---------- Forwarded Message ----------
Subject: [FreeBSD-Announce] FreeBSD Security Advisory
FreeBSD-SA-04:08.heimdal
Date: Thursday 06 May 2004 00:26
From: FreeBSD Security Advisories <[EMAIL PROTECTED]>
To: FreeBSD Security Advisories <[EMAIL PROTECTED]>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
=============================================================================
FreeBSD-SA-04:08.heimdal Security Advisory
The FreeBSD Project
Topic: heimdal cross-realm trust vulnerability
Category: core
Module: crypto_heimdal
Announced: 2004-05-05
Credits: Heimdal project
Affects: FreeBSD 4 with Kerberos 5 installed, and FreeBSD 5
Corrected: 2004-05-05 19:49:41 UTC (RELENG_4, 4.10-PRERELEASE)
2004-05-05 19:55:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p6)
2004-05-05 20:48:19 UTC (RELENG_4_10, 4.10-RELEASE-RC)
2004-05-05 20:01:06 UTC (RELENG_4_9, 4.9-RELEASE-p6)
2004-05-05 20:06:30 UTC (RELENG_4_8, 4.8-RELEASE-p19)
CVE Name: CAN-2004-0371
FreeBSD only: NO
For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
<URL:http://www.freebsd.org/security/>.
I. Background
Heimdal implements the Kerberos 5 network authentication protocols.
Principals (i.e. users and services) represented in Kerberos are
grouped into separate, autonomous realms. Unidirectional or
bidirectional trust relationships may be established between realms to
allow the principals in one realm to recognize the authenticity of
principals in another. These trust relationships may be transitive.
An authentication path is the ordered list of realms (and therefore
KDCs) that were involved in the authentication process. The
authentication path is recorded in Kerberos tickets as the `transited'
field.
It is possible for the Key Distribution Center (KDC) of a realm to
forge part or all of the `transited' field. KDCs should validate this
field before accepting authentication results, checking that each
realm in the authentication path is trusted and that the path conforms
to local policy. Applications are required to perform this type of
checking if the KDC has not already done so.
Prior to FreeBSD 5.1, Kerberos 5 was an optional component of FreeBSD,
and was not installed by default.
II. Problem Description
Some versions of Heimdal do not perform appropriate checking of the
`transited' field.
III. Impact
For sites that have established trust relationships with other realms,
it is possible for the administrator(s) of those other realms to
impersonate any Kerberos principal in any other realm.
IV. Workaround
Disable all inter-realm trust relationships. The Heimdal advisory
listed in the References section below provides details for checking
for trust relationships and disabling them.
V. Solution
Perform one of the following:
1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.
2) To patch your present system:
The following patches have been verified to apply to FreeBSD 4.8,
4.9, 5.1, and 5.2 systems.
a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.
[FreeBSD 4.8, 4.9, 5.1 with Heimdal 0.5.1]
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch #
fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch.asc
[FreeBSD 5.2 with Heimdal 0.6]
# fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch #
fetch
ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch.asc
b) Execute the following commands as root:
# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make
# cd /usr/src/kerberos5
# make obj && make depend && make && make install
Be sure to restart any running services that use Kerberos, such as
kdc(8) or sshd(8). Perhaps the simplest way to ensure all such
applications are restarted is to reboot the system.
VI. Correction details
The following list contains the revision numbers of each file that was
corrected in FreeBSD.
Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/crypto/heimdal/kdc/config.c 1.1.1.2.2.4
src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.5
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.4
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.5
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.5
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.3
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.3
RELENG_5_2
src/UPDATING 1.282.2.14
src/crypto/heimdal/kdc/config.c 1.1.1.7.2.1
src/crypto/heimdal/kdc/kdc.8 1.1.1.7.2.1
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.6.2.1
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.8.2.1
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.9.2.1
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.6.6.1
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.6.2.1
src/sys/conf/newvers.sh 1.56.2.13
RELENG_4_10
src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.8.1
src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.8.1
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.8.1
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.8.1
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.8.1
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.10.1
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.8.1
RELENG_4_9
src/UPDATING 1.73.2.89.2.7
src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.6.1
src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.6.1
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.6.1
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.6.1
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.6.1
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.8.1
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.6.1
src/sys/conf/newvers.sh 1.44.2.32.2.7
RELENG_4_8
src/UPDATING 1.73.2.80.2.22
src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.4.1
src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.4.1
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.4.1
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.4.1
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.4.1
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.6.1
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.4.1
src/sys/conf/newvers.sh 1.44.2.29.2.20
- -------------------------------------------------------------------------
VII. References
<URL:http://www.pdc.kth.se/heimdal/advisory/2004-04-01/>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)
iD8DBQFAmVTvFdaIBMps37IRAkhZAKCQZmbxNkicz82VEcPeDO/840uNxwCfQ/0U
NYT36OgpzsBI9Jc0cpDXTA4=
=i17O
-----END PGP SIGNATURE-----
_______________________________________________
[EMAIL PROTECTED] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-announce
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
-------------------------------------------------------
--
"Her development, her freedom, her independence, must come from and through
herself. First, by asserting herself as a personality, and not as a sex
commodity. Second, by refusing the right of anyone over her body; by
refusing to bear children, unless she wants them, by refusing to be a
servant to God, the State, society, the husband, the family, etc., by making
her life simpler, but deeper and richer. That is, by trying to learn the
meaning and substance of life in all its complexities; by freeing herself
from the fear of public opinion and public condemnation."
[Emma Goldman, Anarchism and Other Essays, p. 211]
Hoscakalin,
---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
Liste arsivi: http://lists.enderunix.org ve
http://www.mail-archive.com/[EMAIL PROTECTED]
http://ipucu.EnderUNIX.org - ihtiyac duyacaginiz kisa bilgiler bu sitede!
