From tlyu at MIT.EDU Sat Jul 1 01:41:15 2006 From: tlyu at MIT.EDU (Tom Yu) Date: Sat, 01 Jul 2006 01:41:15 -0400 Subject: krb5-1.5 is released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.5. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.5 ================================= You may retrieve the Kerberos 5 Release 1.5 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.5 release is: http://web.mit.edu/kerberos/krb5-1.5/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ MAJOR CHANGES ============= Kerberos 5 Release 1.5 includes many significant changes to the Kerberos build system, to GSS-API, and to the Kerberos KDC and administration system. These changes build up infrastructure as part of our efforts to make Kerberos more extensible and flexible. While we are confident that these changes will improve Kerberos in the long run, significant code restructuring may introduce portability problems or change behavior in ways that break applications. It is always important to test a new version of critical security software like Kerberos before deploying it in your environment to confirm that the new version meets your environment's requirements. Because of the significant restructuring, it is more important than usual to perform this testing and to report problems you find. Highlights of major changes include: * KDB abstraction layer, donated by Novell. * plug-in architecture, allowing for extension modules to be loaded at run-time. * multi-mechanism GSS-API implementation ("mechglue"), donated by Sun Microsystems * Simple and Protected GSS-API negotiation mechanism ("SPNEGO") implementation, donated by Sun Microsystems * Per-directory ChangeLog files have been deleted. Releases now include auto-generated revision history logs in the combined file doc/CHANGES. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (SunOS) iD8DBQFEpgr/SO8fWy4vZo4RAmQAAJ9ue8L5tsiwua0uHHRCb11fWqs7sgCfZ8iz /tDMX1rv7eCTGqzzaDyw2z4= =hRgk -----END PGP SIGNATURE----- From tlyu at MIT.EDU Tue Aug 8 15:06:42 2006 From: tlyu at MIT.EDU (Tom Yu) Date: Tue, 08 Aug 2006 15:06:42 -0400 Subject: MITKRB-SA-2006-001: multiple local privilege escalation vulnerabilities Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MIT krb5 Security Advisory 2006-001 Original release: 2006-08-08 Topic: multiple local privilege escalation vulnerabilities Severity: serious SUMMARY ======= In certain application programs packaged in the MIT Kerberos 5 source distribution, calls to setuid() and seteuid() are not always checked for success. A local user could exploit one of these vulnerabilities to result in privilege escalation. No exploit code is known to exist at this time. It is believed that the primary risk is to Linux systems, due to the behavior of their implementation of the setuid() and seteuid() system calls. IMPACT ====== Actual impact depends on implementation details within a specific operating system. Vulnerabilities result when the OS implementations of setuid() or seteuid() can fail due to resource exhaustion when changing to an unprivileged user ID. We believe that only unchecked calls to setuid(), and not calls to seteuid(), are vulnerable on Linux. On AIX, Kerberos applications provided by IBM are not vulnerable. If, in place of or in addition to IBM-provided Kerberos applications, MIT krb5 code is installed on an AIX system, the affected MIT krb5 applications are vulnerable to the setuid() issues listed in CVE-2006-3083. We believe that no other operating systems are affected. [CVE-2006-3083, VU#580124] The following vulnerabilities may result from unchecked calls to setuid(), and are believed to only exist on Linux and AIX: * Unchecked calls to setuid() in krshd may allow a local privilege escalation leading to execution of programs as root. * Unchecked calls to setuid() in the v4rcp may allow a local privilege escalation leading to reading, writing, or creating files as root. v4rcp is the remote end of a krb4-authenticated rcp operation, but may be executed directly by an attacker, as it is a setuid program. [CVE-2006-3084, VU#401660] The following vulnerabilities may result from unchecked calls to seteuid(). These vulnerabilities are not yet known to exist on any operating system: * Unchecked calls to seteuid() in ftpd may allow a local privilege escalation leading to reading, writing, or creating files as root. * Unchecked calls to seteuid() in the ksu program may allow a local privilege escalation resulting in filling a file with null bytes as root and then deleting it (the "kdestroy" operation). AFFECTED SOFTWARE ================= * The above-listed programs are vulnerable in all releases of MIT krb5, up to and including krb5-1.5. The krb5-1.5.1 and krb5-1.4.4 releases will contain fixes for these problems. FIXES ===== * The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes for these vulnerabilities. * Disable krshd and ftpd, and remove the setuid bit from the ksu binary and the v4rcp binary. * For the krb5-1.5 release, apply the patch at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt A PGP-signed version of this patch is at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt.asc This patch was generated against the krb5-1.5 release, and may apply to earlier releases with some fuzz. The patch also updates some calls to other setuid-like system calls on less-common operating systems, though these calls are less likely to be vulnerable. * For the krb5-1.4.3 release, apply the patch at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt A PGP-signed version of this patch is at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt This patch was generated against the krb5-1.4.3 release, and may apply to earlier releases with some fuzz. The patch also updates some calls to other setuid-like system calls on less-common operating systems, though these calls are less likely to be vulnerable. REFERENCES ========== This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVE: CVE-2006-3083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083 CERT: VU#580124 http://www.kb.cert.org/vuls/id/580124 CVE: CVE-2006-3084 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084 CERT: VU#401660 http://www.kb.cert.org/vuls/id/401660 ACKNOWLEDGMENTS =============== Thanks to Michael Calmer and Marcus Meissner at SUSE for reporting this problem. Thanks to Shiva Persaud at IBM for information on AIX. DETAILS ======= Typically, setuid(), seteuid(), and similar system calls cannot fail except in cases of inadequate privilege or system misconfiguration. Unlike other operating systems, Linux and AIX system calls which change the real user ID can fail if the change would cause the target user ID to exceed its quota of allowed processes. A local attacker may be able to exhaust a process quota in a way which artificially creates such a failure condition. This may result in privilege escalation when a program making an unchecked call to one of these system calls expects to continue execution with reduced privilege following the affected call, but instead continues to run as a privileged user. Specific places where various system calls are not checked include: appl/bsd/krcp.c: setreuid (uncompiled code), setuid (irrelevant because not installed setuid) appl/bsd/krshd.c: setuid appl/bsd/krsh.c: setuid (irrelevant because not installed setuid) appl/bsd/v4rcp.c: setuid appl/gssftp/ftpd/ftpd.c: seteuid client/ksu/main.c: seteuid lib/krb4/kuserok.c: seteuid (but likely irrelevant) REVISION HISTORY ================ 2006-08-08 original release Copyright (C) 2006 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (SunOS) iQCVAwUBRNjfg6bDgE/zdoE9AQLnKQP8DAikPgsCxRiOVj2QnX66VnBl2Nsm7irs NeO/8yiP9QpliPk4h/6p9Q1Wc70H/C4ICWgufVDiIHbnUc4MGS4GVUzZtvQelrC1 4WTZyxLFfEZQzbNk6FUBw3W0P38IrUX2FQsLTp9R4S3iWFMI5Udkb5XX60zwo9w2 79rpIw5g8vY= =x/vF -----END PGP SIGNATURE----- From tlyu at MIT.EDU Wed Aug 16 18:37:03 2006 From: tlyu at MIT.EDU (Tom Yu) Date: Wed, 16 Aug 2006 18:37:03 -0400 Subject: UPDATED: MITKRB5-SA-2006-001: multiple local privilege escalation vulnerabilities Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 MIT krb5 Security Advisory 2006-001 Original release: 2006-08-08 Last update: 2006-08-16 Topic: multiple local privilege escalation vulnerabilities Severity: serious SUMMARY ======= [patch corrected since original release] In certain application programs packaged in the MIT Kerberos 5 source distribution, calls to setuid() and seteuid() are not always checked for success. A local user could exploit one of these vulnerabilities to result in privilege escalation. No exploit code is known to exist at this time. It is believed that the primary risk is to Linux systems, due to the behavior of their implementation of the setuid() and seteuid() system calls. IMPACT ====== Actual impact depends on implementation details within a specific operating system. Vulnerabilities result when the OS implementations of setuid() or seteuid() can fail due to resource exhaustion when changing to an unprivileged user ID. We believe that only unchecked calls to setuid(), and not calls to seteuid(), are vulnerable on Linux. On AIX, Kerberos applications provided by IBM are not vulnerable. If, in place of or in addition to IBM-provided Kerberos applications, MIT krb5 code is installed on an AIX system, the affected MIT krb5 applications are vulnerable to the setuid() issues listed in CVE-2006-3083. We believe that no other operating systems are affected. [CVE-2006-3083, VU#580124] The following vulnerabilities may result from unchecked calls to setuid(), and are believed to only exist on Linux and AIX: * Unchecked calls to setuid() in krshd may allow a local privilege escalation leading to execution of programs as root. * Unchecked calls to setuid() in the v4rcp may allow a local privilege escalation leading to reading, writing, or creating files as root. v4rcp is the remote end of a krb4-authenticated rcp operation, but may be executed directly by an attacker, as it is a setuid program. [CVE-2006-3084, VU#401660] The following vulnerabilities may result from unchecked calls to seteuid(). These vulnerabilities are not yet known to exist on any operating system: * Unchecked calls to seteuid() in ftpd may allow a local privilege escalation leading to reading, writing, or creating files as root. * Unchecked calls to seteuid() in the ksu program may allow a local privilege escalation resulting in filling a file with null bytes as root and then deleting it (the "kdestroy" operation). AFFECTED SOFTWARE ================= * The above-listed programs are vulnerable in all releases of MIT krb5, up to and including krb5-1.5. The krb5-1.5.1 and krb5-1.4.4 releases will contain fixes for these problems. FIXES ===== * The upcoming krb5-1.5.1 and krb5-1.4.4 releases will include fixes for these vulnerabilities. * Disable krshd and ftpd, and remove the setuid bit from the ksu binary and the v4rcp binary. * For the krb5-1.5 release, apply the patch at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt A PGP-signed version of this patch is at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.5.txt.asc This patch was generated against the krb5-1.5 release, and may apply to earlier releases with some fuzz. The patch also updates some calls to other setuid-like system calls on less-common operating systems, though these calls are less likely to be vulnerable. Note that the original version of this patch contained an error in the patch to ksu which introduced a minor bug; this erroneous ksu patch may be identified by diff header "*** clients/ksu/main.c (revision 18419)" * For the krb5-1.4.3 release, apply the patch at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt A PGP-signed version of this patch is at http://web.mit.edu/kerberos/advisories/2006-001-patch_1.4.3.txt This patch was generated against the krb5-1.4.3 release, and may apply to earlier releases with some fuzz. The patch also updates some calls to other setuid-like system calls on less-common operating systems, though these calls are less likely to be vulnerable. Note that the original version of this patch contained an error in the patch to ksu which introduced a minor bug; this erroneous ksu patch may be identified by diff header "*** clients/ksu/main.c (revision 18419)" REFERENCES ========== This announcement and related security advisories may be found on the MIT Kerberos security advisory page at: http://web.mit.edu/kerberos/advisories/index.html The main MIT Kerberos web page is at: http://web.mit.edu/kerberos/index.html CVE: CVE-2006-3083 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083 CERT: VU#580124 http://www.kb.cert.org/vuls/id/580124 CVE: CVE-2006-3084 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084 CERT: VU#401660 http://www.kb.cert.org/vuls/id/401660 ACKNOWLEDGMENTS =============== Thanks to Michael Calmer and Marcus Meissner at SUSE for reporting this problem. Thanks to Shiva Persaud at IBM for information on AIX. Thanks to Sachin Punadikar for reporting the error in the ksu patch. DETAILS ======= Typically, setuid(), seteuid(), and similar system calls cannot fail except in cases of inadequate privilege or system misconfiguration. Unlike other operating systems, Linux and AIX system calls which change the real user ID can fail if the change would cause the target user ID to exceed its quota of allowed processes. A local attacker may be able to exhaust a process quota in a way which artificially creates such a failure condition. This may result in privilege escalation when a program making an unchecked call to one of these system calls expects to continue execution with reduced privilege following the affected call, but instead continues to run as a privileged user. Specific places where various system calls are not checked include: appl/bsd/krcp.c: setreuid (uncompiled code), setuid (irrelevant because not installed setuid) appl/bsd/krshd.c: setuid appl/bsd/krsh.c: setuid (irrelevant because not installed setuid) appl/bsd/v4rcp.c: setuid appl/gssftp/ftpd/ftpd.c: seteuid client/ksu/main.c: seteuid lib/krb4/kuserok.c: seteuid (but likely irrelevant) REVISION HISTORY ================ 2006-08-16 updated patch to correct ksu error 2006-08-08 original release Copyright (C) 2006 Massachusetts Institute of Technology -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (SunOS) iQCVAwUBROOaEKbDgE/zdoE9AQJJpwP/ZLA21YIZuGU9wuJeYiRM9QdvnMZE/+My xY1FeWPVx6puQ1Zkh12Vn30gQH8a6ZnFjunAlkx0TQjUM9iqtlA9PUwjwBYCywcm p6qdS91ESpgqsYoDZVDajqxDhvlWyEYfsT8vzfcep+BGG2iqIicdvz95n9HuwRKG rWIgVg83BLM= =jv57 -----END PGP SIGNATURE----- From tlyu at MIT.EDU Wed Aug 23 21:03:33 2006 From: tlyu at MIT.EDU (Tom Yu) Date: Wed, 23 Aug 2006 21:03:33 -0400 Subject: krb5-1.5.1 is released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.5.1. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.5.1 =================================== You may retrieve the Kerberos 5 Release 1.5.1 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.5.1 release is: http://web.mit.edu/kerberos/krb5-1.5/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ MAJOR CHANGES ============= The only significant change in krb5-1.5.1 is to fix the security vulnerabilities decribed in MITKRB5-SA-2006-001, which are local privilege escalation vulnerabilities in applications running on Linux and AIX. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (SunOS) iQCVAwUBROz66KbDgE/zdoE9AQJm0QP/VSciSlhcQWA3SOJtWcsIlqCYTuds2vvg oO5qxVf/mPocN/42cafsEXjxx2ngenihDAahl+KBQ/kvvoYiviasXpuOMnxK2Z/N j6ut4WhrJYyRxYS0C/KRZX7kdMXkJeGEquaN81glyMECU8HzfDWl03L1FhevRkj4 Zw7OTbCxDZw= =SX6p -----END PGP SIGNATURE----- From tlyu at MIT.EDU Wed Aug 23 21:03:37 2006 From: tlyu at MIT.EDU (Tom Yu) Date: Wed, 23 Aug 2006 21:03:37 -0400 Subject: krb5-1.4.4 is released Message-ID: -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The MIT Kerberos Team announces the availability of MIT Kerberos 5 Release 1.4.4. Please see below for a list of some major changes included, or consult the README file in the source tree for a more detailed list of significant changes. RETRIEVING KERBEROS 5 RELEASE 1.4.4 =================================== You may retrieve the Kerberos 5 Release 1.4.4 source from the following URL: http://web.mit.edu/kerberos/dist/ The homepage for the krb5-1.4.4 release is: http://web.mit.edu/kerberos/krb5-1.4/ Further information about Kerberos 5 may be found at the following URL: http://web.mit.edu/kerberos/ MAJOR CHANGES ============= The only significant change in krb5-1.4.4 is to fix the security vulnerabilities decribed in MITKRB5-SA-2006-001, which are local privilege escalation vulnerabilities in applications running on Linux and AIX. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.3 (SunOS) iD8DBQFE7PruSO8fWy4vZo4RAoqAAJwMAU2f2fq7uDTVW5xXs/KE3NfTYACgjdeB Wimg0fmIJpLq85ptubEz0yI= =9+NL -----END PGP SIGNATURE-----