Code can be smuggled into MIT's Kerberos
MIT has found a number of critical holes in its implementation of the Kerberos v5 network authentication solution that allow attackers to gain control of the Kerberos server and access the key database. From there, access to other systems may also be possible. In addition, it is possible to disrupt authentication for all systems that rely on Kerberos, with the result that no one would be able to log in.
The flaws were discovered in the administration daemon kadmind and stem from bugs in its communication via the RPC library and the GSS-API (Generic Security Services). Attackers can apparently use kadmind to write malicious code into memory and execute it. The security advisory says that no prior authentication is necessary for this attack.
kadmind in krb5-1.4 through krb5-1.4.4 and krb5-1.5 through krb5-1.5.1 is affected, as are all products of other vendors that use the RPC library and the GSS-API from these versions. Versions before krb5-1.4 are not vulnerable. Patches for the RPC library and for the GSS-API are available as source code; in addition, version 1.5.2, which contains a fix for the hole, will be released soon.
Sun is one of the vendors that ships a vulnerable GSS-API, on Solaris 8, 9, and 10. In a preliminary security advisory, the vendor points out that none of the Solaris components use the GSS-API, not even kadmind. However, Sun writes that it cannot ensure that other products do not link against the library. Sun did not say when it would be releasing a patch.
- kadmind (via RPC library) calls uninitialized function pointer: MIT's security advisory
- kadmind (via GSS-API mechglue) frees uninitialized pointers: MIT's security advisory
- Third-party Applications Using GSS-API May Be Vulnerable to Compromise: Sun's security advisory