to authenticate in order to exploit this vulnerability, and the Kerberos administration daemon runs with root privileges. Further information is available in MIT krb5 Security Advisory 2002-002. MIT has also provided a description of the attack signature against kadmind4.
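The bug class described above (a length taken from the network and used as a copy size) is shown here beside a bounds-checked parser. This is an added example, not code from MIT, KTH or the original advisory; the message layout, FIELD_MAX, struct field and the function names are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 256  /* assumed capacity of the daemon's fixed-size buffer */

struct field {                      /* hypothetical parsed request field */
    uint32_t length;
    unsigned char data[FIELD_MAX];
};

enum { PARSE_OK = 0, PARSE_TRUNCATED = -1, PARSE_TOO_LONG = -2 };

/* Decode a 4-byte big-endian length byte by byte (no alignment or
 * host-endianness assumptions). */
static uint32_t read_be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* BEFORE: the length comes straight from the request and is used as the
 * copy size, so a claimed length above FIELD_MAX writes past out->data.
 * Kept for contrast only; nothing in this example calls it. */
int parse_field_unchecked(const unsigned char *msg, struct field *out)
{
    out->length = read_be32(msg);
    memcpy(out->data, msg + 4, out->length);    /* no bound on length */
    return PARSE_OK;
}

/* AFTER: validate the claimed length against both the destination buffer
 * and the number of bytes actually received before copying anything. */
int parse_field_checked(const unsigned char *msg, size_t msg_len,
                        struct field *out)
{
    uint32_t claimed;

    if (msg_len < 4)
        return PARSE_TRUNCATED;             /* not even a length prefix */
    claimed = read_be32(msg);
    if (claimed > sizeof out->data)
        return PARSE_TOO_LONG;              /* would overflow the destination */
    if (claimed > msg_len - 4)
        return PARSE_TRUNCATED;             /* would read past the source */
    memcpy(out->data, msg + 4, claimed);
    out->length = claimed;
    return PARSE_OK;
}

/* Constructed sample requests (not captured traffic). */
static const unsigned char sample_ok[]    = {0, 0, 0, 3, 'a', 'b', 'c'};
static const unsigned char sample_huge[]  = {0, 0, 0x10, 0, 'x'};    /* claims 4096 */
static const unsigned char sample_short[] = {0, 0, 0, 8, 'x', 'y'};  /* claims 8, has 2 */

int main(void)
{
    struct field f;

    printf("ok    -> %d\n", parse_field_checked(sample_ok, sizeof sample_ok, &f));
    printf("huge  -> %d\n", parse_field_checked(sample_huge, sizeof sample_huge, &f));
    printf("short -> %d\n", parse_field_checked(sample_short, sizeof sample_short, &f));
    return 0;
}
```

Rejecting the request when the claimed length exceeds the buffer, rather than truncating the copy, also leaves a clear event for the daemon to log.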
Impact
An unauthenticated, remote attacker could execute arbitrary code with root privileges.
Solution
Vendor Information
Apple Computer Inc. Affected
Notified: October 24, 2002 Updated: October 30, 2002
Status
Affected
Vendor Statement
The Kerberos Administration Daemon was included in Mac OS X 10.0, but removed in Mac OS X 10.1 and later.
We encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
If you have feedback, comments, or additional information about this vulnerability, please send us email.
Conectiva Affected
Notified: October 24, 2002 Updated: November 06, 2002
Status
Affected
Vendor Statement
Our MIT Kerberos 5 packages in Conectiva Linux 8 do contain the vulnerable kadmind4 daemon, but it is not used by default nor is it installed as a service.
Updated packages are being uploaded to our ftp server and should be available in a few hours at:
ftp://atualizacoes.conectiva.com.br/8/
The krb5-server-1.2.3-3U8_3cl.i386.rpm package contains a patched kadmind4 daemon. An announcement will be sent to our security mailing list a few hours after the upload is complete.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see Conectiva Linux Announcement CLSA-2002:534 (English).
Debian Affected
Notified: October 24, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
Please reference Debian Security Advisories DSA-183 (krb5), DSA-184 (krb4), and DSA-185 (Heimdal).
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
In the initial (2002-10-25) version of CERT Advisory CA-2002-29, we mistakenly included a reference to Debian Security Advisory DSA-178. This was an error: DSA-178 does not address the vulnerability described in CA-2002-29 and VU#875073. Debian Security Advisory DSA-185 includes the Heimdal fixes in DSA-178 in addition to the fix for the vulnerability described in CA-2002-29 and VU#875073.
FreeBSD Affected
Notified: October 24, 2002 Updated: November 13, 2002
Status
Affected
Vendor Statement
Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons were vulnerable and have been corrected as of 23 October 2002. In addition, the heimdal and krb5 ports contained the same vulnerability and have been corrected as of 24 October 2002. A Security Advisory is in progress.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please see FreeBSD-SA-02:40.kadmind.
Gentoo Linux Affected
Updated: November 08, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
--------------------------------------------------------------------
GENTOO LINUX SECURITY ANNOUNCEMENT 200210-011
--------------------------------------------------------------------
PACKAGE : krb5
SUMMARY : buffer overflow
DATE    : 2002-10-28 14:10 UTC
EXPLOIT : remote
--------------------------------------------------------------------
A stack buffer overflow in the implementation of the Kerberos v4
compatibility administration daemon (kadmind4) in the MIT krb5
distribution can be exploited to gain unauthorized root access to a
KDC host. The attacker does not need to authenticate to the daemon to
successfully perform this attack. At least one exploit is known to
exist in the wild, and at least one attacker is reasonably competent
at cleaning up traces of intrusion.
Read the full advisory at
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
SOLUTION
It is recommended that all Gentoo Linux users who are running
app-crypt/krb5 and earlier update their systems as follows:
emerge rsync
emerge krb5
emerge clean
--------------------------------------------------------------------
aliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz
--------------------------------------------------------------------
Hewlett-Packard Company Affected
Notified: October 24, 2002 Updated: February 14, 2003
Status
Affected
Vendor Statement
Source: Hewlett-Packard Company Software Security Response Team
RE: CERT VU#875073 CA-2002-29
cross reference id: SSRT2396
HP's implementation for the following Operating Systems Software are not affected by this potential buffer overflow vulnerability in the kadmind4 daemon.
HP-UX
HP-MPE/ix
HP Tru64 UNIX
HP OpenVMS
HP NonStop Servers
To report potential security vulnerabilities in HP software, send an E-mail message to: security-alert@hp.com
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
HP Secure OS Software for Linux is affected (HPSBTL0211-077).
IBM Affected
Notified: October 24, 2002 Updated: February 14, 2003
Status
Affected
Vendor Statement
The IBM pSeries Parallel Systems Support Programs (PSSP) implementation of Kerberos V4 (shipped with PSSP) is potentially vulnerable to the Kerberos V4 administration daemon buffer overflow described in CA-2002-29. For more information, see:
http://techsupport.services.ibm.com/server/nav?fetch=/spflashes/home.html
Click on the Service Flash for "Potential Kerberos V4 security vulnerability." This link also contains APAR numbers and solution information.
The IBM Network Authentication Service (NAS) product is not vulnerable to the buffer overflow vulnerability in the kadmind4 daemon. NAS is currently at release 1.3 and is available from the AIX Expansion Pack. The kadmind4 daemon is not part of the NAS product.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
It is possible that PSSP and other IBM and third-party applications using DCE/Kerberos 5 may be vulnerable if they support Kerberos 4 administration.
KTH Kerberos Affected
Notified: October 24, 2002 Updated: October 30, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
KTH has released updated versions of eBones (Kerberos 4) and Heimdal (Kerberos 5).
MIT Kerberos Development Team Affected
Notified: October 24, 2002 Updated: October 30, 2002
Status
Affected
Vendor Statement
MIT has released MIT krb5 Security Advisory 2002-002.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
MandrakeSoft Affected
Notified: October 24, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
Please reference MandrakeSoft Security Advisory MDKSA-2002:073.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NetBSD Affected
Notified: October 24, 2002 Updated: October 30, 2002
Status
Affected
Vendor Statement
Please see NetBSD-SA2002-026.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
OpenBSD Affected
Notified: October 24, 2002 Updated: November 08, 2002
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
Please reference Security Fix 001 for OpenBSD 3.2, Security Fix 016 for OpenBSD 3.1, and Security Fix 033 for OpenBSD 3.0.
Red Hat Inc. Affected
Notified: October 24, 2002 Updated: November 07, 2002
Status
Affected
Vendor Statement
Releases of Red Hat Linux version 6.2 and higher include versions of MIT Kerberos that are vulnerable to this issue; however the vulnerable administration server, kadmind4, has never been enabled by default. We are currently working on producing errata packages. When complete these will be available along with our advisory at the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.
http://rhn.redhat.com/errata/RHSA-2002-242.html
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sorceror Linux Affected
Updated: February 14, 2003
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
<http://online.securityfocus.com/archive/1/297604/2002-10-22/2002-10-28/2>
BSDI Not Affected
Notified: October 24, 2002 Updated: October 24, 2002
Status
Not Affected
Vendor Statement
No version of BSD/OS is vulnerable to this problem.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Cray Inc. Not Affected
Notified: October 24, 2002 Updated: November 08, 2002
Status
Not Affected
Vendor Statement
Cray, Inc. is not vulnerable as the Kerberos administration daemon is not included in any of our operating systems.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Microsoft Corporation Not Affected
Notified: October 24, 2002 Updated: October 30, 2002
Status
Not Affected
Vendor Statement
Microsoft's implementation of Kerberos is not affected by this vulnerability.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Openwall GNU/*/Linux Not Affected
Notified: October 24, 2002 Updated: October 30, 2002
Status
Not Affected
Vendor Statement
Openwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
SuSE Inc. Not Affected
Notified: October 24, 2002 Updated: October 30, 2002
Status
Not Affected
Vendor Statement
SuSE Linux 7.2 and later are shipped with Heimdal Kerberos included, but Kerberos 4 support is disabled in all releases. Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by this bug.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
In the initial (emailed) version of CERT Advisory CA-2002-29, we mistakenly included a reference to SuSE Security Announcement (SuSE-SA:2002:034). This was an error: SuSE-SA:2002:034 does not address the vulnerability described in CA-2002-29 and VU#875073.
Sun Microsystems Inc. Not Affected
Notified: October 24, 2002 Updated: November 08, 2002
Status
Not Affected
Vendor Statement
The Sun Enterprise Authentication Mechanism (SEAM), Sun's implementation of the Kerberos v5 protocols, is not affected by this issue. SEAM does not include support for the Kerberos v4 protocols and kadmind4 does not exist. Additional information regarding SEAM is available from:
http://wwws.sun.com/software/security/kerberos/
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Xerox Not Affected
Notified: October 24, 2002 Updated: February 25, 2003
Status
Not Affected
Vendor Statement
A response to this advisory is available from our web site:
http://www.xerox.com/security.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
AT&T Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Alcatel Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Avaya Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Cisco Systems Inc. Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Computer Associates Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
D-Link Systems Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Data General Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
F5 Networks Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Fujitsu Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Guardian Digital Inc. Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Intel Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Juniper Networks Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Lucent Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
MontaVista Software Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Multinet Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
NEC Corporation Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Network Appliance Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Nortel Networks Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
SGI Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sequent Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Sony Corporation Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
The SCO Group Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Unisphere Networks Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Unisys Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
Wirex Unknown
Notified: October 24, 2002 Updated: October 30, 2002
Status
Unknown
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
The vendor has not provided us with any further information regarding this vulnerability.
Addendum
The CERT/CC has no additional comments at this time.
References
- http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
- http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt
- http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt
- http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24
- http://www.pdc.kth.se/kth-krb/
- http://www.pdc.kth.se/heimdal/
- http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing
- ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.4e.kadmind-patch
Acknowledgements
The CERT/CC thanks the MIT and KTH Kerberos development teams for information used in this document.
This document was written by Art Manion.
Other Information
CVE IDs: CVE-2002-1235
CERT Advisory: CA-2002-29
Severity Metric: 20.53
Date Public: 2002-09-30
Date First Published: 2002-10-23
Date Last Updated: 2003-02-26 18:07 UTC
Document Revision: 24