Heimdal security advisories

Heimdal advisories

2012-01-11 - libkrb5 checksum - denial of service

libkrb5 checksum - denial of service

Description:

By choosing a specific PAC, an attacker can cause the heap to be overwritten with data the attacker does not control.

Applies to versions:

2012-01-10 - telnet vulnerability client and server

telnet vulnerability client and server

Description:

Buffer overrun caused by copying untrusted data from the network stack in libtelnet.

Applies to versions:

See also:

CVE-2011-4862

2010-05-27 - Tries to follow NULL pointers in KDC and GSS-API Kerberos acceptor (server).

Tries to follow NULL pointers in KDC and GSS-API Kerberos acceptor (server).

Description:

There are OPTIONAL values in the Kerberos protocols; in the ASN.1 encoder they are encoded as a pointer to a structure. When the peer does not send the OPTIONAL argument, the pointer is set to NULL instead of pointing to a structure.

In two places we failed to check for a NULL pointer before de-referencing it, which results in a crash.

Thanks to Tom Yu of MIT Kerberos for telling us about the problem.
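The pattern described above, shown as an added C example that is not Heimdal's code: an OPTIONAL field represented as a pointer that decodes to NULL when the peer omits it, an accessor that dereferences it blindly (the crashing pattern), and a hardened accessor that treats an absent field as a distinct outcome. The struct and function names are illustrative, not Heimdal identifiers, and the realm string is a constructed sample.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative types, not Heimdal's real ASN.1 output. Heimdal's ASN.1
 * compiler represents an OPTIONAL member as a pointer; an absent member
 * decodes to NULL, which is exactly what an accessor must expect. */
typedef struct {
    const char *value;
} Realm;

typedef struct {
    int msg_type;   /* mandatory field, always present */
    Realm *realm;   /* OPTIONAL field: NULL when the peer omitted it */
} OptionalFieldMessage;

#define ERR_MISSING_FIELD (-1L)

/* Buggy pattern: assumes the OPTIONAL field is always present.
 * Calling this with msg->realm == NULL dereferences a NULL pointer. */
static long realm_length_unchecked(const OptionalFieldMessage *msg)
{
    return (long)strlen(msg->realm->value);
}

/* Hardened pattern: an absent OPTIONAL field is reported, never followed. */
static long realm_length_checked(const OptionalFieldMessage *msg)
{
    if (msg == NULL || msg->realm == NULL || msg->realm->value == NULL)
        return ERR_MISSING_FIELD;
    return (long)strlen(msg->realm->value);
}

/* Builds a message the way a decoder would: realm_or_null == NULL models
 * a peer that left the OPTIONAL field out; `storage` backs the pointer. */
static OptionalFieldMessage message_from_peer(const char *realm_or_null, Realm *storage)
{
    OptionalFieldMessage msg;
    msg.msg_type = 10;
    if (realm_or_null == NULL) {
        msg.realm = NULL;
    } else {
        storage->value = realm_or_null;
        msg.realm = storage;
    }
    return msg;
}

/* Wrapper so both cases can be exercised by name. */
static long checked_length_for(const char *realm_or_null)
{
    Realm storage;
    OptionalFieldMessage msg = message_from_peer(realm_or_null, &storage);
    return realm_length_checked(&msg);
}

int main(void)
{
    Realm storage;
    OptionalFieldMessage present = message_from_peer("EXAMPLE.ORG", &storage);
    printf("present, unchecked: %ld\n", realm_length_unchecked(&present));
    printf("present, checked:   %ld\n", checked_length_for("EXAMPLE.ORG"));
    printf("absent,  checked:   %ld\n", checked_length_for(NULL));
    /* realm_length_unchecked() on a message with realm == NULL would
     * crash here; that is the bug the advisory describes. */
    return 0;
}
```

The fix is the extra comparison in realm_length_checked(): every OPTIONAL member produced by the ASN.1 layer has to be NULL-checked at the point of use, because the wire format, not the local code, decides whether it exists.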

Applies to versions:

See also:

CVE-2010-1321

2010-03-21 - Length checking wrong

Length checking wrong

Description:

The decryption functions didn't do length checking correctly, which can result in crashes or other problems.

The HMAC code cleared too much memory, which can result in crashes or other problems.

Thanks to Tom Yu of MIT and Andrew Tridge of Samba for telling us about the problem.
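An added C example, not Heimdal's decryption code, of the two checks this advisory is about: validating the ciphertext length before decryption, and clearing exactly the checksum bytes on the HMAC side. It assumes the RFC 3961 layout of encrypted data (encrypted confounder and plaintext followed by a trailing checksum) with example sizes for the AES types; the profile struct, function names and the block-aligned profile in the usage are illustrative, not Heimdal's internals.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Illustrative encryption-type profile, assumed from the RFC 3961 layout
 *   ciphertext = E(confounder || plaintext) || checksum
 * These are not Heimdal's internal structures. */
typedef struct {
    size_t blocksize;      /* cipher block size (16 for AES) */
    size_t confounderlen;  /* leading random confounder, usually one block */
    size_t checksumlen;    /* trailing truncated HMAC (12 for the aes-sha1 types) */
    int block_aligned;     /* nonzero if the encrypted part must be whole blocks */
} EncProfile;

enum { DEC_OK = 0, DEC_TOO_SHORT = -1, DEC_BAD_ALIGN = -2 };

/* Validate `len` bytes of ciphertext before touching them. Without the
 * first check, `len - checksumlen` wraps around and a later copy reads or
 * writes far past the buffer. On success *plaintext_len receives the bytes
 * left after stripping confounder and checksum; on error it is 0. */
static int check_decrypt_length(const EncProfile *p, size_t len, size_t *plaintext_len)
{
    size_t enc;
    *plaintext_len = 0;
    if (len < p->confounderlen + p->checksumlen)
        return DEC_TOO_SHORT;
    enc = len - p->checksumlen;                 /* encrypted part only */
    if (p->block_aligned && enc % p->blocksize != 0)
        return DEC_BAD_ALIGN;
    *plaintext_len = enc - p->confounderlen;    /* cannot underflow here */
    return DEC_OK;
}

/* HMAC-side counterpart: wipe the computed checksum, but never more bytes
 * than the buffer holds. Returns the number of bytes cleared. */
static size_t clear_checksum(unsigned char *buf, size_t buflen, size_t checksumlen)
{
    size_t n = checksumlen < buflen ? checksumlen : buflen;
    memset(buf, 0, n);
    return n;
}

int main(void)
{
    EncProfile aes = { 16, 16, 12, 0 };   /* AES-CTS: no block alignment required */
    size_t pl;
    int rc = check_decrypt_length(&aes, 27, &pl);
    printf("27 bytes: rc=%d (DEC_TOO_SHORT is %d)\n", rc, DEC_TOO_SHORT);
    rc = check_decrypt_length(&aes, 40, &pl);
    printf("40 bytes: rc=%d, plaintext length %zu\n", rc, pl);
    return 0;
}
```

The minimum length is the sum of confounder and checksum, so a 28-byte AES input is accepted with zero plaintext bytes and a 27-byte input is rejected before any subtraction happens; the block-alignment check only applies to profiles that pad to whole blocks.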

Applies to versions:

2006-08-08 - multiple local privilege escalation vulnerabilities

multiple local privilege escalation vulnerabilities

Description:

This problem applies to systems where the setuid/seteuid calls can fail due to resource exhaustion. One operating system where this is true is Linux. The programs this problem applies to are ftpd and rcp. The problem only applies to rcp if it is installed setuid root (not done by default).

Patch (heimdal-0.7.2-setuid-patch) for Heimdal 0.7.2 fixes this problem.

One workaround is to make sure set{e,}uid doesn't fail. Also disabling ftpd and removing the setuid bit from rcp will solve the problem.

Thanks to Tom Yu at MIT and Michael Calmer and Marcus Meissner at SUSE for telling us about the problem. Either of CVE-2006-3083 or CVE-2006-3084 describes this problem.

Applies to versions:

See also:

CVE-2006-3083 CVE-2006-3084

2006-02-06 - rshd privilege escalation vulnerability

rshd privilege escalation vulnerability

Description:

The rshd server in Heimdal has a privilege escalation bug when storing forwarded credentials. The code allows a user to overwrite a file with its credential cache, and get ownership of the file.

The only workaround for this bug is to disable the rshd server program.

Applies to versions:

2005-06-20 - telnetd vulnerabilities

telnetd vulnerabilities

Description:

The telnetd server program in Heimdal has buffer overflows in the function getterminaltype, which may lead to remote code execution.

The only workaround for this bug is to not use the telnetd server program.

Applies to versions:

2005-04-20 - telnet vulnerabilities

telnet vulnerabilities

Description:

The telnet client program in Heimdal has buffer overflows in the functions slc_add_reply() and env_opt_add(), which may lead to remote code execution.

The only workaround for this bug is to not use the telnet client.

Applies to versions:

2004-09-13 - ftpd root escalation

ftpd root escalation

Description:

A number of problems in ftpd may be used to get root access from an ftp session. Przemyslaw Frasunek has written a technical description (detailing tnftpd, but the principle is the same).

The only workaround for this bug is to disable ftpd.

See also Gentoo bug 61412

Applies to versions:

See also:

CVE-2004-0794

2004-05-06 - Kerberos 4 buffer overrun in Heimdal kadmin

Kerberos 4 buffer overrun in Heimdal kadmin

Description:

All releases prior to 0.6.2 have a possible buffer overrun problem in the Kerberos 4 kadmin compatibility module. It would probably be possible to implement a remote exploit for this, depending on architecture.

0.6.2 fixes this problem, as well as making Kerberos 4 kadmin default off.

We suggest that you turn off Kerberos 4 kadmin, with the --no-kerberos4 option to kadmind. If you have a good reason to still use the Kerberos 4 kadmin protocol, you should still do this before an upgrade to 0.6.2.

To check for a vulnerable kadmind you have to check for version and also whether it was built with Kerberos 4 support at all:

$ /usr/heimdal/libexec/kadmind --version
kadmind (Heimdal 0.6.1)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se
$ /usr/heimdal/libexec/kadmind --help
Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file] [-k file]
[--keytab=keytab] [--realm=realm] [-r realm] [--check-library=library]
[--check-function=function] [--debug] [--no-kerberos4] [--ports=port]
[-p port] [--help] [--version] 
-c file, --config-file=file location of config file
-k file, --key-file=file    location of master key file
--keytab=keytab             what keytab to use
-r realm, --realm=realm     realm to use
--check-library=library     library to load password check function from
--check-function=function   password check function to load
-d, --debug                 enable debugging
--no-kerberos4              don't respond to kerberos 4 requests
-p port, --ports=port       ports to listen to

Binaries without Kerberos 4 support will not show the --no-kerberos4 option.

Applies to versions:

See also:

CAN-2004-0434

2004-04-01 - Cross-realm trust vulnerability in Heimdal

Cross-realm trust vulnerability in Heimdal

Description:

All releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.

0.6.1 and 0.5.3 perform proper consistency checks on cross-realm requests, and allow better control over transit checks.

If you are running a vulnerable KDC version and have established cross-realm trust with anyone, we recommend that you disable this trust and then upgrade to 0.6.1.

To see if you have any cross-realm trust enabled you can list all krbtgt principals in the database:

kadmin> get -t krbtgt/*
krbtgt/<MY.REALM>@<MY.REALM>
krbtgt/<MY.REALM>@<OTHER.REALM>
krbtgt/<OTHER.REALM>@<MY.REALM>
If you have any <OTHER.REALM> variants, you can temporarily disable them with:

kadmin> mod krbtgt/<MY.REALM>@<OTHER.REALM>
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:+disallow-all-tix
You have to repeat this for all such principals as there is no easy way to automate this. If you have a huge number to update, you will probably have to dump the database, edit the dump, and reload.

After upgrading the KDC you can reenable them with:

kadmin> mod krbtgt/<MY.REALM>@<OTHER.REALM>
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [disallow-all-tix]:-disallow-all-tix

Applies to versions:

See also:

CAN-2004-0371