
Multiple Vendor kadmind Remote Buffer Overflow Vulnerability

Risk
High

Date Discovered
10-21-2002

Description
A vulnerability has been discovered in the kadmind daemon.

It has been reported that kadmind is vulnerable to a remotely exploitable buffer overflow. This issue is due to insufficient bounds checking. Exploiting this issue could potentially allow an attacker to execute arbitrary code with the privileges of the kadmind process.

This issue is reported to exist in the Kerberos 4 administration protocol. Kerberos 5 includes support for the Kerberos 4 administration daemon. Various Kerberos implementations are reported to be affected by this vulnerability.

Platforms Affected
Conectiva Linux 8.0
Debian Linux 3.0
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.4
Gentoo Linux 1.2
Gentoo Linux 1.4 _rc1
MandrakeSoft Linux Mandrake 8.1
MandrakeSoft Linux Mandrake 8.1 ia64
MandrakeSoft Linux Mandrake 8.2
MandrakeSoft Linux Mandrake 8.2 ppc
RedHat Linux 6.2
RedHat Linux 6.2 alpha
RedHat Linux 6.2 i386
RedHat Linux 6.2 sparc
RedHat Linux 7.0
RedHat Linux 7.0 alpha
RedHat Linux 7.0 i386
RedHat Linux 7.1
RedHat Linux 7.1 alpha
RedHat Linux 7.1 i386
RedHat Linux 7.1 ia64
RedHat Linux 7.2
RedHat Linux 7.2 i386
RedHat Linux 7.2 ia64
RedHat Linux 7.3
RedHat Linux 7.3 i386
S.u.S.E. Linux 7.2
S.u.S.E. Linux 7.3
S.u.S.E. Linux 8.0

Components Affected
KTH eBones 1.2
KTH Heimdal 0.3 e
KTH Heimdal 0.4 e
KTH Heimdal 0.4 d
KTH Heimdal 0.4 c
KTH Heimdal 0.4 b
KTH Heimdal 0.4 a
KTH Heimdal 0.5
MIT Kerberos 4 4.0
MIT Kerberos 5 1.0
MIT Kerberos 5 1.0.6
MIT Kerberos 5 1.1
MIT Kerberos 5 1.1.1
MIT Kerberos 5 1.2
MIT Kerberos 5 1.2.1
MIT Kerberos 5 1.2.2
MIT Kerberos 5 1.2.3
MIT Kerberos 5 1.2.4
MIT Kerberos 5 1.2.5
MIT Kerberos 5 1.2.6
NetBSD NetBSD 1.5
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5.2
NetBSD NetBSD 1.5.3
NetBSD NetBSD 1.6
OpenBSD OpenBSD 3.0
OpenBSD OpenBSD 3.1

Recommendations
Block external access at the network boundary, unless service is required by external parties.
If possible, restrict remote connectivity to trusted hosts and internal networks only. Block access to TCP/UDP port 751 for the Kerberos 4 administration daemon, and to TCP/UDP port 749 for Kerberos 5 administration if Kerberos 4 administration is supported.
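
One way to verify the port restriction above on a Linux KDC host, as an added example that is not part of the original advisory: it reads listener lines in the `ss -H -lntu` column layout and reports sockets bound to ports 749 or 751, marking those reachable from other hosts. The function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag listeners on the kadmind ports named in this advisory
# (751 = Kerberos 4 administration, 749 = Kerberos 5 administration).
# Assumed input: lines shaped like `ss -H -lntu` output
# (netid state recv-q send-q local-addr:port peer-addr:port).

# find_kadmin_listeners: read listener lines on stdin and print one finding
# per socket bound to port 749 or 751 as "proto address port scope".
find_kadmin_listeners() {
    awk '
    {
        proto = $1; laddr = $5
        # Split at the LAST colon so IPv6 forms such as [::]:751 parse too.
        n = match(laddr, /:[0-9]+$/)
        if (n == 0) next
        addr = substr(laddr, 1, n - 1)
        port = substr(laddr, n + 1)
        # Exact match only: port 7510 must not be reported as 751.
        if (port != "749" && port != "751") next
        # Loopback-only sockets are not reachable from the network.
        scope = (addr ~ /^127\./ || addr == "[::1]") ? "loopback" : "exposed"
        print proto, addr, port, scope
    }'
}

# count_exposed: number of findings reachable from other hosts.
count_exposed() {
    find_kadmin_listeners | grep -c ' exposed$' || true
}

# Constructed sample listing (not captured from a real host).
SAMPLE_LISTENERS='tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 5 0.0.0.0:751 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:751 0.0.0.0:*
tcp LISTEN 0 5 127.0.0.1:749 0.0.0.0:*
tcp LISTEN 0 5 [::]:749 [::]:*
tcp LISTEN 0 128 0.0.0.0:7510 0.0.0.0:*'

printf '%s\n' "$SAMPLE_LISTENERS" | find_kadmin_listeners
```

On a live host, pipe `ss -H -lntu` into `find_kadmin_listeners`; any "exposed" line is a socket the boundary filter or a host firewall still has to cover.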

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Exploitation attempts may be indicated by intrusion detection systems. Audit IDS logs regularly.

Run all server processes as non-privileged users with minimal access rights.
When possible, run server processes as low-privileged users to limit the consequences of exploitation.

Disable any unnecessary default services.
Disable all services not explicitly required by the system. Disable the Kerberos 4 administration protocol if it is not needed.

CERT has released an advisory which contains information about various vendors and implementations that are reported to be affected by this vulnerability.

NetBSD has released an advisory. NetBSD-current, NetBSD 1.6 and NetBSD 1.5 branches dated 2002-10-22 and later have fixes for this vulnerability. Users are advised to upgrade the crypto/dist/heimdal/kadmin directory in CVS. Further information is available in the referenced advisory.

FreeBSD have addressed this issue as of October 23rd, 2002 for the base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons. The heimdal and krb5 ports were corrected as of October 24th, 2002. A vendor advisory is reported to be forthcoming.

MIT has released an advisory. Detailed patch information is available in the referenced advisory.

Apple has announced that the Kerberos Administration Daemon was included in Mac OS X 10.0, but was removed in Mac OS X versions 10.1 and later.

Debian has released an advisory (DSA-178) which addresses this and other vulnerabilities. See the attached advisory for details on obtaining fixes.

Conectiva 8.0 ships with MIT Kerberos 5 packages which include the affected kadmind4 daemon. The daemon is not installed by default or used as a service. A Conectiva advisory and fixes are reported to be forthcoming.

SuSE Linux versions 7.2 and ship with Heimdal Kerberos. However, Kerberos 4 support is not enabled.

Gentoo Linux has released an advisory and made fixes available. To update systems, Gentoo Linux users are advised to perform the following update procedures:

emerge rsync
emerge kth-krb
emerge heimdal
emerge clean

Patches have been released which address this issue:


KTH eBones 1.2:
KTH Heimdal 0.3 e:
KTH Heimdal 0.4 e:

KTH Upgrade heimdal-docs_0.2l-7.4_all.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-docs_0.2l-7.4_all.deb
KTH Upgrade heimdal-docs_0.4e-7.woody.4_all.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-docs_0.4e-7.woody.4_all.deb
KTH Upgrade heimdal-kdc_0.2l-7.4_alpha.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_alpha.deb
KTH Upgrade heimdal-kdc_0.2l-7.4_arm.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_arm.deb
KTH Upgrade heimdal-kdc_0.2l-7.4_i386.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_i386.deb
KTH Upgrade heimdal-kdc_0.2l-7.4_m68k.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_m68k.deb
KTH Upgrade heimdal-kdc_0.2l-7.4_powerpc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_powerpc.deb
KTH Upgrade heimdal-kdc_0.2l-7.4_sparc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.2l-7.4_sparc.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_alpha.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_alpha.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_arm.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_arm.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_hppa.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_hppa.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_i386.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_i386.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_ia64.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_ia64.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_m68k.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_m68k.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_mips.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_mips.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_mipsel.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_mipsel.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_powerpc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_powerpc.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_s390.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_s390.deb
KTH Upgrade heimdal-kdc_0.4e-7.woody.4_sparc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-kdc_0.4e-7.woody.4_sparc.deb
KTH Upgrade heimdal-lib_0.4e-7.woody.4_all.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-lib_0.4e-7.woody.4_all.deb
KTH Upgrade heimdal-servers-x_0.2l-7.4_alpha.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_alpha.deb
KTH Upgrade heimdal-servers-x_0.2l-7.4_arm.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_arm.deb
KTH Upgrade heimdal-servers-x_0.2l-7.4_i386.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_i386.deb
KTH Upgrade heimdal-servers-x_0.2l-7.4_m68k.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_m68k.deb
KTH Upgrade heimdal-servers-x_0.2l-7.4_powerpc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_powerpc.deb
KTH Upgrade heimdal-servers-x_0.2l-7.4_sparc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.2l-7.4_sparc.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_alpha.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_alpha.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_arm.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_arm.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_hppa.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_hppa.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_i386.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_i386.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_ia64.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_ia64.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_m68k.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_m68k.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_mips.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_mips.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_mipsel.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_mipsel.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_powerpc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_powerpc.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_s390.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_s390.deb
KTH Upgrade heimdal-servers-x_0.4e-7.woody.4_sparc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers-x_0.4e-7.woody.4_sparc.deb
KTH Upgrade heimdal-servers_0.2l-7.4_alpha.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_alpha.deb
KTH Upgrade heimdal-servers_0.2l-7.4_arm.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_arm.deb
KTH Upgrade heimdal-servers_0.2l-7.4_i386.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_i386.deb
KTH Upgrade heimdal-servers_0.2l-7.4_m68k.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_m68k.deb
KTH Upgrade heimdal-servers_0.2l-7.4_powerpc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_powerpc.deb
KTH Upgrade heimdal-servers_0.2l-7.4_sparc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.2l-7.4_sparc.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_alpha.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_alpha.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_arm.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_arm.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_hppa.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_hppa.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_i386.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_i386.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_ia64.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_ia64.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_m68k.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_m68k.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_mips.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_mips.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_mipsel.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_mipsel.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_powerpc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_powerpc.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_s390.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_s390.deb
KTH Upgrade heimdal-servers_0.4e-7.woody.4_sparc.deb
http://security.debian.org/pool/updates/main/h/heimdal/heimdal-servers_0.4e-7.woody.4_sparc.deb

KTH Heimdal 0.4 d:
KTH Heimdal 0.4 c:
KTH Heimdal 0.4 b:
KTH Heimdal 0.4 a:
KTH Heimdal 0.5:
MIT Kerberos 4 4.0:
MIT Kerberos 5 1.0:
MIT Kerberos 5 1.0.6:
MIT Kerberos 5 1.1:
MIT Kerberos 5 1.1.1:
MIT Kerberos 5 1.2:
MIT Kerberos 5 1.2.1:
MIT Kerberos 5 1.2.2:
MIT Kerberos 5 1.2.3:
MIT Kerberos 5 1.2.4:
MIT Kerberos 5 1.2.5:
MIT Kerberos 5 1.2.6:
MIT Patch 2002-002-kadm4_patch.txt
http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt

NetBSD NetBSD 1.5:
NetBSD NetBSD 1.5.1:
NetBSD NetBSD 1.5.2:
NetBSD NetBSD 1.5.3:
NetBSD NetBSD 1.6:
OpenBSD OpenBSD 3.0:
OpenBSD Patch 033_kadmin.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.0/common/033_kadmin.patch

OpenBSD OpenBSD 3.1:
OpenBSD Patch 016_kadmin.patch
ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/016_kadmin.patch

References
Source: NetBSD 2002-026 Buffer overflow in kadmind daemon
URL: http://online.securityfocus.com/advisories/4589

Source: Gentoo 200210-008 kth-krb & heimdal
URL: http://online.securityfocus.com/advisories/4606

Source: CERT CA-2002-29 Buffer Overflow in Kerberos Administration Daemon
URL: http://online.securityfocus.com/advisories/4604

Source: Debian DSA 178-1 New Heimdal packages fix remote command execution
URL: http://online.securityfocus.com/advisories/4575

Source: MITKRB5-SA-2002-002: Buffer overflow in kadmind4
URL: msg://bugtraq/ldvhefdpzni.fsf@saint-elmos-fire.mit.edu

Source: Updated: MITKRB5-SA-2002-002: Buffer overflow in kadmind4
URL: msg://bugtraq/ldvn0p22h4o.fsf@saint-elmos-fire.mit.edu

Source: kadmind source
URL: http://www.openbsd.org/cgi-bin/cvsweb/src/kerberosV/src/kadmin/version4.c

Source: OpenBSD 3.0 release errata & patch list
URL: http://www.openbsd.org/errata30.html#kadmin

Source: OpenBSD 3.1 release errata & patch list
URL: http://www.openbsd.org/errata31.html#kadmin

Credits
Discovery of vulnerability credited to Johan Danielsson and Love Hornquist-Astrand.


Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from symsecurity@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and SymSecurity are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.