Users login

Create an account »

JOIN XATRIX

Users login

Home » Security Advisories» FreeBSD » heimdal cross-realm trust vulnerability

heimdal cross-realm trust vulnerability

Some versions of Heimdal do not perform appropriate checking of the `transited' field.

  • Vendor: FreeBSD
  • Vendor ID: SA-04:08
  • Date: May 05, 2004


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

=====================================================================
FreeBSD-SA-04:08.heimdal Security Advisory
The FreeBSD Project

Topic: heimdal cross-realm trust vulnerability

Category: core
Module: crypto_heimdal
Announced: 2004-05-05
Credits: Heimdal project
Affects: FreeBSD 4 with Kerberos 5 installed, and FreeBSD 5
Corrected: 2004-05-05 19:49:41 UTC (RELENG_4, 4.10-PRERELEASE)
2004-05-05 19:55:46 UTC (RELENG_5_2, 5.2.1-RELEASE-p6)
2004-05-05 20:48:19 UTC (RELENG_4_10, 4.10-RELEASE-RC)
2004-05-05 20:01:06 UTC (RELENG_4_9, 4.9-RELEASE-p6)
2004-05-05 20:06:30 UTC (RELENG_4_8, 4.8-RELEASE-p19)
CVE Name: CAN-2004-0371
FreeBSD only: NO

For general information regarding FreeBSD Security Advisories,
including descriptions of the fields above, security branches, and the
following sections, please visit
.

I. Background

Heimdal implements the Kerberos 5 network authentication protocols.
Principals (i.e. users and services) represented in Kerberos are
grouped into separate, autonomous realms. Unidirectional or
bidirectional trust relationships may be established between realms to
allow the principals in one realm to recognize the authenticity of
principals in another. These trust relationships may be transitive.
An authentication path is the ordered list of realms (and therefore
KDCs) that were involved in the authentication process. The
authentication path is recorded in Kerberos tickets as the `transited'
field.

It is possible for the Key Distribution Center (KDC) of a realm to
forge part or all of the `transited' field. KDCs should validate this
field before accepting authentication results, checking that each
realm in the authentication path is trusted and that the path conforms
to local policy. Applications are required to perform this type of
checking if the KDC has not already done so.

Prior to FreeBSD 5.1, Kerberos 5 was an optional component of FreeBSD,
and was not installed by default.

II. Problem Description

Some versions of Heimdal do not perform appropriate checking of the
`transited' field.

III. Impact

For sites that have established trust relationships with other realms,
it is possible for the administrator(s) of those other realms to
impersonate any Kerberos principal in any other realm.

IV. Workaround

Disable all inter-realm trust relationships. The Heimdal advisory
listed in the References section below provides details for checking
for trust relationships and disabling them.

V. Solution

Perform one of the following:

1) Upgrade your vulnerable system to 4-STABLE; or to the RELENG_5_2,
RELENG_4_9, or RELENG_4_8 security branch dated after the correction
date.

2) To patch your present system:

The following patches have been verified to apply to FreeBSD 4.8,
4.9, 5.1, and 5.2 systems.

a) Download the relevant patch from the location below, and verify the
detached PGP signature using your PGP utility.

[FreeBSD 4.8, 4.9, 5.1 with Heimdal 0.5.1]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal51.patch.asc

[FreeBSD 5.2 with Heimdal 0.6]
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch
# fetch ftp://ftp.FreeBSD.org/pub/FreeBSD/CERT/patches/SA-04:08/heimdal6.patch.asc

b) Execute the following commands as root:

# cd /usr/src
# patch < /path/to/patch
# cd /usr/src/secure/lib/libcrypto
# make obj && make depend && make
# cd /usr/src/kerberos5
# make obj && make depend && make && make install

Be sure to restart any running services that use Kerberos, such as
kdc(8) or sshd(8). Perhaps the simplest way to ensure all such
applications are restarted is to reboot the system.

VI. Correction details

The following list contains the revision numbers of each file that was
corrected in FreeBSD.

Branch Revision
Path
- -------------------------------------------------------------------------
RELENG_4
src/crypto/heimdal/kdc/config.c 1.1.1.2.2.4
src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.5
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.4
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.5
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.5
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.3
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.3
RELENG_5_2
src/UPDATING 1.282.2.14
src/crypto/heimdal/kdc/config.c 1.1.1.7.2.1
src/crypto/heimdal/kdc/kdc.8 1.1.1.7.2.1
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.6.2.1
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.8.2.1
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.9.2.1
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.6.6.1
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.6.2.1
src/sys/conf/newvers.sh 1.56.2.13
RELENG_4_10
src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.8.1
src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.8.1
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.8.1
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.8.1
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.8.1
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.10.1
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.8.1
RELENG_4_9
src/UPDATING 1.73.2.89.2.7
src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.6.1
src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.6.1
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.6.1
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.6.1
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.6.1
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.8.1
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.6.1
src/sys/conf/newvers.sh 1.44.2.32.2.7
RELENG_4_8
src/UPDATING 1.73.2.80.2.22
src/crypto/heimdal/kdc/config.c 1.1.1.2.2.3.4.1
src/crypto/heimdal/kdc/kdc.8 1.1.1.2.2.4.4.1
src/crypto/heimdal/kdc/kdc_locl.h 1.1.1.2.2.3.4.1
src/crypto/heimdal/kdc/kerberos5.c 1.1.1.2.2.4.4.1
src/crypto/heimdal/lib/krb5/krb5-protos.h 1.1.1.3.2.4.4.1
src/crypto/heimdal/lib/krb5/rd_req.c 1.1.1.3.2.2.6.1
src/crypto/heimdal/lib/krb5/transited.c 1.1.1.3.2.2.4.1
src/sys/conf/newvers.sh 1.44.2.29.2.20
- -------------------------------------------------------------------------

VII. References


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (FreeBSD)

iD8DBQFAmVTvFdaIBMps37IRAkhZAKCQZmbxNkicz82VEcPeDO/840uNxwCfQ/0U
NYT36OgpzsBI9Jc0cpDXTA4=
=i17O
-----END PGP SIGNATURE-----

Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »