MIT Kerberos kadmind Change Password Feature Remote Code Execution Vulnerability

http://www.securityfocus.com/bid/47310

Security Info

Bugtraq ID: 47310
Class: Failure to Handle Exceptional Conditions
CVE: CVE-2011-0285
Remote: Yes
Local: No
Published: Apr 11 2011 12:00AM
Updated: Apr 22 2011 11:34AM
Credit: Felipe Ortega
Vulnerable: Ubuntu Ubuntu Linux 9.10 sparc
Ubuntu Ubuntu Linux 9.10 powerpc
Ubuntu Ubuntu Linux 9.10 lpia
Ubuntu Ubuntu Linux 9.10 i386
Ubuntu Ubuntu Linux 9.10 ARM
Ubuntu Ubuntu Linux 9.10 amd64
Ubuntu Ubuntu Linux 9.10
Ubuntu Ubuntu Linux 10.10 powerpc
Ubuntu Ubuntu Linux 10.10 i386
Ubuntu Ubuntu Linux 10.10 ARM
Ubuntu Ubuntu Linux 10.10 amd64
Ubuntu Ubuntu Linux 10.04 sparc
Ubuntu Ubuntu Linux 10.04 powerpc
Ubuntu Ubuntu Linux 10.04 LTS
Ubuntu Ubuntu Linux 10.04 i386
Ubuntu Ubuntu Linux 10.04 ARM
Ubuntu Ubuntu Linux 10.04 amd64
SuSE openSUSE 11.4
SuSE openSUSE 11.3
S.u.S.E. openSUSE 11.2
Red Hat Fedora 15
Red Hat Enterprise Linux Workstation 6
Red Hat Enterprise Linux Server 6
Red Hat Enterprise Linux HPC Node Optional 6
Red Hat Enterprise Linux HPC Node 6
Red Hat Enterprise Linux Desktop Optional 6
Red Hat Enterprise Linux Desktop 6
MIT Kerberos 5 1.8.4
MIT Kerberos 5 1.8.3
MIT Kerberos 5 1.8.2
MIT Kerberos 5 1.8.1
MIT Kerberos 5 1.7.2
MIT Kerberos 5 1.7.1
MIT Kerberos 5 5-1.9
MIT Kerberos 5 5-1.8.3
MIT Kerberos 5 5-1.8.2
MIT Kerberos 5 5-1.8.1
MIT Kerberos 5 5-1.8
MIT Kerberos 5 5-1.7.1
MIT Kerberos 5 5-1.7
MIT Kerberos 5 1.9
MIT Kerberos 5 1.8
MIT Kerberos 5 1.7
MandrakeSoft Linux Mandrake 2010.1 x86_64
MandrakeSoft Linux Mandrake 2010.1
MandrakeSoft Enterprise Server 5 x86_64
MandrakeSoft Enterprise Server 5
Debian Linux 5.0 sparc
Debian Linux 5.0 s/390
Debian Linux 5.0 powerpc
Debian Linux 5.0 mipsel
Debian Linux 5.0 mips
Debian Linux 5.0 m68k
Debian Linux 5.0 ia-64
Debian Linux 5.0 ia-32
Debian Linux 5.0 hppa
Debian Linux 5.0 armel
Debian Linux 5.0 arm
Debian Linux 5.0 amd64
Debian Linux 5.0 alpha
Debian Linux 5.0
Not Vulnerable:

Security Discussion

MIT Kerberos is prone to a remote code-execution vulnerability in 'kadmind'.

An attacker may exploit this issue to execute arbitrary code with superuser privileges. Failed attempts will cause the affected application to crash, denying service to legitimate users. A successful exploit will completely compromise affected computers.

MIT Kerberos 5 1.7 and later are vulnerable.

NOTE (April 13, 2011): This BID was originally titled 'MIT Kerberos kadmind Version String Processing Remote Denial Of Service Vulnerability', but has been renamed to better reflect the nature of the issue.

Proof of Concept and Security Exploits

The following proof-of-concept command is available:

# nmap -n -sV krb01

Security Solution(s)

Solution:
Updates are available. Please see the references for more information.


MandrakeSoft Enterprise Server 5 x86_64

MandrakeSoft Enterprise Server 5

MIT Kerberos 5 1.8

MandrakeSoft Linux Mandrake 2010.1 x86_64

MIT Kerberos 5 1.9

MandrakeSoft Linux Mandrake 2010.1

MIT Kerberos 5 5-1.9

MIT Kerberos 5 1.8.1

MIT Kerberos 5 1.8.2

MIT Kerberos 5 1.8.3

MIT Kerberos 5 1.8.4

Security Reference(s)

References:

Site Updated February 23, 2012
©2000-2012 Emagined Security
All Rights Reserved