Mandriva Linux Security Advisory 2010-246 - Multiple vulnerabilities were discovered and corrected in krb5. An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. An unauthenticated remote attacker has a 1/256 chance of forging KRB-SAFE messages in an application protocol if the targeted pre-existing session uses an RC4 session key. An unauthenticated remote attacker can forge GSS tokens that are intended to be integrity-protected but unencrypted, if the targeted pre-existing application session uses a DES session key. Various other issues have also been addressed. The updated packages have been patched to correct these issues.
100c7557ed59ca637d4f6b0069c888d50046989349e8acc0e9bed9cabffe8976
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
_______________________________________________________________________
Mandriva Linux Security Advisory MDVSA-2010:246
http://www.mandriva.com/security/
_______________________________________________________________________
Package : krb5
Date : November 30, 2010
Affected: 2010.1, Enterprise Server 5.0
_______________________________________________________________________
Problem Description:
Multiple vulnerabilities were discovered and corrected in krb5:
An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token. An unauthenticated remote attacker has a 1/256
chance of forging KRB-SAFE messages in an application protocol if the
targeted pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages (CVE-2010-1323).
An unauthenticated remote attacker can forge GSS tokens that
are intended to be integrity-protected but unencrypted, if the
targeted pre-existing application session uses a DES session key. An
authenticated remote attacker can forge PACs if using a KDC that does
not filter client-provided PAC data. This can result in privilege
escalation against a service that relies on PAC contents to make
authorization decisions. An unauthenticated remote attacker has a 1/256
chance of swapping a client-issued KrbFastReq into a different KDC-REQ,
if the armor key is RC4. The consequences are believed to be minor
(CVE-2010-1324).
An authenticated remote attacker that controls a legitimate service
principal has a 1/256 chance of forging the AD-SIGNEDPATH signature
if the TGT key is RC4, allowing it to use self-generated evidence
tickets for S4U2Proxy, instead of tickets obtained from the user or
with S4U2Self. Configurations using RC4 for the TGT key are believed
to be rare. An authenticated remote attacker has a 1/256 chance of
forging AD-KDC-ISSUED signatures on authdata elements in tickets
having an RC4 service key, resulting in privilege escalation against
a service that relies on these signatures. There are no known uses
of the KDC-ISSUED authdata container at this time (CVE-2010-4020.
An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ
it has intercepted. The attacker could then use this ticket for
S4U2Proxy to impersonate the targeted client even if the client never
authenticated to the subverted service. The vulnerable configuration
is believed to be rare (CVE-2010-4021).
The updated packages have been patched to correct this issue.
_______________________________________________________________________
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4021
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
_______________________________________________________________________
Updated Packages:
Mandriva Linux 2010.1:
317a56866c53118e056d608da7816501 2010.1/i586/krb5-1.8.1-5.2mdv2010.1.i586.rpm
68e604c5a993bd22e070497c3715bfd8 2010.1/i586/krb5-pkinit-openssl-1.8.1-5.2mdv2010.1.i586.rpm
3a476ea497511ba4bfc0f9f43b70119f 2010.1/i586/krb5-server-1.8.1-5.2mdv2010.1.i586.rpm
157af42ca6878241e980f58bd88907ed 2010.1/i586/krb5-server-ldap-1.8.1-5.2mdv2010.1.i586.rpm
8d9eda88b29423366de6010987760e66 2010.1/i586/krb5-workstation-1.8.1-5.2mdv2010.1.i586.rpm
9939fd490b146b8e26daf85b04532e61 2010.1/i586/libkrb53-1.8.1-5.2mdv2010.1.i586.rpm
1970bef02c46809aef5ca1b44c8069c1 2010.1/i586/libkrb53-devel-1.8.1-5.2mdv2010.1.i586.rpm
b0409a3b64885ed84ef9cc04968be3f7 2010.1/SRPMS/krb5-1.8.1-5.2mdv2010.1.src.rpm
Mandriva Linux 2010.1/X86_64:
71db4c06e7e87c9faa0318ddc0562707 2010.1/x86_64/krb5-1.8.1-5.2mdv2010.1.x86_64.rpm
04cd23f2d43a498ccba0868195f23490 2010.1/x86_64/krb5-pkinit-openssl-1.8.1-5.2mdv2010.1.x86_64.rpm
b66e2c6625cc69131e4d1b44d7c05534 2010.1/x86_64/krb5-server-1.8.1-5.2mdv2010.1.x86_64.rpm
ceb54db5b54e163c548cd84249266192 2010.1/x86_64/krb5-server-ldap-1.8.1-5.2mdv2010.1.x86_64.rpm
1508414b03cf6b12f583249c4b0be6ee 2010.1/x86_64/krb5-workstation-1.8.1-5.2mdv2010.1.x86_64.rpm
e75aa825ac83bddfc61a00dd7daf33fb 2010.1/x86_64/lib64krb53-1.8.1-5.2mdv2010.1.x86_64.rpm
83acc481c2ab4cdb18df2a1719e6a57a 2010.1/x86_64/lib64krb53-devel-1.8.1-5.2mdv2010.1.x86_64.rpm
b0409a3b64885ed84ef9cc04968be3f7 2010.1/SRPMS/krb5-1.8.1-5.2mdv2010.1.src.rpm
Mandriva Enterprise Server 5:
cafa2595564ca56d375c34706d052cbd mes5/i586/krb5-1.8.1-0.3mdvmes5.1.i586.rpm
9e964b4e75ef29006b4d9c9c7d4b0580 mes5/i586/krb5-pkinit-openssl-1.8.1-0.3mdvmes5.1.i586.rpm
c745399130544a19ae434c93a25e705d mes5/i586/krb5-server-1.8.1-0.3mdvmes5.1.i586.rpm
b9f780014082d8779b2c70814cb61152 mes5/i586/krb5-server-ldap-1.8.1-0.3mdvmes5.1.i586.rpm
2da137c3dd3765452349d0514d0183f1 mes5/i586/krb5-workstation-1.8.1-0.3mdvmes5.1.i586.rpm
85c4e6711c347bd7b9562d951c951e94 mes5/i586/libkrb53-1.8.1-0.3mdvmes5.1.i586.rpm
bdb842aaaffdad42969416f3e61bbce9 mes5/i586/libkrb53-devel-1.8.1-0.3mdvmes5.1.i586.rpm
3cc5cc2331d3ff2805850d14fcbccf35 mes5/SRPMS/krb5-1.8.1-0.3mdvmes5.1.src.rpm
Mandriva Enterprise Server 5/X86_64:
ffdd682d681783fddeada0cd0e605757 mes5/x86_64/krb5-1.8.1-0.3mdvmes5.1.x86_64.rpm
e7b85d0d7387bd68303bc9364a711fef mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.3mdvmes5.1.x86_64.rpm
7717e0e24d81862ae84ff03720ca5619 mes5/x86_64/krb5-server-1.8.1-0.3mdvmes5.1.x86_64.rpm
a5043665e33fbbe7c2a9fd6bf05fe808 mes5/x86_64/krb5-server-ldap-1.8.1-0.3mdvmes5.1.x86_64.rpm
f367fd174eeef3097e766e8183e81c68 mes5/x86_64/krb5-workstation-1.8.1-0.3mdvmes5.1.x86_64.rpm
f6c823372133d690539facf101d8e224 mes5/x86_64/lib64krb53-1.8.1-0.3mdvmes5.1.x86_64.rpm
0640da1f402bdd872d8e40b8f4c62736 mes5/x86_64/lib64krb53-devel-1.8.1-0.3mdvmes5.1.x86_64.rpm
3cc5cc2331d3ff2805850d14fcbccf35 mes5/SRPMS/krb5-1.8.1-0.3mdvmes5.1.src.rpm
_______________________________________________________________________
To upgrade automatically use MandrivaUpdate or urpmi. The verification
of md5 checksums and GPG signatures is performed automatically for you.
All packages are signed by Mandriva for security. You can obtain the
GPG public key of the Mandriva Security Team by executing:
gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98
You can view other update advisories for Mandriva Linux at:
http://www.mandriva.com/security/advisories
If you want to report vulnerabilities, please contact
security_(at)_mandriva.com
_______________________________________________________________________
Type Bits/KeyID Date User ID
pub 1024D/22458A98 2000-07-10 Mandriva Security Team
<security*mandriva.com>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
iD8DBQFM9YOomqjQ0CJFipgRAlPZAJsE6YTtQkLcCSJAD8RBAHAQ2/a0mQCfb+P6
TOZt1Ytga9P1D/l/hD5I1uA=
=J5Ih
-----END PGP SIGNATURE-----