Debians sikkerhedsbulletin
DSA-266-1 krb5 -- flere sårbarheder
- Rapporteret den:
- 24. mar 2003
- Berørte pakker:
- krb5
- Sårbar:
- Ja
- Referencer i sikkerhedsdatabaser:
- I Mitres CVE-ordbog: CVE-2003-0028, CVE-2003-0072, CVE-2003-0082, CVE-2003-0138, CVE-2003-0139.
CERTs noter om sårbarheder, bulletiner og hændelser: VU#623217, VU#442569, VU#516825, CA-2003-10. - Yderligere oplysninger:
-
Flere sårbarheder er opdaget i krb5, en implementation af MIT Kerberos.
- En kryptograferingssårbarhed i version 4 af Kerberos-protokollen tillader
en angriber at anvende et "chosen-plaintext"-angreb til at give sig ud for
en principal i et "realm". Yderligere kryptografiske svagheder i
krb4-implementationen som findes i MITs krb5-distribution, giver mulighed
for klippe-klistre-angreb til fabrikation af krb4-"tickets" til
uautoriserede klient-principaler, hvis tredobbelte DES-nøgler anvendes
til at fæste ("key") krb4-tjenester. Disse angreb kan undergrave et steds
komplette infrastruktur til autentifikation.
Kerberos version 5 indeholder ikke denne kryptografiske sårbarhed. Steder er ikke sårbare hvis Kerberos v4 er slået helt fra, deriblandt også har slået alle krb5 til krb5-oversættelsestjenester fra.
- MITs Kerberos 5-implementation indeholder et RPC-bibliotek afledt af SUNRPC. Implementationen indeholder længdekontroller, som er sårbare overfor et heltalsoverløb, som det kan være muligt at udnytte til at fremstille lammelsesangreb (denial of service) eller opnå uautoriseret adgang til følsomme oplysninger.
- Problemer med bufferoverløb og -underløb findes i Kerberos håndtering af principal-navne under usædvanlige omstændigheder, såsom navne med nul-komponenter, navne med et tomt komponent eller værtsbaserede principal-navne uden værtsnavnekomponent på tjenester.
Denne version af krb5-pakken, ændrer standardmåden programmet opfører sig på og tillader ikke "cross-realm"-autentifikation for Kerberos version 4. På grund af det fundamentale ved problemet, kan "cross-realm"-autentifikation i Kerberos version 4 ikke gøres sikker og man bør undgå at bruge det. En ny indstilling (-X) stilles til rådighed for kommandoerne krb5kdc og krb524d, for at slå version 4-"cross-realm"-autentifikaation til for de steder, som skal bruge denne funktionalitet, men ønsker de andre sikkerhedsrettelser.
I den stabile distribution (woody) er dette problem rettet i version 1.2.4-5woody4.
Den gamle stabile distribution (potato) indeholder ikke krb5-pakker.
I den ustabile distribution (sid) vil dette problem snart blive rettet.
Vi anbefaler at du opgraderer din krb5-pakke.
- En kryptograferingssårbarhed i version 4 af Kerberos-protokollen tillader
en angriber at anvende et "chosen-plaintext"-angreb til at give sig ud for
en principal i et "realm". Yderligere kryptografiske svagheder i
krb4-implementationen som findes i MITs krb5-distribution, giver mulighed
for klippe-klistre-angreb til fabrikation af krb4-"tickets" til
uautoriserede klient-principaler, hvis tredobbelte DES-nøgler anvendes
til at fæste ("key") krb4-tjenester. Disse angreb kan undergrave et steds
komplette infrastruktur til autentifikation.
- Rettet i:
-
Debian GNU/Linux 3.0 (woody)
- Kildekode:
- http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody4.dsc
- http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody4.diff.gz
- http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4.orig.tar.gz
- http://security.debian.org/pool/updates/main/k/krb5/krb5_1.2.4-5woody4.diff.gz
- Arkitekturuafhængig komponent:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-doc_1.2.4-5woody4_all.deb
- Alpha:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_alpha.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_alpha.deb
- ARM:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_arm.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_arm.deb
- Intel IA-32:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_i386.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_i386.deb
- Intel IA-64:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_ia64.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_ia64.deb
- HPPA:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_hppa.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_hppa.deb
- Motorola 680x0:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_m68k.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_m68k.deb
- Big endian MIPS:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_mips.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_mips.deb
- Little endian MIPS:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_mipsel.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_mipsel.deb
- PowerPC:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_powerpc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_powerpc.deb
- IBM S/390:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_s390.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_s390.deb
- Sun Sparc:
- http://security.debian.org/pool/updates/main/k/krb5/krb5-admin-server_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-ftpd_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-kdc_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-rsh-server_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-telnetd_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-user_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkadm55_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb5-dev_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/libkrb53_1.2.4-5woody4_sparc.deb
- http://security.debian.org/pool/updates/main/k/krb5/krb5-clients_1.2.4-5woody4_sparc.deb
MD5-kontrolsummer for de listede filer findes i den originale sikkerhedsbulletin.