Archive for December 6th, 2005

[USN-224-1] Kerberos vulnerabilities

==============================================
Ubuntu Security Notice USN-224-1 December 06, 2005
krb4, krb5 vulnerabilities
CVE-2005-0468, CVE-2005-0469, CVE-2005-1174, CVE-2005-1175,
CVE-2005-1689
==============================================

A security issue affects the following Ubuntu releases:

Ubuntu 4.10 (Warty Warthog)
Ubuntu 5.04 (Hoary Hedgehog)

The following packages are affected:

kerberos4kth-clients
krb5-clients
krb5-kdc
krb5-rsh-server
krb5-telnetd

On Ubuntu 4.10, the problem can be corrected by upgrading the affected package to version 1.2.2-10ubuntu0.1 (kerberos4kth-clients), and 1.3.4-3ubuntu0.2 (krb5-clients, krb5-kdc, krb5-rsh-server, krb5-telnetd).

On Ubuntu 5.04, the problem can be corrected by upgrading the affected package to version 1.2.2-10ubuntu0.1 (kerberos4kth-clients), and 1.3.6-1ubuntu0.1 (krb5-clients, krb5-kdc, krb5-rsh-server, krb5-telnetd).

In general, a standard system upgrade is sufficient to effect the
necessary changes.
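To verify that a system actually carries the fixed versions listed above, an administrator would compare the installed package versions against the advisory's fixed versions using Debian version ordering. The script below is an added example, not part of the USN or of Ubuntu's tooling: it embeds the fixed versions from this notice, parses a constructed inventory in the format produced by `dpkg-query -W -f='${Package} ${Version}\n'`, and reports any affected package still below the fixed version. The version comparison is a self-contained reimplementation of the Debian ordering rules (epoch, upstream, revision, with `~` sorting earliest and letters before non-letters); on a real system `dpkg --compare-versions` is the authoritative check.

```python
"""Check installed package versions against the fixed versions in USN-224-1.

Added example: the fixed-version table comes from the advisory text; the
inventory below is constructed sample data, not output from a real host.
"""
import subprocess

# Fixed versions per Ubuntu release, as stated in the advisory.
FIXED = {
    "4.10": {
        "kerberos4kth-clients": "1.2.2-10ubuntu0.1",
        "krb5-clients": "1.3.4-3ubuntu0.2",
        "krb5-kdc": "1.3.4-3ubuntu0.2",
        "krb5-rsh-server": "1.3.4-3ubuntu0.2",
        "krb5-telnetd": "1.3.4-3ubuntu0.2",
    },
    "5.04": {
        "kerberos4kth-clients": "1.2.2-10ubuntu0.1",
        "krb5-clients": "1.3.6-1ubuntu0.1",
        "krb5-kdc": "1.3.6-1ubuntu0.1",
        "krb5-rsh-server": "1.3.6-1ubuntu0.1",
        "krb5-telnetd": "1.3.6-1ubuntu0.1",
    },
}

# Constructed sample inventory in `dpkg-query -W -f='${Package} ${Version}\n'` format.
SAMPLE_INVENTORY = """\
krb5-clients 1.3.4-3ubuntu0.1
krb5-kdc 1.3.4-3ubuntu0.2
krb5-telnetd 1.3.4-3
kerberos4kth-clients 1.2.2-10
bash 2.05b-1
"""


def _order(c):
    """Debian sort weight for a non-digit character ('' marks end of a fragment)."""
    if c == "~":
        return -1            # '~' sorts before everything, even the end of the string
    if c == "":
        return 0             # end of string sorts before letters and other characters
    if c.isalpha():
        return ord(c)        # letters sort before non-letters
    return ord(c) + 256


def _cmp_fragment(a, b):
    """Compare two version fragments by alternating non-digit and digit runs."""
    i = j = 0
    while i < len(a) or j < len(b):
        # Compare the non-digit run character by character.
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ca = a[i] if i < len(a) and not a[i].isdigit() else ""
            cb = b[j] if j < len(b) and not b[j].isdigit() else ""
            oa, ob = _order(ca), _order(cb)
            if oa != ob:
                return -1 if oa < ob else 1
            i += bool(ca)
            j += bool(cb)
        # Compare the digit run numerically (so 10 > 9).
        na = ""
        while i < len(a) and a[i].isdigit():
            na += a[i]
            i += 1
        nb = ""
        while j < len(b) and b[j].isdigit():
            nb += b[j]
            j += 1
        da, db = int(na or "0"), int(nb or "0")
        if da != db:
            return -1 if da < db else 1
    return 0


def compare_versions(v1, v2):
    """Return -1, 0 or 1 for Debian version strings of the form [epoch:]upstream[-revision]."""
    def split(v):
        epoch, sep, rest = v.partition(":")
        if not sep:
            epoch, rest = "0", v
        upstream, dash, revision = rest.rpartition("-")
        if not dash:
            upstream, revision = rest, ""
        return int(epoch), upstream, revision

    e1, u1, r1 = split(v1)
    e2, u2, r2 = split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _cmp_fragment(u1, u2) or _cmp_fragment(r1, r2)


def check_inventory(release, inventory_text):
    """Return {package: (installed, fixed)} for affected packages below the fixed version."""
    fixed = FIXED[release]
    outdated = {}
    for line in inventory_text.splitlines():
        if not line.strip():
            continue
        pkg, ver = line.split(None, 1)
        if pkg in fixed and compare_versions(ver.strip(), fixed[pkg]) < 0:
            outdated[pkg] = (ver.strip(), fixed[pkg])
    return outdated


if __name__ == "__main__":
    # On a real host, replace SAMPLE_INVENTORY with live dpkg-query output.
    try:
        inventory = subprocess.run(
            ["dpkg-query", "-W", "-f=${Package} ${Version}\n"],
            capture_output=True, text=True, check=True).stdout
    except (OSError, subprocess.CalledProcessError):
        inventory = SAMPLE_INVENTORY
    for pkg, (have, need) in check_inventory("4.10", inventory).items():
        print(f"{pkg}: installed {have}, fixed in {need}")
```

Run against the constructed inventory, the script flags krb5-clients, krb5-telnetd and kerberos4kth-clients as still below the Ubuntu 4.10 fixed versions; krb5-kdc is already at the fixed version and bash is not in the advisory, so neither is reported.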

Details follow:

Gaël Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client.
(CVE-2005-0468)

Gaël Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i.e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client.
(CVE-2005-0469)

Daniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP connection requests, a remote attacker could trigger a double free of memory, which led to memory corruption and a crash of the KDC server (CVE-2005-1174). Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server.
(CVE-2005-1175)

Magnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most importantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package).
(CVE-2005-1689)


Post by: Muh Furqon T