#228409: Security Vulnerability in the Kerberos kadm5 Library May Allow Execution of Arbitrary Code

Security Vulnerability in the Kerberos kadm5 Library May Allow Execution of Arbitrary Code

Category :	Security
Release Phase :	Resolved
Product :	Solaris 9 Operating System Solaris 10 Operating System Solaris 8 Operating System
Bug Id :	6538001
Date of Workaround Release :	29-MAY-2007
Date of Resolved Release :	13-AUG-2007

Impact

A security vulnerability in the kadm5 library shipped with Solaris may allow a remote authenticated user to command a host running kadmind(1M) and execute arbitrary code with the privileges of the kadmind process (usually 'root'). This issue affects systems configured as Kerberos Key Distribution Centers(KDC).

In addition, this issue may allow the remote user to compromise the Kerberos key database or cause the affected program to crash, causing a Denial of Service(DOS).

This issue is also described in the following documents:

CVE-2007-0957 at

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0957

MIT krb5 Security Advisory 2007-002 at

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-002-syslog.txt

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

SEAM 1.0.1 (for Solaris 8) without patch 110060-22
Solaris 8 without patch 109223-10
Solaris 9 without patches 112921-09, 112923-04 and 112925-07
Solaris 10 without patch 120473-10

x86 Platform

SEAM 1.0.1 (for Solaris 8) without patch 110061-22
Solaris 8 without patch 109224-10
Solaris 9 without patches 116044-04, 116045-02, 116046-09 and 116175-05
Solaris 10 without patch 120037-20

Note: This issue can only occur if the system is configured as a Kerberos Key Distribution Center(KDC).

To determine if a system is configured as a KDC, the following command can be run:

    % ps -ef | grep kadmin
    root   321     1  0   Dec 10 ?    0:00 /usr/krb5/lib/kadmind

If the above command shows that the kadmind(1M) daemon is running, then the machine is configured as a KDC and is vulnerable.

Symptoms

There are no predictable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.

Workaround

While it is possible to disable kadmind(1M), this would take down all administrative functionality of the Kerberos environment. The Kerberos realm itself would remain usable while kadmind is down.

Resolution

This issue is addressed in the following releases:

SPARC Platform

SEAM 1.0.1 (for Solaris 8) with patch 110060-22 or later
Solaris 8 with patch 109223-10 or later
Solaris 9 with patches 112921-09, 112923-04 and 112925-07 or later (for all patches)
Solaris 10 with patch 120473-10 or later

x86 Platform

SEAM 1.0.1 (for Solaris 8) with patch 110061-22 or later
Solaris 8 with patch 109224-10 or later
Solaris 9 with patches 116044-04, 116045-02, 116046-09 and 116175-05 or later (for all patches)
Solaris 10 with patch 120037-20 or later

Note: When SEAM 1.0.1 is run on a Solaris 8 system, both the SEAM 1.0.1 and Solaris 8 patches listed above should be installed to resolve this issue.

Modification History

Date: 18-JUN-2007

Updated Contributing Factors and Resolution sections

Date: 31-JUL-2007

Updated Contributing Factors, Relief/Workaround and Resolution sections

Date: 13-AUG-2007

Updated Contributing Factors and Resolution sections
State: Resolved

Attachments

This solution has no attachment

Login Required

Login Required