Security vulnerabilities in MIT Kerberos
The Massachusetts Institute of Technology (MIT) has issued a security advisory describing two security vulnerabilities in its implementation of Kerberos 5. Both affect kadmind, the administration daemon of the authentication software: one allows a buffer overflow, the other lets arbitrary memory be overwritten. Attackers could exploit them remotely to inject and execute external code.
The first security vulnerability affects the RPC library used by kadmind. During authentication using RPCSEC_GSS, the svcauth_gss_validate() function copies user-supplied data into a buffer whose size is derived from an unchecked value in the RPC request. At this point authentication has not yet taken place, so remote users who are not logged on can supply a value that makes this buffer too small and thus provoke a buffer overflow.
In addition, the kadm5_modify_policy_internal() function fails to correctly check the value returned by the krb5_db_get_policy() function. If no policy is defined, the returned pointer is a null pointer. The function may subsequently attempt to write data through this null pointer, leading to memory corruption. The MIT developers reckon that this vulnerability would be very difficult to exploit.
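Both bugs are instances of the same defensive rule: validate peer-supplied or lookup-returned values before they drive a memory write. The following C program is an added illustration, not code from MIT Kerberos or from the advisory; the message layout, the buffer size MAX_TOKEN, the type wire_msg_t, the policy table and all function names are hypothetical. It shows an unchecked length-prefixed copy beside its hardened form (the RPC length problem described above), and a lookup result that is checked for NULL before being written through (the policy problem).

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not MIT code): a length-prefixed token as it
 * might arrive in an RPC request. All names here are hypothetical. */
#define MAX_TOKEN 64

typedef struct {
    const uint8_t *buf;   /* raw bytes received from the peer */
    size_t len;           /* number of bytes actually received */
} wire_msg_t;

/* Decode a big-endian 32-bit length prefix at offset 0. Returns 0 on success. */
static int read_len_prefix(const wire_msg_t *m, uint32_t *out)
{
    if (m->len < 4)
        return -1;
    *out = ((uint32_t)m->buf[0] << 24) | ((uint32_t)m->buf[1] << 16) |
           ((uint32_t)m->buf[2] << 8)  |  (uint32_t)m->buf[3];
    return 0;
}

/* Unsafe pattern, shown only for contrast and never called here: the declared
 * length is trusted, so a peer can make memcpy write past 'token'. */
int copy_token_unchecked(const wire_msg_t *m, uint8_t token[MAX_TOKEN])
{
    uint32_t declared;
    if (read_len_prefix(m, &declared) != 0)
        return -1;
    memcpy(token, m->buf + 4, declared);   /* no comparison against MAX_TOKEN */
    return (int)declared;
}

/* Hardened pattern: the peer-supplied length is checked against both the
 * fixed destination and the bytes that actually arrived before any copy. */
int copy_token_checked(const wire_msg_t *m, uint8_t token[MAX_TOKEN])
{
    uint32_t declared;
    if (read_len_prefix(m, &declared) != 0)
        return -1;                 /* too short to carry a length at all */
    if (declared > MAX_TOKEN)
        return -1;                 /* would overflow the destination buffer */
    if (declared > m->len - 4)
        return -1;                 /* claims more bytes than were received */
    memcpy(token, m->buf + 4, declared);
    return (int)declared;
}

/* Second pattern: a lookup that legitimately returns NULL. */
typedef struct {
    const char *name;
    int min_length;
} policy_t;

static policy_t policies[] = { { "default", 8 } };   /* constructed table */

/* Hypothetical lookup: NULL means "no policy with that name". */
static policy_t *lookup_policy(const char *name)
{
    for (size_t i = 0; i < sizeof policies / sizeof policies[0]; i++)
        if (strcmp(policies[i].name, name) == 0)
            return &policies[i];
    return NULL;
}

/* Hardened: report a missing policy instead of writing through NULL. */
int modify_policy_checked(const char *name, int new_min_length)
{
    policy_t *p = lookup_policy(name);
    if (p == NULL)
        return -1;
    p->min_length = new_min_length;
    return 0;
}

/* Constructed sample messages exercising the hardened copy. */
int demo_valid_token(void)
{
    static const uint8_t msg[] = { 0, 0, 0, 3, 'a', 'b', 'c' };
    wire_msg_t m = { msg, sizeof msg };
    uint8_t token[MAX_TOKEN];
    return copy_token_checked(&m, token);               /* 3 */
}

int demo_oversized_token(void)
{
    static const uint8_t msg[] = { 0, 0, 1, 0, 'a' };    /* declares 256 bytes */
    wire_msg_t m = { msg, sizeof msg };
    uint8_t token[MAX_TOKEN];
    return copy_token_checked(&m, token);               /* -1 */
}

int demo_truncated_token(void)
{
    static const uint8_t msg[] = { 0, 0, 0, 8, 'a', 'b' }; /* declares 8, sends 2 */
    wire_msg_t m = { msg, sizeof msg };
    uint8_t token[MAX_TOKEN];
    return copy_token_checked(&m, token);               /* -1 */
}

int main(void)
{
    printf("valid=%d oversized=%d truncated=%d\n", demo_valid_token(),
           demo_oversized_token(), demo_truncated_token());
    printf("existing=%d missing=%d\n", modify_policy_checked("default", 12),
           modify_policy_checked("nosuch", 12));
    return 0;
}
```

The third check in copy_token_checked (declared length versus bytes received) matters as much as the buffer-size check: without it a length that fits the destination but exceeds the message still reads past the end of the receive buffer.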
The security advisory also includes source code patches for the affected versions krb5-1.4 to krb5-1.6.2. The fixes should already be included in the forthcoming versions krb5-1.5.5 and 1.6.3. The bugs may also affect third-party Kerberos 5 implementations, which are frequently based on the MIT code. Users should install the patches as soon as possible and either use newly compiled versions of MIT Kerberos or install updated packages from their distributor, which should be available shortly.
- kadmind RPC lib buffer overflow, uninitialized pointer, security advisory from MIT