SecurityTracker.com


 


Category:   Application (Security)  >   Kerberos
Vendors:   MIT
(OpenBSD Issues Fix) Kerberos 4 Security Protocol Weaknesses May Let Certain Remote Users Create Tickets
SecurityTracker Alert ID:  1006372
SecurityTracker URL:  http://securitytracker.com/id/1006372
CVE Reference:   CVE-2003-0138
Updated:  Jan 20 2004
Original Entry Date:  Mar 24 2003
Impact:   Modification of authentication information, Modification of system information, Root access via network, User access via network
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): krb5, prior to release 1.3
Description:   A vulnerability was reported in the Kerberos 4 security protocol. A remote user with access to a shared key for cross-realm authentication, with the ability to create arbitrary principals in a realm, or with the ability to monitor the network could create a ticket for a user in that realm to impersonate the user.

MIT reported that there is a cryptographic weakness in version 4 of the Kerberos protocol (affecting krb5 implementations) that allows a remote user to conduct a "chosen-plaintext attack" to impersonate an arbitrary principal in a realm. MIT also reported that other cryptographic weaknesses in the MIT krb5 distribution's krb4 protocol implementation allow a remote user to use a "cut-and-paste attack" to create apparently valid krb4 tickets for unauthorized client principals when triple-DES keys are used for krb4 services.

The report indicates that the Kerberos version 5 protocol does not contain these flaws. Users who have completely disabled Kerberos v4 are not vulnerable.

Impact:   A remote user that controls a krb4 shared cross-realm key can impersonate an arbitrary principal in the realm. MIT reports that this may lead to a root-level compromise of a KDC and any related hosts.

A remote user could then attack cross-realm principals to compromise additional realms.

A remote user without access to a shared cross-realm key may be able to create arbitrary principal names and use those to launch an attack.

A remote user with the ability to sniff network traffic can impersonate any principal to a service keyed with triple-DES krb4 keys.

Solution:   OpenBSD has released a patch that will cause Kerberos v4 requests from foreign realms to be ignored unless support for this is explicitly enabled.

Patch for OpenBSD 3.1:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/026_kerberos.patch

Patch for OpenBSD 3.2:

ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/013_kerberos.patch

These patches have already been applied to the 3.1 and 3.2 -stable branches, according to the vendor.

Vendor URL:  web.mit.edu/kerberos/www/advisories/index.html
Cause:   Access control error, Authentication error, Randomization error, State error
Underlying OS:  UNIX (OpenBSD)
Underlying OS Comments:  3.0, 3.1

Message History:   This archive entry is a follow-up to the message listed below.
Mar 17 2003 Kerberos 4 Security Protocol Weaknesses May Let Certain Remote Users Create Tickets



 Source Message Contents

Subject:  patches available for the Kerberos v4 protocol bug


There is a cryptographic weakness in the Kerberos v4 protocol
(this is not something that is fixable in Kerberos v4). Sites still
using Kerberos v4 should migrate to Kerberos v5.

Kerberos v5 does not have this weakness, but since it contains v4
to v5 translation services it is still possible to exploit the v4
protocol defect.

For more information, please see:
    http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt

The following patches cause Kerberos v4 requests from foreign realms
to be ignored unless support for this is explicitly enabled.

Patch for OpenBSD 3.1:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/026_kerberos.patch

Patch for OpenBSD 3.2:
    ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/013_kerberos.patch

The aforementioned patches have already been applied to the 3.1 and
3.2 -stable branches.



 
 

