FreeBSD Security Advisory FreeBSD-SA-04:08.heimdal

From: FreeBSD Security Advisories (security-advisories_at_freebsd.org)
Date: 05/05/04

  • Next message: FreeBSD Security Advisories: "FreeBSD Security Advisory FreeBSD-SA-04:09.kadmind" 
    Date: Wed, 5 May 2004 14:26:52 -0700 (PDT)
To: FreeBSD Security Advisories <security-advisories@freebsd.org>

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    =============================================================================
    FreeBSD-SA-04:08.heimdal Security Advisory
                                                              The FreeBSD Project

    Topic: heimdal cross-realm trust vulnerability

    Category: core
    Module: crypto_heimdal
    Announced: 2004-05-05
    Credits: Heimdal project
    Affects: FreeBSD 4 with Kerberos 5 installed, and FreeBSD 5
    Corrected: 2004-05-05 19:49:41 UTC (RELENG_4, 4.10-PRERELEASE)
                    2004-05-05 19:55:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p6)
                    2004-05-05 20:48:19 UTC (RELENG_4_10, 4.10-RELEASE-RC)
                    2004-05-05 20:01:06 UTC (RELENG_4_9, 4.9-RELEASE-p6)
                    2004-05-05 20:06:30 UTC (RELENG_4_8, 4.8-RELEASE-p19)
    CVE Name: CAN-2004-0371
    FreeBSD only: NO

    For general information regarding FreeBSD Security Advisories,
    including descriptions of the fields above, security branches, and the
    following sections, please visit
    <URL:http://www.freebsd.org/security/>.

    I. Background

    Heimdal implements the Kerberos 5 network authentication protocols.
    Principals (i.e. users and services) represented in Kerberos are
    grouped into separate, autonomous realms. Unidirectional or
    bidirectional trust relationships may be established between realms to
    allow the principals in one realm to recognize the authenticity of
    principals in another. These trust relationships may be transitive.
    An authentication path is the ordered list of realms (and therefore
    KDCs) that were involved in the authentication process. The
    authentication path is recorded in Kerberos tickets as the `transited'
    field.

    It is possible for the Key Distribution Center (KDC) of a realm to
    forge part or all of the `transited' field. KDCs should validate this
    field before accepting authentication results, checking that each
    realm in the authentication path is trusted and that the path conforms
    to local policy. Applications are required to perform this type of
    checking if the KDC has not already done so.

    Prior to FreeBSD 5.1, Kerberos 5 was an optional component of FreeBSD,
    and was not installed by default.

    II. Problem Description

    Some versions of Heimdal do not perform appropriate checking of the
    `transited' field.

    III. Impact

    For sites that have established trust relationships with other realms,
    it is possible for the administrator(s) of those other realms to
    impersonate any Kerberos principal in any other realm.

    IV. Workaround

    Disable all inter-realm trust relationships. The Heimdal advisory
    listed in the References section below provides details for checking
    for trust relationships and disabling them.

    V. Solution

    Perform one of the following:

    1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
    RELENG_4_9, or RELENG_4_8 security branch dated after the correction
    date.

    2) To patch your present system:

    The following patches have been verified to apply to FreeBSD 4.8,
    4.9, 5.1, and 5.2 systems.

    a) Download the relevant patch from the location below, and verify the
    detached PGP signature using your PGP utility.

    [FreeBSD 4.8, 4.9, 5.1 with Heimdal 0.5.1]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch.asc

    [FreeBSD 5.2 with Heimdal 0.6]
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch
    # fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch.asc

    b) Execute the following commands as root:

    # cd /usr/src
    # patch < /path/to/patch
    # cd /usr/src/secure/lib/libcrypto
    # make obj && make depend && make
    # cd /usr/src/kerberos5
    # make obj && make depend && make && make install

    Be sure to restart any running services that use Kerberos, such as
    kdc(8) or sshd(8). Perhaps the simplest way to ensure all such
    applications are restarted is to reboot the system.

    VI. Correction details

    The following list contains the revision numbers of each file that was
    corrected in FreeBSD.

    Branch Revision
      Path
    - -------------------------------------------------------------------------
    RELENG_4
      src/crypto/heimdal/kdc/config.c 1.1.1.2.2.4
      src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.5
      src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.4
      src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.5
      src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.5
      src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.3
      src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.3
    RELENG_5_2
      src/UPDATING 1.282.2.14
      src/crypto/heimdal/kdc/config.c 1.1.1.7.2.1
      src/crypto/heimdal/kdc/kdc.8 1.1.1.7.2.1
      src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.6.2.1
      src/crypto/heimdal/kdc/kerberos5.c 1.1.1.8.2.1
      src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.9.2.1
      src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.6.6.1
      src/crypto/heimdal/lib/krb5/transited.c 1.1.1.6.2.1
      src/sys/conf/newvers.sh 1.56.2.13
    RELENG_4_10
      src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.8.1
      src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.8.1
      src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.8.1
      src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.8.1
      src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.8.1
      src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.10.1
      src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.8.1
    RELENG_4_9
      src/UPDATING 1.73.2.89.2.7
      src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.6.1
      src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.6.1
      src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.6.1
      src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.6.1
      src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.6.1
      src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.8.1
      src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.6.1
      src/sys/conf/newvers.sh 1.44.2.32.2.7
    RELENG_4_8
      src/UPDATING 1.73.2.80.2.22
      src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.4.1
      src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.4.1
      src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.4.1
      src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.4.1
      src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.4.1
      src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.6.1
      src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.4.1
      src/sys/conf/newvers.sh 1.44.2.29.2.20
    - -------------------------------------------------------------------------

    VII. References

    <URL:http://www.pdc.kth.se/heimdal/advisory/2004-04-01/>
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.2.4 (FreeBSD)

    iD8DBQFAmVTvFdaIBMps37IRAkhZAKCQZmbxNkicz82VEcPeDO/840uNxwCfQ/0U
    NYT36OgpzsBI9Jc0cpDXTA4=
    =i17O
    -----END PGP SIGNATURE-----
    _______________________________________________
    freebsd-security@freebsd.org mailing list
    http://lists.freebsd.org/mailman/listinfo/freebsd-security
    To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"

  • Next message: FreeBSD Security Advisories: "FreeBSD Security Advisory FreeBSD-SA-04:09.kadmind"

    Relevant Pages