Fix KDC-REP service name validation

Description:

Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation This is a critical vulnerability. In _krb5_extract_ticket() the KDC-REP service name must be obtained from encrypted version stored in 'enc_part' instead of the unencrypted version stored in 'ticket'. Use of the unecrypted version provides an opportunity for successful server impersonation and other attacks. See the Orpheus Lyre website for more details. (CVE-2017-11103)

Applies to versions:

• Heimdal - 7.3.0
• Heimdal - 7.2.0
• Heimdal - 7.1.0
• Heimdal - 1.5.2
• Heimdal - 1.5.1
• Heimdal - 1.5
• Heimdal - 1.4
• Heimdal - 1.3.3
• Heimdal - 1.3.1
• Heimdal - 1.3.0
• Heimdal - 1.2.1
• Heimdal - 1.2
• Heimdal - 1.1
• Heimdal - 1.0.2
• Heimdal - 1.0.1
• Heimdal - 1.0
• Heimdal - 0.8
• Heimdal - 0.7.2
• Heimdal - 0.7.1
• Heimdal - 0.7
• Heimdal - 0.6.6
• Heimdal - 0.6.5
• Heimdal - 0.6.4
• Heimdal - 0.6.3
• Heimdal - 0.6.2
• Heimdal - 0.6.1
• Heimdal - 0.6
• Heimdal - 0.0a

See also:

CVE-2017-11103

Fix transit path validation

Description:

Commit f469fc6 (2010-10-02) inadvertently caused the previous hop realm to not be added to the transit path of issued tickets. This may, in some cases, enable bypass of capath policy in Heimdal versions 1.5 through 7.2. Note, this may break sites that rely on the bug. With the bug some incomplete [capaths] worked, that should not have. These may now break authentication in some cross-realm configurations. (CVE-2017-6594)

Applies to versions:

• Heimdal - 7.2.0
• Heimdal - 7.1.0
• Heimdal - 1.5.2
• Heimdal - 1.5.1
• Heimdal - 1.5

See also:

CVE-2017-6594

libkrb5 checksum - denial of service

Description:

By choosing a specific PAC, the attacker can cause an overwriting of the heap with data the attacker doesn't control.

Applies to versions:

• Heimdal - 1.5.2
• Heimdal - 1.5.1
• Heimdal - 1.5
• Heimdal - 1.4
• Heimdal - 1.3.3
• Heimdal - 1.3.2
• Heimdal - 1.3.0
• Heimdal - 1.2.1

telnet vulnerability client and server

Description:

Buffer overrun by copying untrusted data from network stack in libtelnet

Applies to versions:

• Heimdal - 1.5.2
• Heimdal - 1.5.1
• Heimdal - 1.5
• Heimdal - 1.4
• Heimdal - 1.3.3
• Heimdal - 1.3.2
• Heimdal - 1.3.0
• Heimdal - 1.2.1

See also:

CVE-2011-4862

Tries to follow NULL pointers in KDC and GSS-API Kerberos acceptor (server).

Description:

There OPTIONAL values in Kerberos protocols, in the ASN.1 encoder they are encoded as a pointer to a structure. When the peer is not sending the OPTIONAL argument, the pointer set to NULL instead of a pointer to a structure.

In two places we failes to check for NULL pointer before trying to de-reference the NULL pointer, which results in crashing.

Thanks to Tom Yu of MIT Kerberos for tell us about the problem.

Applies to versions:

• Heimdal - 1.3.3
• Heimdal - 1.3.2
• Heimdal - 1.3.0
• Heimdal - 1.2.1
• Heimdal - 1.2
• Heimdal - 1.1
• Heimdal - 1.0.2
• Heimdal - 1.0.1
• Heimdal - 1.0
• Heimdal - 0.7.2

See also:

CVE-2010-1321

Length checking wrong

Description:

The decryption functions didn't do length checking correctly, which can result in crashes or other problems.

The HMAC code cleared too much memory, this can result in crashes or other problems.

Thanks to Tom Yu of MIT and Andrew Tridge of Samba for tell us about the problem.

Applies to versions:

• Heimdal - 1.3.2
• Heimdal - 1.3.0
• Heimdal - 1.2.1
• Heimdal - 1.2
• Heimdal - 1.1
• Heimdal - 1.0.2
• Heimdal - 1.0.1
• Heimdal - 1.0

multiple local privilege escalation vulnerabilities

Description:

This problem applies to systems where setuid/seteuid call call fail due to resource exhaustion. One operating system that is true is Linux. The programs that this this problem applies to are ftpd and rcp. The problem only apply to rcp if it installed setuid root (not done by default).

Patch (heimdal-0.7.2-setuid-patch) for Heimdal 0.7.2 fixes this problem.

One workaround is to make sure set{e,}uid doesn't fail. Also disabling ftpd and removing the setuid bit from rcp will solve the problem.

Thanks to Tom Yu at MIT and Michael Calmer and Marcus Meissner at SUSE for tell us about the problem. Either of CVE-2006-3083 or CVE-2006-3084 describes this problems.

Applies to versions:

• Heimdal - 0.7.2
• Heimdal - 0.7.1
• Heimdal - 0.7
• Heimdal - 0.6.6
• Heimdal - 0.6.5
• Heimdal - 0.6.4
• Heimdal - 0.6.3
• Heimdal - 0.6.2
• Heimdal - 0.6.1
• Heimdal - 0.6

See also:

CVE-2006-3083 CVE-2006-3084

rshd privilege escalation vulnerability

Description:

The rshd server in Heimdal has a privilege escalation bug when storing forwarded credentials. The code allowes a user to overwrite a file with its credential cache, and get ownership of the file.

The only workaround for this bug is to disable the rshd server program.

Applies to versions:

• Heimdal - 0.7.1
• Heimdal - 0.7
• Heimdal - 0.6.5
• Heimdal - 0.6.4
• Heimdal - 0.6.3
• Heimdal - 0.6.2
• Heimdal - 0.6.1
• Heimdal - 0.6

telnetd vulnerabilities

Description:

The telnetd server program in Heimdal has buffer overflows in the function getterminaltype, which may lead to remote code execution.

The only workaround for this bug is to not use the telnetd server program.

Applies to versions:

• Heimdal - 0.6.4
• Heimdal - 0.6.3
• Heimdal - 0.6.2
• Heimdal - 0.6.1
• Heimdal - 0.6

telnet vulnerabilities

Description:

The telnet client program in Heimdal has buffer overflows in the functions slc_add_reply() and env_opt_add(), which may lead to remote code execution.

The only workaround for this bug is to not use the telnet client.

Applies to versions:

• Heimdal - 0.6.4
• Heimdal - 0.6.3
• Heimdal - 0.6.2
• Heimdal - 0.6.1
• Heimdal - 0.6

ftpd root escalation

Description:

A number of problems in ftpd may be used to get root access from an ftp session. Przemyslaw Frasunek has written a technical description (detailing tnftpd, but the principle is the same).

The only workaround for this bug is to disable ftpd.

See also Gentoo bug 61412

Applies to versions:

• Heimdal - 0.6.2
• Heimdal - 0.6.1
• Heimdal - 0.6

See also:

CVE-2004-0794

Kerberos 4 buffer overrun in Heimdal kadmin

Description:

All releases prior to 0.6.2 have a possible buffer overrun problem in the Kerberos 4 kadmin compatibility module. It would probably be possible to implement a remote exploit for this, depending on architechture.

0.6.2 fixes this problem, as well as making Kerberos 4 kadmin default off.

We suggest that you turn off Kerberos 4 kadmin, with the --no-kerberos4 option to kadmind. If you have a good reason to still use the Kerberos 4 kadmin protocol, you should still do this before an upgrade to 0.6.2.

To check for a vulnerable kadmind you have to check for version and also whether it was built with Kerberos 4 support at all:

$ /usr/heimdal/libexec/kadmind --version
kadmind (Heimdal 0.6.1)
Copyright 1999-2004 Kungliga Tekniska Hgskolan
Send bug-reports to heimdal-bugs@pdc.kth.se
$ /usr/heimdal/libexec/kadmind --help
Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file] [-k file]
[--keytab=keytab] [--realm=realm] [-r realm] [--check-library=library]
[--check-function=function] [--debug] [--no-kerberos4] [--ports=port]
[-p port] [--help] [--version] 
-c file, --config-file=file location of config file
-k file, --key-file=file    location of master key file
--keytab=keytab             what keytab to use
-r realm, --realm=realm     realm to use
--check-library=library     library to load password check function from
--check-function=function   password check function to load
-d, --debug                 enable debugging
--no-kerberos4              don't respond to kerberos 4 requests
-p port, --ports=port       ports to listen to
	

Binaries without Kerberos 4 support will not show the --no-kerberos4 option.

Applies to versions:

• Heimdal - 0.6.1
• Heimdal - 0.6

See also:

CAN-2004-0434

Cross-realm trust vulnerability in Heimdal

Description:

All releases prior to 0.6.1 and 0.5.3 have a cross-realm vulnerability allowing someone with control over a realm to impersonate anyone in the cross-realm trust path.

0.6.1 and 0.5.3 performs proper consistency checks on cross-realm requests, as well as allowing for better control over transit checks.

If you are running a vulnerable KDC version and have established cross-realm trust with anyone, we recommend that you disable this trust and then upgrade to 0.6.1.

Too see if you have any cross-realm trust enabled you can list all krbtgt principals in the database:

kadmin> get -t krbtgt/*
krbtgt/<MY.REALM>@<MY.REALM>
krbtgt/<MY.REALM>@<OTHER.REALM>
krbtgt/<OTHER.REALM>@<MY.REALM>
	  

If you have any <OTHER.REALM> variants, you can temporarily disable them with:

kadmin> mod krbtgt/<MY.REALM>@<OTHER.REALM>
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes []:+disallow-all-tix
	  

You have to repeat this for all such principals as there is no easy way to automate this. If you have a huge number to update, you will probably have to dump the database, edit the dump, and reload.

After upgrading the KDC you can reenable them with:

kadmin> mod krbtgt/<MY.REALM>@<OTHER.REALM>
Max ticket life [unlimited]:
Max renewable life [unlimited]:
Principal expiration time [never]:
Password expiration time [never]:
Attributes [disallow-all-tix]:-disallow-all-tix
	  

Applies to versions:

• Heimdal - 0.6

See also:

CAN-2004-0371