Kerberos Detected

Updated 5/29/01
CVE 2000-0389
CVE 2000-0390
CVE 2000-0391
CVE 2001-0036

Impact

If any services which use a vulnerable version of Kerberos are enabled, remote root access may be possible due to a buffer overflow condition. If the Key Distribution Center is affected, the entire Kerberos domain could be compromised.

Background

Kerberos is used to provide strong authentication and encryption between a client and a server. A Key Distribution Center (KDC), consisting of an authentication server and a ticket granting server, is involved in the authentication process. Cryptography is used to verify the identity of the user and the server, and to encrypt the session between them.

The Problem


Buffer overflow in Kerberos ftpd

5/29/01
The FTP daemon included in MIT Kerberos version 5 contains a buffer overflow which could allow a remote attacker to execute arbitrary commands with root privileges. In order to exploit this vulnerability, the attacker would either need access to an account on the system, or anonymous FTP would have to be enabled.

krb5-1.2.2 and earlier are affected by this vulnerability.


Vulnerabilities in MIT/Cygnus versions

Four buffer overflow conditions have been discovered in Kerberos. The most serious one could allow remote root access if any of the following services are running.

Another buffer overflow condition could allow a local attacker to gain root access by exploiting v4rcp or ksu.

The following implementations of Kerberos are affected by these vulnerabilities:


Vulnerabilities in KTH version

Three vulnerabilities have been discovered in the KTH version of Kerberos, which is included in the OpenBSD and FreeBSD operating systems. Two of these vulnerabilities can be used in conjunction with each other to gain root access on an affected system. The first vulnerability allows a remote telnet user to pass environment variables through the telnet session without requiring a local user account. By resetting the krb4_proxy variable, an attacker could cause the Kerberos authentication requests to go to a fake server, thus fooling the system into accepting a false reply. The second vulnerability, a buffer overflow condition in the code which processes authentication replies, could be used with the first vulnerability to gain root access.

The third vulnerability could allow arbitrary files to be overwritten on the system. Ticket files are created in the /tmp directory with predictable file names. A user with an account on the system could guess the file name of a future ticket file and create a symbolic link with that name pointing to an arbitrary file on the system. When the ticket file is created, the file the link points to is overwritten.
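The following C program is an added illustration of the predictable-ticket-file problem and its standard fix; it is not KTH's code. It assumes a hypothetical ticket name pattern "tkt<uid>" and works entirely inside a private temporary directory it constructs itself, showing that opening with O_TRUNC follows a planted symlink while O_CREAT|O_EXCL|O_NOFOLLOW refuses it.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Weak pattern: creating a predictable-name file with O_TRUNC and no
   O_EXCL follows a symlink an attacker planted at that name, so the
   link target is overwritten instead. Returns an fd or -1. */
int create_ticket_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened pattern: O_EXCL fails if anything already exists at the
   path (a symlink counts), O_NOFOLLOW refuses to traverse a link that
   appears in the race window, and fstat confirms what we got. */
int create_ticket_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != getuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed demo in a private temp directory (hypothetical name
   "tkt<uid>", not a real ticket): plant a symlink to a victim file and
   check the safe open refuses while the weak open truncates. Returns 1. */
int demo_symlink_planting(void) {
    char dir[] = "/tmp/tktdemo-XXXXXX", victim[256], tkt[256];
    struct stat st;
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tkt, sizeof tkt, "%s/tkt%u", dir, (unsigned)getuid());
    FILE *f = fopen(victim, "w"); if (!f) return 0;
    fputs("data\n", f); fclose(f);            /* 5 bytes to be destroyed */
    if (symlink(victim, tkt) != 0) return 0;  /* attacker's planted link */
    int refused = create_ticket_safe(tkt) < 0 && errno == EEXIST &&
                  stat(victim, &st) == 0 && st.st_size == 5;
    int fd = create_ticket_unsafe(tkt);
    int clobbered = fd >= 0 && stat(victim, &st) == 0 && st.st_size == 0;
    if (fd >= 0) close(fd);
    unlink(tkt); unlink(victim); rmdir(dir);
    return refused && clobbered;
}
```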

Resolution

To fix the vulnerability in krb5 ftpd, upgrade to Kerberos version krb5-1.2.3 when it becomes available. If unavailable, upgrade to krb5-1.2.2, apply ftpbuf_122_patch, and recompile. Alternatively, this problem can be fixed by disabling the FTP service.

To fix the other problems in the MIT version, upgrade to Kerberos version krb5-1.2, or install the appropriate patches to fix the problem.

Alternatively, the problems in some of the services can be fixed with the following workarounds:

To fix the vulnerability in the KTH version, FreeBSD users should apply the patch referenced in FreeBSD Security Advisory 01:25. OpenBSD users and all other users should refer to the fixes posted to Bugtraq.

Where can I read more about this?

For more information on the ftpd vulnerability, see the Kerberos advisory.

More information on the other problems in MIT Kerberos is available from CERT Advisory 2000-06 or the Kerberos advisory.

More information on the vulnerabilities in the KTH version is available from FreeBSD Security Advisory 01:25 or Bugtraq.