Users login

Create an account »

JOIN XATRIX

Users login

Home » Hacking News » OpenAFS 2003-001: cryptographic weakness in Kerberos v4

OpenAFS 2003-001: cryptographic weakness in Kerberos v4

by Nikola Strahija on April 2nd, 2003 A cryptographic weakness has been found in OpenAFS kaserver, since it implements version 4 of the Kerberos protocol. This vulnerability allows remote attackers to impersonate any principal in the local realm.


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

OpenAFS Security Advisory 2003-001

Topic: Cryptographic weakness in Kerberos v4

Issued: 25-Mar-2003
Last Update: 25-Mar-2003
Affected: OpenAFS 1.0 - 1.2.8, OpenAFS 1.3.0 - 1.3.2

A cryptographic weakness in version 4 of the Kerberos protocol,
implemented by the OpenAFS kaserver, allows an attacker to impersonate any
user in the cell. This vulnerability can be exploited if the attacker has
a shared cross-realm key with the given cell, or can create arbitrary
principal names in kaserver. If you are running a Kerberos implementation
other than kaserver, please refer to the FIXES section below, and the MIT
krb5 advisory:

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt

SUMMARY
=======

A cryptographic weakness in version 4 of the Kerberos protocol allows an
attacker to use a chosen-plaintext attack to impersonate any principal in
a realm. OpenAFS kaserver implements version 4 of the Kerberos protocol,
and therefore is vulnerable. An attacker that knows a shared cross-realm
key between any remote realm and the local realm can impersonate any
principal in the local realm to AFS database servers and file servers in
the local cell, and other services in the local realm. An attacker that
can create arbitrary principal names in a realm can also impersonate any
principal in that realm.

If your realm has no shared keys, and does not allow users to create
arbitrary principal names, you are not exposed to this vulnerability.

There are no known publicly-available exploits for this vulnerability at
this time.

IMPACT
======

* An attacker controlling a shared cross-realm key with a remote kaserver
realm can impersonate any principal in the remote realm to any service
in the remote realm. This can lead to root-level compromise of
database servers and file servers, and any other machines that rely on
authentication provided by kaserver (if it is used as a Kerberos v4
KDC).

* This attack may be performed against cross-realm principals, thus
allowing an attacker to hop realms and compromise any realm that
transitively shares a cross-realm key with the attacker's local realm.

* Related, but more difficult attacks may be possible without requiring
the control of a shared cross-realm key. At the very least, an attacker
capable of creating arbitrary principal names in the target realm may be
able to perform the attack.

AFFECTED SOFTWARE
=================

All releases of OpenAFS 1.0.x and 1.1.x.
All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.8.
All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2.

FIXES
=====

The OpenAFS project recomments that all users of kaserver disable all
cross-realm authentication, by either deleting cross-realm keys (using
"kas delete"; simply disabling the keys is insufficient), upgrading to
OpenAFS 1.2.9 when it becomes available (where kaserver cross-realm
authentication is disabled by default), or applying this kaserver patch,
which disables cross-realm authentication in kaserver by default:

http://www.openafs.org/security/kaserver-disable-krb4-crossrealm-20030317.delta

The associated detached PGP signature is at:

http://www.openafs.org/security/kaserver-disable-krb4-crossrealm-20030317.delta.asc

It was generated against OpenAFS 1.2.8, but should apply to earlier
releases, possibly with some offset.

No update is presently available for the OpenAFS-unstable series.

Sites that require the use of cross-realm authentication must use native
Kerberos v5 AFS authentication, available in OpenAFS 1.2.8 and above.
Native Kerberos v5 AFS authentication is not vulnerable to the problem
described in this advisory. Sites currently using kaserver are encouraged
to upgrade to Kerberos version 5; instructions for upgrading to MIT krb5
or Heimdal are available in the REFERENCES section. If upgrading to MIT
krb5, you must be running MIT krb5 version 1.2.6 or later to use AFS krb5
(rxkad proposal 2b) authentication.

This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:

http://www.openafs.org/security/

The main OpenAFS web page is at:

http://www.openafs.org/

ACKNOWLEDGEMENTS
================

Thanks to the MIT krb5 team for the discovery of this vulnerability, and
the MITKRB5-SA-2003-004 advisory, which was used in writing this OpenAFS
advisory.

REFERENCES
==========

* MIT krb5 Security Advisory 2003-004
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt

* rxkad proposal 2b
/afs/grand.central.org/doc/protocol/rx/rxkad-2b.txt
http://grand.central.org/dl/doc/protocol/rx/rxkad-2b.html

* Instructions for upgrading from kaserver to Heimdal
http://www.dementia.org/~shadow/ka2heim.txt

* Kerberos v5 migration kit (upgrading from kaserver to MIT krb5)
/afs/grand.central.org/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz
http://grand.central.org/dl/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz
ftp://grand.central.org/pub/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)

iD8DBQE+gBXOlrhgrDZcUhURAnSmAJ0cigY3PdDe1eZmxM6x8hdY9JrFggCdGkYz
j2RrlAOr7KRS8SPA38mozXM=
=fg22
-----END PGP SIGNATURE-----


Newsletter signup

Signup to our monthly newsletter and stay in touch with IT news!

Free E-books

We've got ebooks! But they're not online. :( Please give us a few days to bring downloads back.

Contact

Have something to say or just wanna drop us a line? Please keep this in mind: to spam, we reply with spam.

Contact us »