SecurityTracker.com
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 


Category:   Application (Security)  >   Kerberos Vendors:   Royal Institute of Technology
(FreeBSD Issues Fix) Heimdal Kerberos Cross-Realm Validation Flaw May Permit User Impersonation
SecurityTracker Alert ID:  1010076
SecurityTracker URL:  http://securitytracker.com/id/1010076
CVE Reference:   CVE-2004-0371   (Links to External Site)
Date:  May 6 2004
Impact:   Host/resource access via network, Modification of user information
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): prior to 0.6.1 and 0.5.3
Description:   A cross-realm vulnerability was reported in Heimdal Kerberos. A remote user can impersonate another user.

The vendor reported that a user with with control of a Kerberos realm can impersonate any target user in the cross-realm trust path. The software does not properly perform consistency checks on cross-realm requests.

The advisory is available at:

http://www.pdc.kth.se/heimdal/advisory/2004-04-01/

Impact:   A user with with control of a Kerberos realm can impersonate any target user in the cross-realm trust path.
Solution:   FreeBSD has released a fix and indicates that you should do one of the following [quoted]:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2, RELENG_4_9, or RELENG_4_8 security branch dated after the correction date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8, 4.9, 5.1, and 5.2 systems.

a) Download the relevant patch from the location below, and verify the detached PGP signature using your PGP utility.

[FreeBSD 4.8, 4.9, 5.1 with Heimdal 0.5.1]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch.asc

[FreeBSD 5.2 with Heimdal 0.6]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make
# cd /usr/src/kerberos5
# make obj && make depend && make && make install

Be sure to restart any running services that use Kerberos, such as kdc(8) or sshd(8). Perhaps the simplest way to ensure all such applications are restarted is to reboot the system.

Vendor URL:  www.pdc.kth.se/heimdal/ (Links to External Site)
Cause:   Authentication error
Underlying OS:  UNIX (FreeBSD)
Underlying OS Comments:  4.8, 4.9, 4.10, 5.1, 5.2

Message History:   This archive entry is a follow-up to the message listed below.
Apr 2 2004 Heimdal Kerberos Cross-Realm Validation Flaw May Permit User Impersonation



 Source Message Contents

Subject:  FreeBSD Security Advisory FreeBSD-SA-04:08.heimdal


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=============================================================================
FreeBSD-SA-04:08.heimdal                                    Security Advisory
                                                          The FreeBSD Project

Topic:          heimdal cross-realm trust vulnerability

Category:       core
Module:         crypto_heimdal
Announced:      2004-05-05
Credits:        Heimdal project
Affects:        FreeBSD 4 with Kerberos 5 installed, and FreeBSD 5
Corrected:      2004-05-05 19:49:41 UTC (RELENG_4, 4.10-PRERELEASE)
                2004-05-05 19:55:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p6)
                2004-05-05 20:48:19 UTC (RELENG_4_10, 4.10-RELEASE-RC)
                2004-05-05 20:01:06 UTC (RELENG_4_9, 4.9-RELEASE-p6)
                2004-05-05 20:06:30 UTC (RELENG_4_8, 4.8-RELEASE-p19)
CVE Name:       CAN-2004-0371
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.

I.   Background

Heimdal implements the Kerberos 5 network authentication protocols.
Principals (i.e. users and services) represented in Kerberos are
grouped into separate, autonomous realms.  Unidirectional or
bidirectional trust relationships may be established between realms to
allow the principals in one realm to recognize the authenticity of
principals in another.  These trust relationships may be transitive.
An authentication path is the ordered list of realms (and therefore
KDCs) that were involved in the authentication process.  The
authentication path is recorded in Kerberos tickets as the `transited'
field.

It is possible for the Key Distribution Center (KDC) of a realm to
forge part or all of the `transited' field.  KDCs should validate this
field before accepting authentication results, checking that each
realm in the authentication path is trusted and that the path conforms
to local policy.  Applications are required to perform this type of
checking if the KDC has not already done so.

Prior to FreeBSD 5.1, Kerberos 5 was an optional component of FreeBSD,
and was not installed by default.

II.  Problem Description

Some versions of Heimdal do not perform appropriate checking of the
`transited' field.

III. Impact

For sites that have established trust relationships with other realms,
it is possible for the administrator(s) of those other realms to
impersonate any Kerberos principal in any other realm.

IV.  Workaround

Disable all inter-realm trust relationships.  The Heimdal advisory
listed in the References section below provides details for checking
for trust relationships and disabling them.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8,
4.9, 5.1, and 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.8, 4.9, 5.1 with Heimdal 0.5.1]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch.asc

[FreeBSD 5.2 with Heimdal 0.6]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make
# cd /usr/src/kerberos5
# make obj && make depend && make && make install

Be sure to restart any running services that use Kerberos, such as
kdc(8) or sshd(8).  Perhaps the simplest way to ensure all such
applications are restarted is to reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/crypto/heimdal/kdc/config.c                             1.1.1.2.2.4
  src/crypto/heimdal/kdc/kdc.8                                1.1.1.2.2.5
  src/crypto/heimdal/kdc/kdc_locl.h                           1.1.1.2.2.4
  src/crypto/heimdal/kdc/kerberos5.c                          1.1.1.2.2.5
  src/crypto/heimdal/lib/krb5/krb5-protos.h                   1.1.1.3.2.5
  src/crypto/heimdal/lib/krb5/rd_req.c                        1.1.1.3.2.3
  src/crypto/heimdal/lib/krb5/transited.c                     1.1.1.3.2.3
RELENG_5_2
  src/UPDATING                                                 1.282.2.14
  src/crypto/heimdal/kdc/config.c                             1.1.1.7.2.1
  src/crypto/heimdal/kdc/kdc.8                                1.1.1.7.2.1
  src/crypto/heimdal/kdc/kdc_locl.h                           1.1.1.6.2.1
  src/crypto/heimdal/kdc/kerberos5.c                          1.1.1.8.2.1
  src/crypto/heimdal/lib/krb5/krb5-protos.h                   1.1.1.9.2.1
  src/crypto/heimdal/lib/krb5/rd_req.c                        1.1.1.6.6.1
  src/crypto/heimdal/lib/krb5/transited.c                     1.1.1.6.2.1
  src/sys/conf/newvers.sh                                       1.56.2.13
RELENG_4_10
  src/crypto/heimdal/kdc/config.c                         1.1.1.2.2.3.8.1
  src/crypto/heimdal/kdc/kdc.8                            1.1.1.2.2.4.8.1
  src/crypto/heimdal/kdc/kdc_locl.h                       1.1.1.2.2.3.8.1
  src/crypto/heimdal/kdc/kerberos5.c                      1.1.1.2.2.4.8.1
  src/crypto/heimdal/lib/krb5/krb5-protos.h               1.1.1.3.2.4.8.1
  src/crypto/heimdal/lib/krb5/rd_req.c                   1.1.1.3.2.2.10.1
  src/crypto/heimdal/lib/krb5/transited.c                 1.1.1.3.2.2.8.1
RELENG_4_9
  src/UPDATING                                              1.73.2.89.2.7
  src/crypto/heimdal/kdc/config.c                         1.1.1.2.2.3.6.1
  src/crypto/heimdal/kdc/kdc.8                            1.1.1.2.2.4.6.1
  src/crypto/heimdal/kdc/kdc_locl.h                       1.1.1.2.2.3.6.1
  src/crypto/heimdal/kdc/kerberos5.c                      1.1.1.2.2.4.6.1
  src/crypto/heimdal/lib/krb5/krb5-protos.h               1.1.1.3.2.4.6.1
  src/crypto/heimdal/lib/krb5/rd_req.c                    1.1.1.3.2.2.8.1
  src/crypto/heimdal/lib/krb5/transited.c                 1.1.1.3.2.2.6.1
  src/sys/conf/newvers.sh                                   1.44.2.32.2.7
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.22
  src/crypto/heimdal/kdc/config.c                         1.1.1.2.2.3.4.1
  src/crypto/heimdal/kdc/kdc.8                            1.1.1.2.2.4.4.1
  src/crypto/heimdal/kdc/kdc_locl.h                       1.1.1.2.2.3.4.1
  src/crypto/heimdal/kdc/kerberos5.c                      1.1.1.2.2.4.4.1
  src/crypto/heimdal/lib/krb5/krb5-protos.h               1.1.1.3.2.4.4.1
  src/crypto/heimdal/lib/krb5/rd_req.c                    1.1.1.3.2.2.6.1
  src/crypto/heimdal/lib/krb5/transited.c                 1.1.1.3.2.2.4.1
  src/sys/conf/newvers.sh                                  1.44.2.29.2.20
- -------------------------------------------------------------------------

VII. References

<URL:http://www.pdc.kth.se/heimdal/advisory/2004-04-01/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAmVTvFdaIBMps37IRAkhZAKCQZmbxNkicz82VEcPeDO/840uNxwCfQ/0U
NYT36OgpzsBI9Jc0cpDXTA4=
=i17O
-----END PGP SIGNATURE-----
_______________________________________________
freebsd-security-notifications@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security-notifications
To unsubscribe, send any mail to "freebsd-security-notifications-unsubscribe@freebsd.org"

 
 


Go to the Top of This SecurityTracker Archive Page





Home   |    View Topics   |    Search   |    Contact Us

This web site uses cookies for web analytics. Learn More

Copyright 2021, SecurityGlobal.net LLC