Unix/Linux shops -- beware of Kerberos hole

The Kerberos Administration daemon (kadmind), which is used in connection with Kerberos authentication, contains a buffer overflow vulnerability in many implementations, mostly affecting Linux/Unix. Since kadmind is the daemon that handles the password changes and other modification requests to the Kerberos database, it is a vital element of many, but not all, security systems based on Kerberos. A Symantec report says that this threat is due to "insufficient bounds checking" and that an exploitation of this vulnerability could allow the attacker to run arbitrary code on the system. CERT Advisory CA-2002-29, "Buffer Overflow in Kerberos Administration Daemon," indicates that this problem is found in both the MIT and the KTH versions of Kerberos. Specifically, there is a buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. Applicability This vulnerability has been confirmed as existing in MIT Kerberos version 4 and version 5 through krb5-1.2.6, KTH eBones prior to version 1.2.1, and KTH Heimdal prior to version 0.5.1. Although this appears to be just a Kerberos 4 problem, many implementations of Kerberos 5 have been installed in a manner to support the earlier version and are thus also affected because of the Kerberos 4 component. Symantec reports that some versions of Conectiva, Red Hat, Gentoo, Mandrake, SuSE, and Debian Linux shipped with vulnerable versions of Kerberos, as did NetBSD, OpenBSD, and IBM's pSeries Parallel System Support Programs, as well as multiple versions of FreeBSD Unix. Some of these operating systems that did include a vulnerable version of Kerberos may not have had it installed by default and therefore may not be vulnerable. The list of specific versions affected or potentially vulnerable is long and may grow, so you might want to check the Symantec report to get a handle on the scope of the problem. Microsoft uses a proprietary version of Kerberos in Windows, and it is not vulnerable to this exploit, so no action is required for Windows systems. Openwall reports that it does not provide Kerberos support, so Openwall GNU/Linux is not vulnerable. Sun's Enterprise Authentication Mechanism (Kerberos 5) doesn't support Kerberos v4 protocols and is therefore not affected. See SEAM for more information. Wind River BSD is not vulnerable. Apple Computer reports that the vulnerability applies to OS X 10.0, but kadmind was removed from version 10.1 and later versions, so it does not affect them. Risk level -- serious Exploiting this vulnerability would give a remote attacker root privileges and complete control over the Kerberos authentication scheme for the affected systems. The Debian Security Advisories on Kerberos 4 and 5 confirm that exploit code is in circulation for this vulnerability, so it is a serious security hole and not just a theoretical problem.

Mitigating factors If you don't use Kerberos, kadmind probably isn't enabled. If it is, you can remove it to eliminate this threat. Kerberos 5 doesn't appear to be vulnerable by itself, but some implementations also support version 4 protocols, making them vulnerable. Fix Disable support for Kerberos 4 authentication if it is not explicitly in use on your network. For MIT Kerberos 5, disable kadmind4 at compile time. Information about this is posted here. For KTH Heimdal, the instructions for disabling Kerberos 4 are posted here. Symantec and CERT recommend restricting remote connectivity as a workaround. Block TCP/UDP access on port 751 for Kerberos 4 and on port 749 for Kerberos 5 where Kerberos 4 is supported along with version 5. This will not completely block exploitation but will limit damages by preventing password changes and other administrative actions. You can also apply patches where practical. Patches are available for KTH Heimdal software at the Debian GNU/Linux Security site's DSA-183-1 Security Advisory krb 5 and at DSA-184-1 for krb4. You can also go to the Symantec report for direct links to many patches for KTH. Please note that there may be updates to the various security advisories as additional information and more patches are released. For instance, FreeBSD had reportedly already addressed the base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons flaw at the time of this writing, but no vendor advisory was posted yet. It will almost certainly be posted by the time this article is published. Several of the other FTP or advisory links were not immediately active but should be by the time you read this. Check with your vendor or see the CERT Advisory CA-2002-29 for another list of available patches. Final word Kerberos is a protocol designed at MIT and intended to make it easy to authenticate users across a series of networks based on a single sign-in. Penetrating the Kerberos security system at one point can potentially open a lot of resources to the attacker. For some basic details of how Kerberos works, see the MIT Kerberos site. Unlike basic firewall protection, the use of Kerberos authentication can protect networks from unauthorised insiders as well as outsiders, which makes it a valuable security mechanism. Kerberos is a free security tool offered by MIT, but there are also commercial versions. Microsoft introduced Kerberos support in Windows 2000 but did so in a proprietary way, which made it difficult for other vendors' networks to be connected to the Microsoft systems using Kerberos. The upside is that, in this case, this vulnerability doesn't affect Microsoft networks because they use the company's specialised version of Kerberos. However, this vulnerability does affect a lot of systems, and the exploit code is known to be circulating. You need to patch systems where appropriate, disable the daemons if not needed, and consider blocking access to manage this threat until you can remove support for Kerberos 4 or otherwise correct the problem. Remember that firewall port blocking is only a partial protection for vulnerable systems and is not a real fix.

---