> -----Original Message-----
> From: US-CERT Technical Alerts [mailto:technical-alerts@xxxxxxxxxxx]
> Sent: Wednesday, April 04, 2007 3:58 AM
> To: technical-alerts@xxxxxxxxxxx
> Subject: US-CERT Technical Cyber Security Alert TA07-093B --
> MIT Kerberos Vulnerabilities
>
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
>
> National Cyber Alert System
>
> Technical Cyber Security Alert TA07-093B
>
>
> MIT Kerberos Vulnerabilities
>
> Original release date: April 03, 2007
> Last revised: --
> Source: US-CERT
>
>
> Systems Affected
>
> * MIT Kerberos
>
> Other products based on the GSS-API or the RPC libraries provided
> with MIT Kerberos may also be affected.
>
>
> Overview
>
> The MIT Kerberos 5 implementation contains several vulnerabilities.
> One of these vulnerabilities (VU#220816) could allow a remote,
> unauthenticated attacker to log in via telnet (23/tcp) with
> elevated privileges. The other vulnerabilities (VU#704024,
> VU#419344) could allow a remote, authenticated attacker to execute
> arbitrary code on a Key Distribution Center (KDC).
>
>
> I. Description
>
> There are three vulnerabilities that affect MIT Kerberos 5:
>
> * VU#220816 - MIT Kerberos 5 telnet daemon allows login as
> arbitrary user
>
> The telnet daemon included with the MIT Kerberos administration
> daemon contains a vulnerability that may allow a remote,
> unauthorized user to log on to the system with elevated
> privileges.
>
> * VU#704024 - MIT Kerberos 5 administration daemon stack overflow
> in krb5_klog_syslog()
>
> The MIT Kerberos administration daemon contains a vulnerability
> in the way the krb5_klog_syslog() function handles specially
> crafted strings that may allow a remote, authenticated attacker
> to execute arbitrary code. Other server applications that call
> krb5_klog_syslog() may also be affected. This vulnerability can
> be triggered by sending a specially crafted Kerberos message to a
> vulnerable system.
>
> * VU#419344 - MIT Kerberos 5 GSS-API library double-free
> vulnerability
>
> A vulnerability exists in the way that the GSS-API library
> provided with MIT krb5 handles messages with an invalid direction
> encoding, resulting in a double free which may allow a remote,
> authenticated attacker to execute arbitrary code. Other server
> applications that utilize the RPC library or the GSS-API library
> provided with MIT Kerberos may also be affected. This
> vulnerability can be triggered by sending a specially crafted
> Kerberos message to a vulnerable system.
>
>
> II. Impact
>
> In the case of VU#220816 a remote attacker could log on to the
> system via telnet and gain elevated privileges.
>
> In the case of VU#704024 and VU#419344, a remote, authenticated
> attacker may be able to execute arbitrary code on KDCs, systems
> running kadmind, and application servers that use the RPC or
> GSS-API libraries. An attacker could also cause a denial of service
> on any of these systems. As a secondary impact, either one of these
> vulnerabilities could result in the compromise of both the KDC and
> an entire Kerberos realm.
>
>
> III. Solution
>
> Check with your vendors for patches or updates. For information
> about a vendor, please see the systems affected section in the
> individual vulnerability notes or contact your vendor directly.
>
> Alternatively, apply the appropriate source code patches referenced
> in MITKRB5-SA-2007-001, MITKRB5-SA-2007-002, and
> MITKRB5-SA-2007-003 and recompile.
>
> These vulnerabilities will also be addressed in krb5-1.6.1.
>
>
> IV. References
>
> * US-CERT Vulnerability Note VU#220816 -
> <http://www.kb.cert.org/vuls/id/220816>
>
> * US-CERT Vulnerability Note VU#704024 -
> <http://www.kb.cert.org/vuls/id/704024>
>
> * US-CERT Vulnerability Note VU#419344 -
> <http://www.kb.cert.org/vuls/id/419344>
>
> * MIT krb5 Security Advisory 2007-001 -
> <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-001-telnetd.txt>
>
> * MIT krb5 Security Advisory 2007-002 -
> <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt>
>
> * MIT krb5 Security Advisory 2007-003 -
>
> <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-003.txt>
>
>
> ____________________________________________________________________
>
> The most recent version of this document can be found at:
>
> <http://www.us-cert.gov/cas/techalerts/TA07-093B.html>
> ____________________________________________________________________
>
> Feedback can be directed to US-CERT Technical Staff. Please send
> email to <cert@xxxxxxxx> with "TA07-093B Feedback VU#202816" in the
> subject.
> ____________________________________________________________________
>
> For instructions on subscribing to or unsubscribing from this
> mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
> ____________________________________________________________________
>
> Produced 2007 by US-CERT, a government organization.
>
> Terms of use:
>
> <http://www.us-cert.gov/legal.html>
> ____________________________________________________________________
>
>
> Revision History
>
> April 03, 2007: Initial release
>
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.2.1 (GNU/Linux)
>
> -----END PGP SIGNATURE-----
>
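
For VU#704024 in the alert above, an added example (not code from MIT krb5 or from the alert) of the defensive pattern for a logging helper that formats caller-influenced strings into a fixed-size stack buffer. It assumes the overflow is of the unbounded-format kind, which the alert does not detail; `safe_log_format`, `log_result` and `LOG_BUF_SIZE` are hypothetical names.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define LOG_BUF_SIZE 64   /* hypothetical size, small so the sample input exceeds it */

/* Result of formatting one log line into a fixed buffer. */
struct log_result {
    char line[LOG_BUF_SIZE];
    int truncated;      /* 1 if the formatted text did not fit */
    size_t wanted;      /* length the full message would have had */
};

/*
 * Hardened form: vsnprintf() never writes past sizeof(line).
 * The unsafe form this replaces would be vsprintf(r.line, fmt, ap),
 * which writes as many bytes as the arguments produce.
 */
static struct log_result safe_log_format(const char *fmt, ...)
{
    struct log_result r;
    va_list ap;
    int n;

    memset(&r, 0, sizeof(r));
    va_start(ap, fmt);
    n = vsnprintf(r.line, sizeof(r.line), fmt, ap);
    va_end(ap);

    if (n < 0) {                       /* encoding error: log nothing */
        r.line[0] = '\0';
        return r;
    }
    r.wanted = (size_t)n;
    if ((size_t)n >= sizeof(r.line)) { /* output was cut; mark it visibly */
        r.truncated = 1;
        memcpy(r.line + sizeof(r.line) - 4, "...", 4);
    }
    return r;
}

int main(void)
{
    char name[200];                    /* constructed over-long input */
    memset(name, 'A', sizeof(name) - 1);
    name[sizeof(name) - 1] = '\0';
    struct log_result r = safe_log_format("request for principal %s", name);
    printf("%s (truncated=%d, wanted=%zu)\n", r.line, r.truncated, r.wanted);
    return 0;
}
```

The `wanted` field lets a caller record how much input was dropped, which is useful when reviewing logs for oversized requests.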