Bug 163833 - CAN-2005-1689, -117[45] MIT Kerberos Multiple Vulnerabilities
Summary: CAN-2005-1689, -117[45] MIT Kerberos Multiple Vulnerabilities
Alias: None
Product: Fedora Legacy
Classification: Retired
Component: krb5
Version: rhl7.3
Hardware: i386
OS: Linux
Target Milestone: ---
Assignee: Fedora Legacy Bugs
QA Contact:
Depends On:
Reported: 2005-07-21 14:35 UTC by John Dalbec
Modified: 2008-05-01 15:38 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2007-08-30 19:57:18 UTC

Description John Dalbec 2005-07-21 14:35:55 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20050519 Netscape/8.0.1

Description of problem:
(9) MODERATE: MIT Kerberos Multiple Vulnerabilities
MIT Kerberos releases krb5-1.4.1 and prior
kpropd daemon in releases krb5-1.4.1 and prior
klogind and krshd daemons in releases krb5-1.4.1 and prior
Any programs that invoke the krb5_recvauth function

Description:  Kerberos, a network protocol created at MIT, is used to
provide strong authentication for client/server applications. The MIT
Kerberos implementation is widely used by many network vendors and
Linux/Unix flavors.

(a) The krb5_recvauth function, which processes an authentication
message stream, contains a double-free vulnerability, i.e., under certain
conditions, the function frees the same memory twice. This can be
potentially exploited by an unauthenticated attacker to execute
arbitrary code with the privileges of the program invoking the
krb5_recvauth function. The main program that uses the vulnerable
function is kpropd (Kerberos Propagation Daemon). This program runs on
the slave Kerberos Key Distribution Centers (KDC) and receives updates
from the Master KDC. Compromising kpropd may result in compromising the
entire organization ("Kerberos realm"). Other programs that are known
to use the vulnerable function are: klogind and krshd, the kerberized
versions of rlogin and rsh. Note that the double free memory bugs are
generally harder to leverage to execute arbitrary code, and the exploit
code tends to be platform dependent (as opposed to being universal). Hence,
a widespread exploitation of this flaw is less probable.

(b) The KDC authenticates a client, and provides the client with
"tickets" that can be used to access other kerberized services. The KDC
contains heap corruption and single byte heap overflow vulnerabilities
that may be exploited by an unauthenticated attacker to possibly execute
arbitrary code on the KDC server or to cause a denial of service to the
KDC server. The KDC server compromise can also result in compromising
the entire organization ("Kerberos realm"). An attacker controlled KDC
server can be further used to compromise the Kerberos clients.  Exploit
code is not currently available. The technical details required to
leverage these flaws can be obtained by examining the patch files.

Status: MIT Kerberos krb5-1.4.2 will fix these vulnerabilities. Third
party programs can be re-compiled with the patches provided in the
advisories. A workaround for the krb5_recvauth overflow is to block the
ports used by kpropd, klogind and krshd at the network perimeter which
are 754/tcp, 543/tcp and 544/tcp respectively.

Council Site Actions: Three of the reporting council sites responded to
this item.  Two of these sites have already patched their systems. One
site is still evaluating their risk/exposure level and will patch if
necessary. They said they block kpropd, klogind and krshd at their
security perimeters.

MIT Advisories  
CERT Advisories  
krb5_recvauth Function Reference 
Kerberos RFC  
SecurityFocus BID 

05.28.19 CVE: CAN-2005-1689
Platform: Cross Platform
Title: Kerberos 5 KRB5_Recvauth Remote Pre-Authentication Double-Free
Description: MIT Kerberos is a network authentication protocol. It is
prone to a remote double-free issue that exists in the
"recvauth_common()" helper function. The issue manifests when the
"sendauth" version and "application" version strings that are received
from a remote source are checked. MIT Kerberos versions 5.0-1.4.1 and
earlier are affected.

05.28.20 CVE: CAN-2005-1175
Platform: Cross Platform
Title: MIT Kerberos 5 Key Distribution Center Remote Heap Overflow
Description: MIT Kerberos 5 Key Distribution Center (KDC)
implementation is affected by a remote single-byte heap overflow
vulnerability due to insufficient boundary checks performed by the
software before copying user-supplied data into sensitive process
buffers. An attacker could leverage this issue to cause a denial of
service condition or execute arbitrary code. MIT Kerberos 5 versions
krb5-1.4.1 and earlier are vulnerable.

05.28.21 CVE: CAN-2005-1174
Platform: Cross Platform
Title: MIT Kerberos 5 Key Distribution Center Remote Denial of Service
Description: Kerberos is a network authentication protocol. KDC is
reported to be vulnerable to a denial of service issue. The issue
arises when the application handles a principal name consisting of
zero components. All MIT Kerberos 5 releases up to and including
krb5-1.4.1 are reported to be vulnerable.

Version-Release number of selected component (if applicable):

How reproducible:
Didn't try

Additional info:
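A constructed C model of the double-free shape described in item (a) and in the CAN-2005-1689 entry, added here as an illustration; it is not MIT's krb5_recvauth code. A flagged release routine stands in for free() so the second release of the same block is counted rather than triggering undefined behaviour; krb_buf, release(), copy_str() and the version strings are invented stand-ins.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not MIT krb5 source: a buffer released on a version
 * mismatch and then released again by the shared cleanup label. */
typedef struct { char *data; int freed; } krb_buf;   /* stand-in for krb5_data */

static int double_frees;            /* second releases of an already-freed block */

static char *copy_str(const char *s) { char *p = malloc(strlen(s) + 1); return p ? strcpy(p, s) : NULL; }

static void release(krb_buf *b)
{
    if (b->freed) {                 /* same block again: the double free */
        double_frees++;             /* a real free() here is undefined behaviour */
        return;
    }
    b->freed = 1;
    free(b->data);
}

/* Vulnerable shape: inline release on mismatch, then cleanup releases too. */
int recvauth_vulnerable(const char *wire_version, const char *expected)
{
    krb_buf inbuf = { copy_str(wire_version), 0 };
    int ret = 0;
    double_frees = 0;
    if (strcmp(inbuf.data, expected) != 0) {
        ret = -1;
        release(&inbuf);            /* first release */
        goto cleanup;               /* cleanup releases the same block again */
    }
cleanup:
    release(&inbuf);
    return ret;
}

/* Hardened shape: the cleanup path is the single owner of the buffer. */
int recvauth_fixed(const char *wire_version, const char *expected)
{
    krb_buf inbuf = { copy_str(wire_version), 0 };
    int ret = 0;
    double_frees = 0;
    if (strcmp(inbuf.data, expected) != 0)
        ret = -1;                   /* fall through: freed exactly once below */
    release(&inbuf);
    return ret;
}

int double_frees_observed(void) { return double_frees; }
```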

Comment 1 Jesse Keating 2007-08-30 19:57:18 UTC
Fedora Legacy project has ended.  These will not be fixed by Fedora Legacy.
