MDVSA-2010:246

Package name

krb5

Date

2010-11-30

Advisory ID

MDVSA-2010:246

Affected versions

MES5 i586 , MES5 x86_64 , 2010.1 i586 , 2010.1 x86_64

Problem description

Multiple vulnerabilities were discovered and corrected in krb5:

An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token. An unauthenticated remote attacker has a 1/256
chance of forging KRB-SAFE messages in an application protocol if the
targeted pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages (CVE-2010-1323).

An unauthenticated remote attacker can forge GSS tokens that
are intended to be integrity-protected but unencrypted, if the
targeted pre-existing application session uses a DES session key. An
authenticated remote attacker can forge PACs if using a KDC that does
not filter client-provided PAC data. This can result in privilege
escalation against a service that relies on PAC contents to make
authorization decisions. An unauthenticated remote attacker has a 1/256
chance of swapping a client-issued KrbFastReq into a different KDC-REQ,
if the armor key is RC4. The consequences are believed to be minor
(CVE-2010-1324).

An authenticated remote attacker that controls a legitimate service
principal has a 1/256 chance of forging the AD-SIGNEDPATH signature
if the TGT key is RC4, allowing it to use self-generated evidence
tickets for S4U2Proxy, instead of tickets obtained from the user or
with S4U2Self. Configurations using RC4 for the TGT key are believed
to be rare. An authenticated remote attacker has a 1/256 chance of
forging AD-KDC-ISSUED signatures on authdata elements in tickets
having an RC4 service key, resulting in privilege escalation against
a service that relies on these signatures. There are no known uses
of the KDC-ISSUED authdata container at this time (CVE-2010-4020.

An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ
it has intercepted. The attacker could then use this ticket for
S4U2Proxy to impersonate the targeted client even if the client never
authenticated to the subverted service. The vulnerable configuration
is believed to be rare (CVE-2010-4021).

The updated packages have been patched to correct this issue.

Updated packages

MES5 i586

 cafa2595564ca56d375c34706d052cbd  mes5/i586/krb5-1.8.1-0.3mdvmes5.1.i586.rpm
 9e964b4e75ef29006b4d9c9c7d4b0580  mes5/i586/krb5-pkinit-openssl-1.8.1-0.3mdvmes5.1.i586.rpm
 c745399130544a19ae434c93a25e705d  mes5/i586/krb5-server-1.8.1-0.3mdvmes5.1.i586.rpm
 b9f780014082d8779b2c70814cb61152  mes5/i586/krb5-server-ldap-1.8.1-0.3mdvmes5.1.i586.rpm
 2da137c3dd3765452349d0514d0183f1  mes5/i586/krb5-workstation-1.8.1-0.3mdvmes5.1.i586.rpm
 85c4e6711c347bd7b9562d951c951e94  mes5/i586/libkrb53-1.8.1-0.3mdvmes5.1.i586.rpm
 bdb842aaaffdad42969416f3e61bbce9  mes5/i586/libkrb53-devel-1.8.1-0.3mdvmes5.1.i586.rpm 
 3cc5cc2331d3ff2805850d14fcbccf35  mes5/SRPMS/krb5-1.8.1-0.3mdvmes5.1.src.rpm

MES5 x86_64

 ffdd682d681783fddeada0cd0e605757  mes5/x86_64/krb5-1.8.1-0.3mdvmes5.1.x86_64.rpm
 e7b85d0d7387bd68303bc9364a711fef  mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.3mdvmes5.1.x86_64.rpm
 7717e0e24d81862ae84ff03720ca5619  mes5/x86_64/krb5-server-1.8.1-0.3mdvmes5.1.x86_64.rpm
 a5043665e33fbbe7c2a9fd6bf05fe808  mes5/x86_64/krb5-server-ldap-1.8.1-0.3mdvmes5.1.x86_64.rpm
 f367fd174eeef3097e766e8183e81c68  mes5/x86_64/krb5-workstation-1.8.1-0.3mdvmes5.1.x86_64.rpm
 f6c823372133d690539facf101d8e224  mes5/x86_64/lib64krb53-1.8.1-0.3mdvmes5.1.x86_64.rpm
 0640da1f402bdd872d8e40b8f4c62736  mes5/x86_64/lib64krb53-devel-1.8.1-0.3mdvmes5.1.x86_64.rpm 
 3cc5cc2331d3ff2805850d14fcbccf35  mes5/SRPMS/krb5-1.8.1-0.3mdvmes5.1.src.rpm

2010.1 i586

 317a56866c53118e056d608da7816501  2010.1/i586/krb5-1.8.1-5.2mdv2010.1.i586.rpm
 68e604c5a993bd22e070497c3715bfd8  2010.1/i586/krb5-pkinit-openssl-1.8.1-5.2mdv2010.1.i586.rpm
 3a476ea497511ba4bfc0f9f43b70119f  2010.1/i586/krb5-server-1.8.1-5.2mdv2010.1.i586.rpm
 157af42ca6878241e980f58bd88907ed  2010.1/i586/krb5-server-ldap-1.8.1-5.2mdv2010.1.i586.rpm
 8d9eda88b29423366de6010987760e66  2010.1/i586/krb5-workstation-1.8.1-5.2mdv2010.1.i586.rpm
 9939fd490b146b8e26daf85b04532e61  2010.1/i586/libkrb53-1.8.1-5.2mdv2010.1.i586.rpm
 1970bef02c46809aef5ca1b44c8069c1  2010.1/i586/libkrb53-devel-1.8.1-5.2mdv2010.1.i586.rpm 
 b0409a3b64885ed84ef9cc04968be3f7  2010.1/SRPMS/krb5-1.8.1-5.2mdv2010.1.src.rpm

2010.1 x86_64

 71db4c06e7e87c9faa0318ddc0562707  2010.1/x86_64/krb5-1.8.1-5.2mdv2010.1.x86_64.rpm
 04cd23f2d43a498ccba0868195f23490  2010.1/x86_64/krb5-pkinit-openssl-1.8.1-5.2mdv2010.1.x86_64.rpm
 b66e2c6625cc69131e4d1b44d7c05534  2010.1/x86_64/krb5-server-1.8.1-5.2mdv2010.1.x86_64.rpm
 ceb54db5b54e163c548cd84249266192  2010.1/x86_64/krb5-server-ldap-1.8.1-5.2mdv2010.1.x86_64.rpm
 1508414b03cf6b12f583249c4b0be6ee  2010.1/x86_64/krb5-workstation-1.8.1-5.2mdv2010.1.x86_64.rpm
 e75aa825ac83bddfc61a00dd7daf33fb  2010.1/x86_64/lib64krb53-1.8.1-5.2mdv2010.1.x86_64.rpm
 83acc481c2ab4cdb18df2a1719e6a57a  2010.1/x86_64/lib64krb53-devel-1.8.1-5.2mdv2010.1.x86_64.rpm 
 b0409a3b64885ed84ef9cc04968be3f7  2010.1/SRPMS/krb5-1.8.1-5.2mdv2010.1.src.rpm

References

• http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4021
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4020
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323
• http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1324