Kerberos V5 “libkadm5srv” Buffer Overflow Vulnerability

MIT krb5 Security Advisory 2004-004

Original release: 2004-12-20

Topic: heap buffer overflow in libkadm5srv

Severity: serious

The MIT Kerberos 5 administration library (libkadm5srv) contains a
heap buffer overflow in password history handling code which could be
exploited to execute arbitrary code on a Key Distribution Center (KDC)
host. The overflow occurs during a password change of a principal
with a certain password history state. An administrator must have
performed a certain password policy change in order to create the
vulnerable state. (See MITIGATING FACTORS below.)

No exploits are known to exist at this time, though a public
discussion of the bug took place during the first weeks of December
2004, containing sufficient detail that someone could infer how to
perform an attack. Exploitation of this vulnerability is believed to
be difficult, due to the limited extent of the overflow.

IMPACT
======

An authenticated user, not necessarily one with administrative
privileges, could execute arbitrary code on the KDC host, compromising
an entire Kerberos realm. [CAN-2004-1189]

MITIGATING FACTORS
==================

* Typically, only a principal satisfying the following conditions can
  trigger the buffer overflow upon password change:

  + have changed its password fewer times than the history count in
    its password policy

  + had its password policy's history count subsequently reduced to
    equal the number of times it has changed its password

* There are other means of producing the vulnerable state, though they
are significantly more complex and much less likely. All of these
other methods involve a reduction of the password history count in a
password policy.

* A workaround exists (see FIXES).
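The state the mitigating factors describe, modelled as a small C program that is added here as an illustration and is not MIT's svr_principal.c code: the history ring grows one slot per password change until it holds the policy's count, the slot index wraps at that count, and the check before the write (which returns HIST_CLAMPED when the index already sits past the allocation) is the guard an unchecked implementation lacks. The names `pw_hist_add` and `scenario` and the exact growth rule are assumptions.

```c
/* Hypothetical model of a per-principal password-history ring, written to
 * illustrate the state the advisory describes; it is not MIT's code. */
#include <stdlib.h>

#define HIST_OK       0   /* slot index was within the allocation */
#define HIST_CLAMPED  1   /* index pointed past the allocation and was wrapped */

struct pw_hist {
    size_t len;      /* slots allocated so far */
    size_t next;     /* slot the next old key goes into */
    unsigned *keys;  /* stand-in for the stored old keys */
};

/* Record one password change under a policy keeping `count` old keys.
 * Returns HIST_CLAMPED when `next` was already past the end of the
 * allocation, which an unchecked write would have overflowed. */
int pw_hist_add(struct pw_hist *h, size_t count, unsigned key)
{
    int rc = HIST_OK;
    if (count == 0)
        return HIST_OK;                  /* policy keeps no history */
    if (h->len < count) {                /* grow by one slot per change */
        unsigned *p = realloc(h->keys, (h->len + 1) * sizeof *p);
        if (p == NULL)
            return -1;
        h->keys = p;
        h->next = h->len;
        h->len++;
    }
    /* After the policy count is reduced, len is no longer grown and next
     * can equal len; wrap to slot 0 instead of writing past the end. */
    if (h->next >= h->len) {
        h->next = 0;
        rc = HIST_CLAMPED;
    }
    h->keys[h->next++] = key;
    if (h->next >= count)                /* ring wraps at the policy count */
        h->next = 0;
    return rc;
}

/* The advisory's scenario: a principal changes its password `changes` times
 * under a policy count of `old_count`, the count is lowered to `new_count`,
 * and the principal changes its password once more. Returns that last
 * call's result: HIST_CLAMPED marks the state an unchecked write overflows. */
int scenario(size_t changes, size_t old_count, size_t new_count)
{
    struct pw_hist h = { 0, 0, NULL };
    int rc = HIST_OK;
    for (size_t i = 0; i < changes && rc >= 0; i++)
        rc = pw_hist_add(&h, old_count, (unsigned)i);
    if (rc >= 0)
        rc = pw_hist_add(&h, new_count, 0xffu);
    free(h.keys);
    return rc;
}
```

`scenario(3, 5, 3)` reaches the clamped state (three changes under a count of 5, then the count lowered to 3), while leaving the count alone or raising it never does.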

AFFECTED SOFTWARE
=================

* KDC software on all releases of MIT krb5, up to and including
  krb5-1.3.5. The vulnerable library is libkadm5srv. Programs which
  use the vulnerable functionality of the library include:

  + kadmind (administration daemon)

  + kadmin.local (KDC-local administration client)

  + kadmind4 (krb4 compatibility administration daemon)

FIXES
=====

* WORKAROUND: Until your KDC programs and libraries have been patched,
do not decrease the password history count on any policy in your
Kerberos realm. Also, if you have already decreased the password
history count on a policy at some point in the past, you should
raise it to the maximum value that it has had in the past.

* The upcoming krb5-1.4 release (currently in beta test) will contain
fixes for this problem. The krb5-1.4-beta3 release contains fixes
for this problem.

* The upcoming krb5-1.3.6 patch release contains fixes for this
problem.

* Apply the following patch to src/lib/kadm5/srv/svr_principal.c, and
recompile the affected libraries and binaries. This patch was
generated against krb5-1.3.5, and may apply, with some offset, to
earlier releases.

This patch may also be found here.

The associated detached PGP signature can be found here.
