Debians sikkerhedsbulletin

DSA-266-1 krb5 -- flere sårbarheder

Rapporteret den:

24. mar 2003

Berørte pakker:

Sårbar:

Referencer i sikkerhedsdatabaser:

I Mitres CVE-ordbog: CVE-2003-0028, CVE-2003-0072, CVE-2003-0082, CVE-2003-0138, CVE-2003-0139.
CERTs noter om sårbarheder, bulletiner og hændelser: VU#623217, VU#442569, VU#516825, CA-2003-10.

Yderligere oplysninger:

Flere sårbarheder er opdaget i krb5, en implementation af MIT Kerberos.

En kryptograferingssårbarhed i version 4 af Kerberos-protokollen tillader en angriber at anvende et "chosen-plaintext"-angreb til at give sig ud for en principal i et "realm". Yderligere kryptografiske svagheder i krb4-implementationen som findes i MITs krb5-distribution, giver mulighed for klippe-klistre-angreb til fabrikation af krb4-"tickets" til uautoriserede klient-principaler, hvis tredobbelte DES-nøgler anvendes til at fæste ("key") krb4-tjenester. Disse angreb kan undergrave et steds komplette infrastruktur til autentifikation.
Kerberos version 5 indeholder ikke denne kryptografiske sårbarhed. Steder er ikke sårbare hvis Kerberos v4 er slået helt fra, deriblandt også har slået alle krb5 til krb5-oversættelsestjenester fra.
MITs Kerberos 5-implementation indeholder et RPC-bibliotek afledt af SUNRPC. Implementationen indeholder længdekontroller, som er sårbare overfor et heltalsoverløb, som det kan være muligt at udnytte til at fremstille lammelsesangreb (denial of service) eller opnå uautoriseret adgang til følsomme oplysninger.
Problemer med bufferoverløb og -underløb findes i Kerberos håndtering af principal-navne under usædvanlige omstændigheder, såsom navne med nul-komponenter, navne med et tomt komponent eller værtsbaserede principal-navne uden værtsnavnekomponent på tjenester.

Denne version af krb5-pakken, ændrer standardmåden programmet opfører sig på og tillader ikke "cross-realm"-autentifikation for Kerberos version 4. På grund af det fundamentale ved problemet, kan "cross-realm"-autentifikation i Kerberos version 4 ikke gøres sikker og man bør undgå at bruge det. En ny indstilling (-X) stilles til rådighed for kommandoerne krb5kdc og krb524d, for at slå version 4-"cross-realm"-autentifikaation til for de steder, som skal bruge denne funktionalitet, men ønsker de andre sikkerhedsrettelser.

I den stabile distribution (woody) er dette problem rettet i version 1.2.4-5woody4.

Den gamle stabile distribution (potato) indeholder ikke krb5-pakker.

I den ustabile distribution (sid) vil dette problem snart blive rettet.

Vi anbefaler at du opgraderer din krb5-pakke.

Rettet i:

Debian GNU/Linux 3.0 (woody)

Kildekode:: http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody4.dsc; http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody4.diff.gz; http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4.orig.tar.gz
Arkitekturuafhængig komponent:: http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.2.4-5woody4_all.deb
Alpha:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_sparc.deb

MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.