IY85474: MIT KERBEROS VULNERABILITY NO # MITKRB5-SA-2005-002

APAR status

  • Closed as program error.

Error description

  • The MIT krb5 Key Distribution Center (KDC) implementation can
    corrupt the heap by attempting to free memory at a random
    address when it receives a certain unlikely (but valid) request
    via a TCP connection. This attempt to free unallocated memory
    can result in a KDC crash and consequent denial of service.
    [CAN-2005-1174, VU#259798]. Additionally, the same request, when
    received by the KDC via either TCP or UDP, can trigger a bug in
    the krb5 library which results in a single-byte overflow of a
    heap buffer.  Application servers are vulnerable to a highly
    improbable attack, provided that the attacker controls a realm
    sharing a cross-realm key with the target realm. [CAN-2005-1175,
    VU#885830]. An unauthenticated attacker may be able to use these
    vulnerabilities to execute arbitrary code on the KDC host,
    potentially compromising an entire Kerberos realm.  No exploit
    code is known to exist at this time.  Exploitation of these
    vulnerabilities is believed to be difficult.
    

Local fix

  • WORKAROUNDS: Disabling TCP support in the KDC avoids one
    vulnerability [CAN-2005-1174]. The single-byte overflow
    [CAN-2005-1175] is still possible even without KDC TCP support
    enabled. Running the KDC from init or from some similar
    automatic respawning facility may reduce the durations of
    denials of service, but this approach may make it difficult to
    detect deliberate attacks targeted at code execution.
    

Problem summary

  • Security flaw due to buffer overrun in krb library in KDC
    

Problem conclusion

  • Problem fixed by code change
    

Temporary fix

Comments

APAR Information

  • APAR number

    IY85474

  • Reported component name

    IBM DCE V3.2 AI

  • Reported component ID

    5765E8300

  • Reported release

    320

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt

  • Submitted date

    2006-05-29

  • Closed date

    2006-05-30

  • Last modified date

    2006-05-30

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

Fix information

  • Fixed component name

    IBM DCE V3.2 AI

  • Fixed component ID

    5765E8300

Applicable component levels

  • R320 PSY

       UP




Document information


More support for:

Distributed Computing Environment

Software version:

320

Reference #:

IY85474

Modified date:

2006-05-30
