Alerta de Segurança Debian

DSA-266-1 krb5 -- várias vulnerabilidades

Data do Alerta:

24 Mar 2003

Pacotes Afetados:

Vulnerável:

Sim

Referência à base de dados de segurança:

No dicionário CVE do Mitre: CVE-2003-0028, CVE-2003-0072, CVE-2003-0082, CVE-2003-0138, CVE-2003-0139.
Alertas, notas de incidentes e vulnerabilidades do CERT: VU#623217, VU#442569, VU#516825, CA-2003-10.

Informações adicionais:

Várias vulnerabilidades foram descobertas no krb5, uma implementação do MIT Kerberos.

Um defeito de criptografia na versão 4 do protocolo Kerberos permite que um atacante use um ataque de texto-plano selecionado para imitar qualquer principal num domínio. Defeitos adicionais de criptografia na implementação do krb4 incluídas na distribuição MIT krb5 permitem o uso de ataques de cortar-e-colar para fabricar bilhetes krb4 para clientes principal não autorizados se chaves três-DES forem usadas para registrar serviços krb4. Esses ataques podem subverter toda a infra-estrutura de autenticação Kerberos de um site.
A versão 5 do Kerberos não contém essa vulnerabilidade na criptografia. Sites que estão com Kerberos v4 totalmente desabilitado, incluindo a desativação de qualquer serviço de tradução krb5 para krb4, não estão vulneráveis.
A implementação MIT Kerberos 5 inclui uma biblioteca derivada do SUNRPC. Ela contém checagens de comprimento, que são vulneráveis a um estouro de inteiro, que pode ser explorado para criar negações de serviço ou para obter acesso não autorizado a informações sensíveis.
Existem problemas de buffer overrun e underrun no manuseio do principal de nomes em casos incomuns do Kerberos, tais como nomes sem componentes, nomes com um componente vazio, ou o serviço principal de nomes baseado em host, sem componentes host.

Esta versão do pacote krb5 muda o comportamento padrão e desabilita a autenticação cross-realm da versão 4 do Kerberos. Devido a natureza do problema, a autenticação cross-realm da versão 4 do Kerberos não pode ser segura e sites devem evitar seu uso. Uma nova opção (-X) é fornecida nos comandos krb5kdc e krb524d para reabilitar a autenticação cross-realm para aqueles sites que devem usar esta funcionalidade mas desejam ter as outras atualizações de segurança.

Para a distribuição estável (woody) esse problema foi corrigido na versão 1.2.4-5woody4.

A antiga distribuição estável (potato) não contém os pacotes krb5.

Para a distribuição estável (sid) esse problema será corrigido em breve.

Nós recomendamos que você atualize seu pacote krb5.

Corrigido em:

Debian GNU/Linux 3.0 (woody)

Fonte:: http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody4.dsc; http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody4.diff.gz; http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4.orig.tar.gz
Componente independente de arquitetura:: http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.2.4-5woody4_all.deb
Alpha:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_alpha.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_alpha.deb
ARM:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_arm.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_arm.deb
Intel IA-32:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_i386.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_i386.deb
Intel IA-64:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_ia64.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_ia64.deb
HPPA:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_hppa.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_hppa.deb
Motorola 680x0:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_m68k.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_m68k.deb
Big endian MIPS:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_mips.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_mips.deb
Little endian MIPS:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_mipsel.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_mipsel.deb
PowerPC:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_powerpc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_powerpc.deb
IBM S/390:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_s390.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_s390.deb
Sun Sparc:: http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_sparc.deb; http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_sparc.deb

Checksums MD5 dos arquivos listados estão disponíveis no alerta original.