COMMAND

    kerberos

SYSTEMS AFFECTED

    KRB4 KDC

PROBLEM

    Tom Yu found the following.  A buffer overrun capable of causing a
    denial of service exists in implementations of Kerberos 4 KDC
    programs.  This is IN ADDITION to the krb_rd_req() vulnerability
    that was previously announced.  Many Kerberos 4 KDC implementations
    derived from MIT sources are believed to be vulnerable.

    Another denial of service  vulnerability exists in the  krb5-1.1.x
    KDC implementations (and krb5-1.2-beta1, but not krb5-1.0.x)  that
    can  cause  the  Kerberos  4  compatibility  code  to  perform   a
    double-free, possibly resulting in a crash of the KDC process.

    A remote user may be able to cause the KDC to issue bogus tickets,
    or to  return an  error of  the form  "principal unknown"  for all
    principals, necessitating a  restart of the  KDC to resume  proper
    operation.  A remote user may  also be able to cause a  krb5-1.1.x
    KDC  to  experience  a  segmentation  violation  or  malloc   pool
    corruption, causing the KDC process to crash.

    A static buffer can be overrun  by corrupt requests sent to a  KDC
    process.  It is believed that this overrun does not lead to a root
    compromise, but it can lead  to a denial of service  by corrupting
    long-term state in the KDC  process.  The krb5-1.1.x KDC  contains
    in its  Kerberos 4  compatibility mode  some code  which tickles a
    memory  management  bug  in  the  library.   This  can result in a
    double-free of memory and corruption of the malloc pool,  possibly
    leading to  a crash  of the  KDC.   Whether or  not a crash occurs
    depends on the idiosyncrasies of the malloc implementation used.
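    To make that failure mode concrete, the following is an added C model
    written for this page (not MIT or KTH code, and not the real Kerberos 4
    request format): a fixed scratch buffer sits directly in front of
    long-lived state, so an unchecked copy of an over-long request wipes
    that state and every later lookup answers "principal unknown" until the
    KDC is restarted, whereas the bounded version rejects the request and
    the state survives.

```c
#include <stddef.h>
#include <string.h>

/* Added model, not MIT or KTH code.  One byte array stands in for the KDC's
 * static data: bytes [0, NAME_MAX) are a fixed request scratch buffer, and
 * the byte at DB_OPEN_OFF is long-lived state that is set only at startup.
 * Lookups return 0 (ticket issued) or -1 ("principal unknown"), which is the
 * model's answer for every principal once that state byte has been wiped. */
#define NAME_MAX    16
#define DB_OPEN_OFF NAME_MAX
static unsigned char kdc_static[NAME_MAX + 8];

void kdc_start(void)            /* start or restart: database marked open */
{
    memset(kdc_static, 0, sizeof kdc_static);
    kdc_static[DB_OPEN_OFF] = 1;
}

/* Vulnerable form: the name is copied at its claimed length with no bounds
 * check, so an over-long request spills into the state byte.  (The clamp
 * only keeps the model array itself in bounds.) */
int lookup_unchecked(const unsigned char *name, size_t len)
{
    if (len > sizeof kdc_static) len = sizeof kdc_static;
    memcpy(kdc_static, name, len);
    return kdc_static[DB_OPEN_OFF] ? 0 : -1;
}

/* Fixed form: reject (-2) any name that cannot fit, before copying. */
int lookup_checked(const unsigned char *name, size_t len)
{
    if (len > NAME_MAX) return -2;
    memcpy(kdc_static, name, len);
    return kdc_static[DB_OPEN_OFF] ? 0 : -1;
}

/* Scenario: send one constructed request one byte longer than the buffer
 * (its last byte is 0), then look up "alice"; return that second result. */
int after_overlong(int (*lookup)(const unsigned char *, size_t))
{
    unsigned char req[NAME_MAX + 1];
    memset(req, 'A', NAME_MAX);
    req[NAME_MAX] = 0;
    kdc_start();
    lookup(req, sizeof req);
    return lookup((const unsigned char *)"alice", 5);
}
```

    Note that the unchecked handler does not crash: the process keeps
    running and simply answers every principal with -1, which is why the
    advisory calls this a corruption of long-term state rather than a
    root compromise.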

    Source distributions which may contain vulnerable code include:

        - MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1, krb5-1.1.1
        - MIT Kerberos 4 patch 10, and probably earlier releases as well
        - KerbNet (Cygnus implementation of Kerberos 5)
        - Cygnus Network Security (CNS -- Cygnus implementation of Kerberos 4)
        - KTH-krb4 before version 0.10

    Source  distributions  that  are  believed  not  to  be vulnerable
    include:

        - KTH-krb4 -- version 0.10 and above
        - Heimdal (KTH implementation of Kerberos 5) -- any version

SOLUTION

    The best course of action is to  patch your KDC.  If you have  not
    done so already, install the patches to deal with the krb_rd_req()
    vulnerability  that  was  previously  announced.   Patches and the
    original announcement may be found at:

        http://web.mit.edu/kerberos/www/advisories/index.html

    MIT  will  release  krb5-1.2,   which  will  have  these   changes
    incorporated.  The krb5-1.2-beta1 release does not have this  fix,
    though the upcoming krb5-1.2-beta2 release, tentatively  scheduled
    for the week of June 5, will.  The two recent beta patch releases,
    krb5-1.0.7-beta2 and krb5-1.1.2-beta1, which were intended to  fix
    the krb4 buffer overrun problems,  have not been patched for  this
    problem yet.

    For FreeBSD, upgrade your vulnerable FreeBSD 3.x system to a version
    of FreeBSD dated after the correction date (FreeBSD 3.5-STABLE dated
    after the correction date, 4.0-RELEASE or 4.0-STABLE).  The
    correction date is 2000-07-12.  Be sure to install the Kerberos code
    when performing an upgrade (whether by source or by a binary upgrade)
    to ensure that the old binaries are no longer present on the system.