LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Advisory Watch: August 29th, 2014
Linux Security Week: August 25th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
FreeBSD: heimdal Cross-realm trust vulnerability Print E-mail
User Rating:      How can I rate this item?
Posted by LinuxSecurity.com Team   
FreeBSD It is possible for the Key Distribution Center (KDC) of a realm to forge part or all of the `transited' field to fake zone trustedness.

FreeBSD-SA-04:08.heimdal                                    Security Advisory
                                                          The FreeBSD Project

Topic:          heimdal cross-realm trust vulnerability

Category:       core
Module:         crypto_heimdal
Announced:      2004-05-05
Credits:        Heimdal project
Affects:        FreeBSD 4 with Kerberos 5 installed, and FreeBSD 5
Corrected:      2004-05-05 19:49:41 UTC (RELENG_4, 4.10-PRERELEASE)
                2004-05-05 19:55:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p6)
                2004-05-05 20:48:19 UTC (RELENG_4_10, 4.10-RELEASE-RC)
                2004-05-05 20:01:06 UTC (RELENG_4_9, 4.9-RELEASE-p6)
                2004-05-05 20:06:30 UTC (RELENG_4_8, 4.8-RELEASE-p19)
CVE Name:       CAN-2004-0371
FreeBSD only:   NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
http://www.freebsd.org/security/>.

I.   Background

Heimdal implements the Kerberos 5 network authentication protocols.
Principals (i.e. users and services) represented in Kerberos are
grouped into separate, autonomous realms.  Unidirectional or
bidirectional trust relationships may be established between realms to
allow the principals in one realm to recognize the authenticity of
principals in another.  These trust relationships may be transitive.
An authentication path is the ordered list of realms (and therefore
KDCs) that were involved in the authentication process.  The
authentication path is recorded in Kerberos tickets as the `transited'
field.

It is possible for the Key Distribution Center (KDC) of a realm to
forge part or all of the `transited' field.  KDCs should validate this
field before accepting authentication results, checking that each
realm in the authentication path is trusted and that the path conforms
to local policy.  Applications are required to perform this type of
checking if the KDC has not already done so.

Prior to FreeBSD 5.1, Kerberos 5 was an optional component of FreeBSD,
and was not installed by default.

II.  Problem Description

Some versions of Heimdal do not perform appropriate checking of the
`transited' field.

III. Impact

For sites that have established trust relationships with other realms,
it is possible for the administrator(s) of those other realms to
impersonate any Kerberos principal in any other realm.

IV.  Workaround

Disable all inter-realm trust relationships.  The Heimdal advisory
listed in the References section below provides details for checking
for trust relationships and disabling them.

V.   Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8,
4.9, 5.1, and 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.8, 4.9, 5.1 with Heimdal 0.5.1]
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch.asc

[FreeBSD 5.2 with Heimdal 0.6]
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch
# fetch  ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make
# cd /usr/src/kerberos5
# make obj && make depend && make && make install

Be sure to restart any running services that use Kerberos, such as
kdc(8) or sshd(8).  Perhaps the simplest way to ensure all such
applications are restarted is to reboot the system.

VI.  Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch                                                           Revision
  Path
- -------------------------------------------------------------------------
RELENG_4
  src/crypto/heimdal/kdc/config.c                             1.1.1.2.2.4
  src/crypto/heimdal/kdc/kdc.8                                1.1.1.2.2.5
  src/crypto/heimdal/kdc/kdc_locl.h                           1.1.1.2.2.4
  src/crypto/heimdal/kdc/kerberos5.c                          1.1.1.2.2.5
  src/crypto/heimdal/lib/krb5/krb5-protos.h                   1.1.1.3.2.5
  src/crypto/heimdal/lib/krb5/rd_req.c                        1.1.1.3.2.3
  src/crypto/heimdal/lib/krb5/transited.c                     1.1.1.3.2.3
RELENG_5_2
  src/UPDATING                                                 1.282.2.14
  src/crypto/heimdal/kdc/config.c                             1.1.1.7.2.1
  src/crypto/heimdal/kdc/kdc.8                                1.1.1.7.2.1
  src/crypto/heimdal/kdc/kdc_locl.h                           1.1.1.6.2.1
  src/crypto/heimdal/kdc/kerberos5.c                          1.1.1.8.2.1
  src/crypto/heimdal/lib/krb5/krb5-protos.h                   1.1.1.9.2.1
  src/crypto/heimdal/lib/krb5/rd_req.c                        1.1.1.6.6.1
  src/crypto/heimdal/lib/krb5/transited.c                     1.1.1.6.2.1
  src/sys/conf/newvers.sh                                       1.56.2.13
RELENG_4_10
  src/crypto/heimdal/kdc/config.c                         1.1.1.2.2.3.8.1
  src/crypto/heimdal/kdc/kdc.8                            1.1.1.2.2.4.8.1
  src/crypto/heimdal/kdc/kdc_locl.h                       1.1.1.2.2.3.8.1
  src/crypto/heimdal/kdc/kerberos5.c                      1.1.1.2.2.4.8.1
  src/crypto/heimdal/lib/krb5/krb5-protos.h               1.1.1.3.2.4.8.1
  src/crypto/heimdal/lib/krb5/rd_req.c                   1.1.1.3.2.2.10.1
  src/crypto/heimdal/lib/krb5/transited.c                 1.1.1.3.2.2.8.1
RELENG_4_9
  src/UPDATING                                              1.73.2.89.2.7
  src/crypto/heimdal/kdc/config.c                         1.1.1.2.2.3.6.1
  src/crypto/heimdal/kdc/kdc.8                            1.1.1.2.2.4.6.1
  src/crypto/heimdal/kdc/kdc_locl.h                       1.1.1.2.2.3.6.1
  src/crypto/heimdal/kdc/kerberos5.c                      1.1.1.2.2.4.6.1
  src/crypto/heimdal/lib/krb5/krb5-protos.h               1.1.1.3.2.4.6.1
  src/crypto/heimdal/lib/krb5/rd_req.c                    1.1.1.3.2.2.8.1
  src/crypto/heimdal/lib/krb5/transited.c                 1.1.1.3.2.2.6.1
  src/sys/conf/newvers.sh                                   1.44.2.32.2.7
RELENG_4_8
  src/UPDATING                                             1.73.2.80.2.22
  src/crypto/heimdal/kdc/config.c                         1.1.1.2.2.3.4.1
  src/crypto/heimdal/kdc/kdc.8                            1.1.1.2.2.4.4.1
  src/crypto/heimdal/kdc/kdc_locl.h                       1.1.1.2.2.3.4.1
  src/crypto/heimdal/kdc/kerberos5.c                      1.1.1.2.2.4.4.1
  src/crypto/heimdal/lib/krb5/krb5-protos.h               1.1.1.3.2.4.4.1
  src/crypto/heimdal/lib/krb5/rd_req.c                    1.1.1.3.2.2.6.1
  src/crypto/heimdal/lib/krb5/transited.c                 1.1.1.3.2.2.4.1
  src/sys/conf/newvers.sh                                  1.44.2.29.2.20
- -------------------------------------------------------------------------

VII. References

http://www.pdc.kth.se/heimdal/advisory/2004-04-01/>

 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.