SecurityTracker.com
Category:   Application (Security)  >   Kerberos
Vendors:   MIT
(Oracle Issues Fix for Solaris) MIT Kerberos Checksum Handling Errors May Let Remote or Remote Authenticated Users Forge/Modify Certain Data
SecurityTracker Alert ID:  1029132
SecurityTracker URL:  http://securitytracker.com/id/1029132
CVE Reference:   CVE-2010-1324, CVE-2010-1323, CVE-2010-4020, CVE-2010-4021
Date:  Oct 4 2013
Impact:   Modification of authentication information, Modification of system information
Fix Available:  Yes
Vendor Confirmed:  Yes
Version(s): 5-1.7, 5-1.8
Description:   Several vulnerabilities were reported in Kerberos. A remote or remote authenticated user can forge certain signatures and modify checksums.

The software incorrectly accepts an unkeyed checksum with DES session keys for version 2 (RFC 4121) of the GSS-API krb5 mechanism, an unkeyed checksum for PAC signatures, and RFC 3961 key-derivation checksums using RC4 keys when verifying the req-checksum in a KrbFastArmoredReq [CVE-2010-1324].

A remote user can forge GSS tokens if the targeted pre-existing application session uses a DES session key. A remote authenticated user can forge PACs to obtain elevated privileges when using a KDC that does not filter client-provided PAC data. A remote user can swap a client-issued KrbFastReq into a different KDC-REQ if the armor key is RC4 (1/256 chance).

The software incorrectly accepts unkeyed checksums in the SAM-2 preauthentication challenge and incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying KRB-SAFE messages [CVE-2010-1323].

A remote user can modify a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. A remote user can forge KRB-SAFE messages in an application protocol if the targeted pre-existing session uses an RC4 session key.

The software incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH and AD-KDC-ISSUED authorization data [CVE-2010-4020].

A remote authenticated user that controls a legitimate service principal can forge the AD-SIGNEDPATH signature if the TGT key is RC4 (1/256 chance). The remote user can use self-generated "evidence" tickets for S4U2Proxy instead of tickets obtained from the user or with S4U2Self. A remote authenticated user can forge AD-KDC-ISSUED signatures on authdata elements in tickets having an RC4 service key to gain elevated privileges.

The software (version krb5-1.7 only) may issue tickets not requested by a client, based on an attacker-chosen KrbFastArmoredReq [CVE-2010-4021].

A remote authenticated user that controls a legitimate service principal can obtain a valid service ticket to itself containing valid KDC-generated authorization data for a client whose TGS-REQ it has intercepted. The user can then use this ticket for S4U2Proxy to impersonate the targeted client even if the client never authenticated to the subverted service.
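
An added example, not part of the advisory or of MIT's code: a simplified Python model of the checksum-type check behind the unkeyed-checksum flaws above, with a verifier that trusts the sender-declared checksum type beside one that only allows keyed types. The checksum type numbers are those assigned in RFC 3961 and RFC 3962; the function names, key and messages are constructed, and the HMAC is a stand-in without Kerberos key derivation or key usage numbers.

```python
import hashlib
import hmac

# Checksum type numbers as assigned in RFC 3961 (rsa-md5) and RFC 3962 (AES).
CKSUM_RSA_MD5 = 7                    # unkeyed digest
CKSUM_HMAC_SHA1_96_AES256 = 16       # keyed
KEYED_TYPES = {CKSUM_HMAC_SHA1_96_AES256}   # verifier policy (assumption)

def compute(cksumtype, key, data):
    """Simplified stand-ins for the real checksum functions."""
    if cksumtype == CKSUM_RSA_MD5:
        return hashlib.md5(data).digest()            # the key plays no part
    if cksumtype == CKSUM_HMAC_SHA1_96_AES256:
        return hmac.new(key, data, hashlib.sha1).digest()[:12]
    raise ValueError("unsupported checksum type %d" % cksumtype)

def verify_lenient(key, data, cksumtype, cksum):
    """Flawed pattern: accepts whatever checksum type the message declares."""
    return hmac.compare_digest(compute(cksumtype, key, data), cksum)

def verify_strict(key, data, cksumtype, cksum):
    """Hardened pattern: refuse non-keyed types before comparing anything."""
    if cksumtype not in KEYED_TYPES:
        return False
    return hmac.compare_digest(compute(cksumtype, key, data), cksum)

def demo():
    # Constructed sample data, not real Kerberos messages.
    key = b"constructed-session-key"
    original = b"SAM-2 challenge: enter token code"
    altered = b"SAM-2 challenge: enter something else"
    keyed = compute(CKSUM_HMAC_SHA1_96_AES256, key, original)
    # An unkeyed checksum over altered data can be computed without the key.
    unkeyed = compute(CKSUM_RSA_MD5, b"", altered)
    return {
        "lenient_accepts_unkeyed": verify_lenient(key, altered, CKSUM_RSA_MD5, unkeyed),
        "strict_accepts_unkeyed": verify_strict(key, altered, CKSUM_RSA_MD5, unkeyed),
        "strict_accepts_keyed": verify_strict(key, original, CKSUM_HMAC_SHA1_96_AES256, keyed),
        "strict_accepts_altered": verify_strict(key, altered, CKSUM_HMAC_SHA1_96_AES256, keyed),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The same type check belongs in any code path that verifies a checksum whose type field arrives with the message.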

Impact:   A remote or remote authenticated user can forge certain signatures and modify checksums.
Solution:   Oracle has issued a fix for Solaris.

The Oracle advisory is available at:

https://blogs.oracle.com/sunsecurity/entry/multiple_vulnerabilities_in_kerberos

Vendor URL:  web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
Cause:   Access control error, Authentication error
Underlying OS:  UNIX (Solaris - SunOS)
Underlying OS Comments:  11.1

Message History:   This archive entry is a follow-up to the message listed below.
Nov 30 2010 MIT Kerberos Checksum Handling Errors May Let Remote or Remote Authenticated Users Forge/Modify Certain Data




Copyright 2019, SecurityGlobal.net LLC