NetBSD: kerberos cryptographic weakness
Posted by LinuxSecurity.com Team   
A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm.

		 NetBSD Security Advisory 2003-006
		 =================================

Topic:		Cryptographic weaknesses in Kerberos v4 protocol


Version:	NetBSD-current:	source prior to March 20, 2003
		NetBSD 1.6:	affected
		NetBSD-1.5.3:	affected
		NetBSD-1.5.2:	affected
		NetBSD-1.5.1:	affected
		NetBSD-1.5:	affected
		pkgsrc:		prior to kth-krb4-1.2.1 or heimdal-0.5.1

Severity:	Every user on a Kerberos 4 network can be compromised

Fixed:		NetBSD-current:		March 20, 2003
		NetBSD-1.6 branch:	March 22, 2003 (1.6.1 will include the fix)
		NetBSD-1.5 branch:	April 1, 2003 
		pkgsrc:			kth-krb4-1.2.2, heimdal-0.5.2


Abstract
========

A cryptographic weakness in version 4 of the Kerberos protocol allows
an attacker to use a chosen-plaintext attack to impersonate any
principal in a realm.  This attack subverts a site's entire Kerberos
authentication infrastructure.

Kerberos version 5 does not contain this cryptographic vulnerability.

Sites are not vulnerable if they have Kerberos v4 completely disabled,
including the disabling of any krb5 to krb4 translation services.


Technical Details
=================

An attacker controlling a krb4 shared cross-realm key can
impersonate any principal in the remote realm to any service in the
remote realm.  This can lead to a root-level compromise of a KDC,
along with compromise of any hosts that rely on authentication
provided by that KDC.

This attack may be performed against cross-realm principals, thus
allowing an attacker to hop realms and compromise any realm that
transitively shares a cross-realm key with the attacker's local
realm.

Related, but more difficult attacks may be possible without
requiring the control of a shared cross-realm key.  At the very
least, an attacker capable of creating arbitrary principal names in
the target realm may be able to perform the attack.

A leak has occurred of an unpublished paper containing enough
details about the vulnerability that an attacker familiar with the
krb4 protocol can easily construct an exploit.  No exploit is known
to be circulating at this time, though.

These are PROTOCOL vulnerabilities; fixes inherently involve
restricting the functionality of the protocol.

The fixes are required for the KDC machine - patches are not needed
on the clients, if v4 is disabled on the server.


Solutions and Workarounds
=========================

If you can't upgrade to a newer version, make sure you disable all
cross-realm functionality, remove or randomize the cross-realm key.

You can use ``kinit --version'' to determine if you have a vulnerable system.

current:

	kinit (Heimdal 0.5nb2, KTH-KRB 1.2)
	Copyright (c) 1999-2002 Kungliga Tekniska Högskolan
	Send bug-reports to heimdal-bugs@pdc.kth.se

	is secure/safe.
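
Added example (not part of the NetBSD advisory): a POSIX shell function that
classifies the first line of ``kinit --version'' output using only the version
data given above. The function name and its three result strings are
assumptions of this example; anything the advisory does not cover, including
Heimdal 0.5.1, where the Version and Fixed fields disagree, is reported as
unknown and should be settled by checking the source date.

```shell
#!/bin/sh
# Added example, not from the NetBSD advisory. classify_kinit_version and its
# result strings (fixed / affected / unknown) are names chosen for this example.
# Thresholds come from the advisory's pkgsrc lines: affected prior to
# heimdal-0.5.1, fixed in heimdal-0.5.2; "0.5nb2" is the in-tree string it
# lists as safe.

classify_kinit_version() {
    # Extract the Heimdal version token, e.g. "0.5nb2" from
    # "kinit (Heimdal 0.5nb2, KTH-KRB 1.2)".
    ver=$(printf '%s\n' "$1" |
        sed -n 's/.*(Heimdal \([0-9][0-9A-Za-z.]*\).*/\1/p')
    [ -n "$ver" ] || { echo unknown; return 0; }

    case $ver in
        0.5nb2)    echo fixed;   return 0 ;;
        *[!0-9.]*) echo unknown; return 0 ;;  # other suffixed builds: no data
    esac

    # Plain dotted version: fold major.minor.patch into one integer.
    old_ifs=$IFS; IFS=.
    set -- $ver
    IFS=$old_ifs
    n=$(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))

    if   [ "$n" -ge 502 ]; then echo fixed
    elif [ "$n" -lt 501 ]; then echo affected
    else echo unknown            # exactly 0.5.1: advisory is ambiguous
    fi
}

# Constructed sample lines; only the first string appears in the advisory.
for line in \
    'kinit (Heimdal 0.5nb2, KTH-KRB 1.2)' \
    'kinit (Heimdal 0.5.2)' \
    'kinit (Heimdal 0.5.1)' \
    'kinit (Heimdal 0.5)' \
    'kinit (Heimdal 0.5nb1, KTH-KRB 1.2)'
do
    printf '%-40s %s\n' "$line" "$(classify_kinit_version "$line")"
done

# On a live host: classify_kinit_version "$(kinit --version 2>&1 | head -n 1)"
```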


The following instructions describe how to upgrade your affected
binaries by updating your source tree and rebuilding and
installing a new version of Heimdal.

* NetBSD-current:

	Systems running NetBSD-current dated from before 2003-03-20
	should be upgraded to NetBSD-current dated 2003-03-21 or later.

	The following directories need to be updated from the
	netbsd-current CVS branch (aka HEAD):
		crypto/dist/heimdal/kdc
		include/heimdal

	To update from CVS, re-build, and re-install your KDC binaries.
		# cd src
		# cvs update -d -P crypto/dist/heimdal/kdc include/heimdal
		# cd crypto/dist/heimdal/kdc

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.6:

	The binary distribution of NetBSD 1.6 is vulnerable.   

	Systems running NetBSD 1.6 sources dated from before
	2003-03-22 should be upgraded from NetBSD 1.6 sources dated
	2003-03-23 or later.

	NetBSD 1.6.1 will include the fix.

	The following directories need to be updated from the
	netbsd-1-6 CVS branch:
		crypto/dist/heimdal/kdc
		include/heimdal

	To update from CVS, re-build, and re-install your KDC binaries.

		# cd src
		# cvs update -d -P -r netbsd-1-6 crypto/dist/heimdal/kdc \
			include/heimdal
		# cd crypto/dist/heimdal/kdc

		# make USETOOLS=no cleandir dependall
		# make USETOOLS=no install


* NetBSD 1.5, 1.5.1, 1.5.2, 1.5.3:

	The binary distribution of NetBSD 1.5.3 is vulnerable.   

	Systems running NetBSD 1.5, 1.5.1, 1.5.2, or 1.5.3 sources dated
	from before 2003-03-31 should be upgraded from NetBSD 1.5.*
	sources dated 2003-04-01 or later.

	The following directories need to be updated from the
	netbsd-1-5 CVS branch:
		crypto/dist/heimdal/kdc
		include/heimdal

	To update from CVS, re-build, and re-install your KDC binaries.

		# cd src
		# cvs update -d -P -r netbsd-1-5 crypto/dist/heimdal/kdc \
			include/heimdal
		# cd crypto/dist/heimdal/kdc

		# make cleandir dependall
		# make install



Thanks To
=========

Sam Hartman and Tom Yu for notifying us in the first place and
providing text for the advisory.

Steve Bellovin provided some hints that led MIT people to discover
this vulnerability.

Love Hornquist-Astrand for coordination of information exchange.


Revision History
================

	2003-04-04	Initial release


More Information
================

Advisories may be updated as new information becomes available.
The most recent version of this advisory (PGP signed) can be found at 
   ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2003-006.txt.asc

Information about NetBSD and NetBSD security can be found at 
http://www.NetBSD.ORG/ and  http://www.NetBSD.ORG/Security/.


Copyright 2003, The NetBSD Foundation, Inc.  All Rights Reserved.
Redistribution permitted only in full, unmodified form.

$NetBSD: NetBSD-SA2003-006.txt,v 1.6 2003/04/04 06:12:17 wiz Exp $



 