Issue of December 2002

Security Watch

Read about the latest developments in security every month in Security Watch

BUFFER OVERFLOW IN KERBEROS ADMINISTRATION DAEMON
Kerberos is a widely used network protocol that uses strong cryptography to authenticate clients and servers. The Kerberos administration daemon (typically called kadmind) handles password change and other requests to modify the Kerberos database. The daemon runs on the master Key Distribution Center (KDC) server of a Kerberos realm.
The code that provides legacy support for the Kerberos 4 administration protocol contains a remotely exploitable buffer overflow. The vulnerable code does not adequately validate data read from a network request. This data is subsequently used as an argument to a memcpy() call, which can overflow a buffer allocated on the stack. An attacker does not have to authenticate in order to exploit this vulnerability, and the Kerberos administration daemon runs with root privileges.

An unauthenticated, remote attacker could execute arbitrary code with root privileges. If an attacker is able to gain control of a master KDC, the integrity of the entire Kerberos realm is compromised, including user and host identities and other systems that accept Kerberos authentication.
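The pattern described above, an untrusted length from a network request driving a memcpy() into a fixed-size stack buffer, is shown below in an illustrative C example written for this column. It is not MIT or KTH kadmind source; the request layout (one length byte followed by the payload), the sample requests and all function names are assumptions made for the example. The same class of missing length check is what the CatOS and JRun items later in this column describe.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Illustrative code written for this column, not MIT or KTH kadmind source.
 * The request layout (one length byte followed by that many payload bytes)
 * and all names below are assumptions made for the example. */
#define FIELD_MAX 64

/* Unsafe pattern: the length comes from the request and is handed straight
 * to memcpy(). A length byte larger than FIELD_MAX writes past the end of
 * the stack buffer 'field'. Kept only for contrast; never feed it untrusted
 * input. */
static size_t copy_field_unsafe(const uint8_t *req, char *out)
{
    char field[FIELD_MAX];
    size_t len = req[0];                 /* attacker-controlled length */
    memcpy(field, req + 1, len);         /* never compared with sizeof field */
    memcpy(out, field, len);
    return len;
}

/* Hardened form: the untrusted length is checked against the bytes actually
 * received and against both destination buffers before any copy happens.
 * Returns the number of bytes copied, or 0 for a malformed or oversized
 * request, which the caller should treat as a protocol error. */
static size_t copy_field_checked(const uint8_t *req, size_t req_len,
                                 char *out, size_t out_cap)
{
    char field[FIELD_MAX];
    if (req == NULL || req_len < 1)
        return 0;
    size_t len = req[0];
    if (len > req_len - 1)                      /* claims more than was received */
        return 0;
    if (len > sizeof field || len > out_cap)    /* would overflow a buffer */
        return 0;
    memcpy(field, req + 1, len);
    memcpy(out, field, len);
    return len;
}

/* Constructed sample requests (not captured traffic). */
static const uint8_t REQ_BENIGN[]      = { 5, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t REQ_TRUNCATED[]   = { 9, 'a', 'b' };   /* claims 9, sends 2 */
static const uint8_t REQ_OVERSIZE[201] = { 200, 'A' };      /* claims 200 > FIELD_MAX */

size_t parse_benign_checked(void)
{
    char out[FIELD_MAX];
    return copy_field_checked(REQ_BENIGN, sizeof REQ_BENIGN, out, sizeof out);
}

size_t parse_truncated_checked(void)
{
    char out[FIELD_MAX];
    return copy_field_checked(REQ_TRUNCATED, sizeof REQ_TRUNCATED, out, sizeof out);
}

size_t parse_oversize_checked(void)
{
    char out[FIELD_MAX];
    return copy_field_checked(REQ_OVERSIZE, sizeof REQ_OVERSIZE, out, sizeof out);
}

/* The unsafe routine is exercised only with the benign request, on which
 * both versions agree; the oversize request would corrupt the stack. */
size_t parse_benign_unsafe(void)
{
    char out[FIELD_MAX];
    return copy_field_unsafe(REQ_BENIGN, out);
}

/* 1 if the checked parser delivered exactly the bytes "admin". */
int checked_field_is_admin(void)
{
    char out[FIELD_MAX];
    size_t n = copy_field_checked(REQ_BENIGN, sizeof REQ_BENIGN, out, sizeof out);
    return n == 5 && memcmp(out, "admin", 5) == 0;
}

int main(void)
{
    printf("benign    checked: %zu bytes\n", parse_benign_checked());
    printf("truncated checked: %zu (0 = rejected)\n", parse_truncated_checked());
    printf("oversize  checked: %zu (0 = rejected)\n", parse_oversize_checked());
    printf("benign    unsafe:  %zu bytes\n", parse_benign_unsafe());
    return 0;
}
```

The checked version rejects a request in two distinct ways: a length that exceeds what was actually received (a truncated or forged message) and a length that exceeds either destination buffer. Both checks are needed; validating only against the buffer still lets a short packet cause an over-read of the receive buffer.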

Systems Affected

  • MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6
  • KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1
  • Other Kerberos implementations derived from vulnerable MIT or KTH code

Solution/Patches
Apply the appropriate patch or upgrade as specified by your vendor. Disable support for the Kerberos 4 administration protocol if it is not needed. In KTH Heimdal, it is necessary to recompile kadmind in order to disable support for the Kerberos 4 administration protocol. For information about disabling all Kerberos 4 support in KTH Heimdal at compile time, see http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing

Block access to the Kerberos administration service from networks like the Internet. Allow access to the service from trusted administrative hosts. By default, the Kerberos 4 administration daemon listens on 751/tcp and 751/udp, and the Kerberos 5 administration daemon listens on 749/tcp and 749/udp. It may be necessary to block access to the Kerberos 5 administration service if the daemon also supports the Kerberos 4 administration protocol.

Apple Computer, Inc.
The Kerberos Administration Daemon was included in Mac OS X 10.0, but removed in Mac OS X 10.1 and later.

IBM
The IBM pSeries Parallel Systems Support Programs (PSSP) implementation of Kerberos V4 (shipped with PSSP) is potentially vulnerable to the Kerberos V4 administration daemon buffer overflow.

The IBM Network Authentication Service (NAS) product is not vulnerable to the buffer overflow vulnerability in the kadmind4 daemon.

Microsoft Corporation
Microsoft's implementation of Kerberos is not affected by this vulnerability.

MIT Kerberos
MIT has released MIT krb5 Security Advisory 2002-002 that includes a patch and a description of an attack signature and can be accessed at web.mit.edu

NetBSD
NetBSD has released NetBSD-SA2002-026: ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc

OpenBSD
OpenBSD has released Security Fix 016 for OpenBSD 3.1 and Security Fix 033 for OpenBSD 3.0.

OpenBSD 3.1
www.openbsd.org/errata31.html#kadmin

OpenBSD 3.0
www.openbsd.org/errata30.html#kadmin

CISCO WARNS OF FLAW IN CATOS
A flaw has been discovered in the embedded HTTP server used by the CatOS software in Cisco's Catalyst switches. If the HTTP server is enabled a buffer overflow can be remotely exploited which will cause the switch to fail and reload. The vulnerability can be exploited repeatedly and result in a denial of service.

If the HTTP server is enabled on a Cisco Catalyst switch running an affected CiscoView image, an overly long HTTP query can be received by the embedded HTTP server that will cause a buffer overflow and result in a software reset of the switch. Once the switch has recovered and has resumed normal processing it is vulnerable again. It remains vulnerable until the HTTP server is disabled.

Systems Affected
This vulnerability is only present in Cisco Catalyst switches running Cisco CatOS software versions 5.4 through 7.3 that contain an embedded HTTP server to support CiscoView network management software. The affected software images contain "cv" in the image name as seen here: cat6000-supcv.5-5-16.bin.

The exploitation of this issue can result in a software forced reset of this device. Repeated exploitation may lead to a denial of service until the workaround for this vulnerability has been implemented or a fixed version of software has been loaded onto the device.

Solution/Patches
Disable the HTTP server on the Cisco switch.

This example shows how to disable the HTTP server:

Console> (enable) set ip http server disable
HTTP server disabled.
The default setting for the HTTP server is disabled.

Users can also choose to block access to port 80 on their Cisco switch. This can be done with any device with traffic filtering capabilities.

Upgrades are available at the Software Center on Cisco's worldwide website at http://www.cisco.com/kobayashi/sw-center/sw-lan.shtml

For more, go to: http://www.cisco.com/warp/public/707/catos-http-overflow-vuln.shtml

MACROMEDIA JRUN BUFFER OVERFLOW VULNERABILITY
Due to insufficient bounds checking of URLs in incoming Web requests, Macromedia JRun is prone to a remotely exploitable buffer overflow. Successful exploitation may allow a remote attacker to execute arbitrary code with the privileges of the JRun server process.

This issue is specific to JRun running on Microsoft Windows platforms.

Systems Affected

  • IBM AIX 4.2/4.3
  • Microsoft IIS 4.0/5.0/5.1
  • Microsoft Windows 2000 Workstation/SP1/SP2
  • Microsoft Windows 95/98
  • Microsoft Windows NT 4.0/SP1-SP6a
  • RedHat Linux 6.0/6.1 (i386/alpha/sparc)
  • SGI IRIX 6.5
  • Sun Solaris 2.6/7.0/8.0

Components Affected

  • Macromedia JRun 3.0/3.1/4.0

Solution/Patches
Block external access to the server at the network boundary; allow access only if the service is required by external parties.
Filter network traffic at border routers and network firewalls. Deploy network intrusion detection systems (NIDS) to monitor network traffic for malicious activity. Audit NIDS and Web server logs for signs of malicious network activity. Run all server processes as non-privileged users with minimal access rights. Patches to address this issue are available at www.macromedia.com

 
     

Copyright 2001: Indian Express Group (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by The Business Publications Division of the Indian Express Group of Newspapers. Site managed by BPD