Subject: NetBSD Security Advisory 2002-026: Buffer overflow in kadmind daemon
To: None <tech-security@netbsd.org, current-users@netbsd.org>
From: NetBSD Security Officer <security-officer@netbsd.org>
List: current-users
Date: 10/21/2002 19:30:51
-----BEGIN PGP SIGNED MESSAGE-----
NetBSD Security Advisory 2002-026
=================================
Topic: Buffer overflow in kadmind daemon
Version: NetBSD-current: source prior to October 21 2002
NetBSD-1.6: affected
NetBSD-1.5.3: affected
NetBSD-1.5.2: affected
NetBSD-1.5.1: affected
NetBSD-1.5: affected
NetBSD-1.4.*: not affected
Severity: remote buffer overflow, resulting in root exploit
Fixed: NetBSD-current: October 22, 2002
NetBSD-1.6 branch: October 22, 2002
NetBSD-1.5 branch: October 22, 2002
Abstract
========
Kadmind is the server for administrative access to kerberos database,
and comes from the Heimdal Kerberos implementation used by NetBSD. In
Heimdal releases earlier than 0.5.1 kadmind has a buffer overflow in
the kerberos version 4 compatibility code.
The kadmind daemon has never been enabled by default in NetBSD;
enabling it would require a change in /etc/inetd.conf.
Technical Details
=================
All versions prior to Heimdal 0.5.1 and 0.4enb1 are vulnerable. NetBSD
1.5, 1.6, and -current (prior to October 21, 2002) ship with a vulnerable
version.
The problem is a buffer overflow in the kerberos version 4 compatibility layer
of kadmind.
See also: http://www.pdc.kth.se/heimdal/
Solutions and Workarounds
=========================
For most users this is not a vital service and is likely not enabled.
The only user of kadmin should be the kdc in a kerberos
realm. Since the security of the kerberos server very important,
kadmind must be disabled until upgraded.
* NetBSD all releases:
Check that you don't have kadmind in your /etc/inetd.conf.
# grep kadmind /etc/inetd.conf
If kadmind is enabled, disable it by commenting out its entry and
reloading inetd:
# /etc/rc.d/inetd reload
Check that kadmind is not running as a service
# ps axlwww | grep kadmind
If kadmind is running, kill it:
# kill <process id of kadmind>
* NetBSD-current:
Systems running NetBSD-current dated from before 2002-Oct-22 should
be upgraded to NetBSD-current dated 2002-Oct-22 or later. The fix
is included in crypto/dist/heimdal/kadmin/version4.c, revision 1.2.
The following directory needs to be updated from the netbsd-current
CVS branch (aka HEAD):
crypto/dist/heimdal/kadmin
To update from CVS, re-build, and re-install kadmind(8):
# cd src
# cvs update -d -P crypto/dist/heimdal
# cd libexec/kadmind
# make cleandir dependall
# make install
* NetBSD 1.6:
The following directory needs to be updated from the
netbsd-1-6 CVS branch:
crypto/dist/heimdal/kadmin
To update from CVS, re-build, and re-install kadmind(8):
# cd src
# cvs update -d -P -r netbsd-1-6 crypto/dist/heimdal/kadmin
# cd libexec/kadmind
# make cleandir dependall
# make install
* NetBSD 1.5:
The following directory needs to be updated from the
netbsd-1-5 CVS branch:
crypto/dist/heimdal/kadmin
To update from CVS, re-build, and re-install kadmind(8):
# cd src
# cvs update -d -P -r netbsd-1-5 crypto/dist/heimdal/kadmin
# cd libexec/kadmind
# make cleandir dependall
# make install
Thanks To
=========
Love Hoernquist-Astrand for the patch and notification and Johan Danielsson
for testing.
Revision History
================
2002-Oct-21 Initial release
More Information
================
Advisories may be updated as new information comes to hand. The most
recent version of this advisory (PGP signed) can be found at
ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc
Information about NetBSD and NetBSD security can be found at
http://www.NetBSD.ORG/ and http://www.NetBSD.ORG/Security/.
Copyright 2002, The NetBSD Foundation, Inc. All Rights Reserved.
$NetBSD: NetBSD-SA2002-026.txt,v 1.9 2002/10/21 20:34:06 groo Exp $
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (NetBSD)
Comment: For info see http://www.gnupg.org
iQCVAwUBPbRlij5Ru2/4N2IFAQGcgwQAn2bBxCdA6L0KhD5Pq0DzylaH8V5wHsq+
iguSkTTaj8cfIR/7Nz8LHUx16Sn9BzYM/YbGkHhp0NjasjIXxlL1ulriTly6Ynf1
SOLNqfHP4IlOITGvIYbFBV0EsIgQiRA4uW5jaQT15YJ/gWi8874wioHNWNRCuTm+
rmkN3qBFP04=
=2on8
-----END PGP SIGNATURE-----