-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 _______________________________________________________________________ Mandriva Linux Security Advisory MDVSA-2010:246 http://www.mandriva.com/security/ _______________________________________________________________________ Package : krb5 Date : November 30, 2010 Affected: 2010.1, Enterprise Server 5.0 _______________________________________________________________________ Problem Description: Multiple vulnerabilities were discovered and corrected in krb5: An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. Under some circumstances, this can negate the incremental security benefit of using a single-use authentication mechanism token. An unauthenticated remote attacker has a 1/256 chance of forging KRB-SAFE messages in an application protocol if the targeted pre-existing session uses an RC4 session key. Few application protocols use KRB-SAFE messages (CVE-2010-1323). An unauthenticated remote attacker can forge GSS tokens that are intended to be integrity-protected but unencrypted, if the targeted pre-existing application session uses a DES session key. An authenticated remote attacker can forge PACs if using a KDC that does not filter client-provided PAC data. This can result in privilege escalation against a service that relies on PAC contents to make authorization decisions. An unauthenticated remote attacker has a 1/256 chance of swapping a client-issued KrbFastReq into a different KDC-REQ, if the armor key is RC4. The consequences are believed to be minor (CVE-2010-1324). An authenticated remote attacker that controls a legitimate service principal has a 1/256 chance of forging the AD-SIGNEDPATH signature if the TGT key is RC4, allowing it to use self-generated evidence tickets for S4U2Proxy, instead of tickets obtained from the user or with S4U2Self. Configurations using RC4 for the TGT key are believed to be rare. An authenticated remote attacker has a 1/256 chance of forging AD-KDC-ISSUED signatures on authdata elements in tickets having an RC4 service key, resulting in privilege escalation against a service that relies on these signatures. There are no known uses of the KDC-ISSUED authdata container at this time (CVE-2010-4020. An authenticated remote attacker that controls a legitimate service principal could obtain a valid service ticket to itself containing valid KDC-generated authorization data for a client whose TGS-REQ it has intercepted. The attacker could then use this ticket for S4U2Proxy to impersonate the targeted client even if the client never authenticated to the subverted service. The vulnerable configuration is believed to be rare (CVE-2010-4021). The updated packages have been patched to correct this issue. _______________________________________________________________________ References: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1324 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4020 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4021 http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt _______________________________________________________________________ Updated Packages: Mandriva Linux 2010.1: 317a56866c53118e056d608da7816501 2010.1/i586/krb5-1.8.1-5.2mdv2010.1.i586.rpm 68e604c5a993bd22e070497c3715bfd8 2010.1/i586/krb5-pkinit-openssl-1.8.1-5.2mdv2010.1.i586.rpm 3a476ea497511ba4bfc0f9f43b70119f 2010.1/i586/krb5-server-1.8.1-5.2mdv2010.1.i586.rpm 157af42ca6878241e980f58bd88907ed 2010.1/i586/krb5-server-ldap-1.8.1-5.2mdv2010.1.i586.rpm 8d9eda88b29423366de6010987760e66 2010.1/i586/krb5-workstation-1.8.1-5.2mdv2010.1.i586.rpm 9939fd490b146b8e26daf85b04532e61 2010.1/i586/libkrb53-1.8.1-5.2mdv2010.1.i586.rpm 1970bef02c46809aef5ca1b44c8069c1 2010.1/i586/libkrb53-devel-1.8.1-5.2mdv2010.1.i586.rpm b0409a3b64885ed84ef9cc04968be3f7 2010.1/SRPMS/krb5-1.8.1-5.2mdv2010.1.src.rpm Mandriva Linux 2010.1/X86_64: 71db4c06e7e87c9faa0318ddc0562707 2010.1/x86_64/krb5-1.8.1-5.2mdv2010.1.x86_64.rpm 04cd23f2d43a498ccba0868195f23490 2010.1/x86_64/krb5-pkinit-openssl-1.8.1-5.2mdv2010.1.x86_64.rpm b66e2c6625cc69131e4d1b44d7c05534 2010.1/x86_64/krb5-server-1.8.1-5.2mdv2010.1.x86_64.rpm ceb54db5b54e163c548cd84249266192 2010.1/x86_64/krb5-server-ldap-1.8.1-5.2mdv2010.1.x86_64.rpm 1508414b03cf6b12f583249c4b0be6ee 2010.1/x86_64/krb5-workstation-1.8.1-5.2mdv2010.1.x86_64.rpm e75aa825ac83bddfc61a00dd7daf33fb 2010.1/x86_64/lib64krb53-1.8.1-5.2mdv2010.1.x86_64.rpm 83acc481c2ab4cdb18df2a1719e6a57a 2010.1/x86_64/lib64krb53-devel-1.8.1-5.2mdv2010.1.x86_64.rpm b0409a3b64885ed84ef9cc04968be3f7 2010.1/SRPMS/krb5-1.8.1-5.2mdv2010.1.src.rpm Mandriva Enterprise Server 5: cafa2595564ca56d375c34706d052cbd mes5/i586/krb5-1.8.1-0.3mdvmes5.1.i586.rpm 9e964b4e75ef29006b4d9c9c7d4b0580 mes5/i586/krb5-pkinit-openssl-1.8.1-0.3mdvmes5.1.i586.rpm c745399130544a19ae434c93a25e705d mes5/i586/krb5-server-1.8.1-0.3mdvmes5.1.i586.rpm b9f780014082d8779b2c70814cb61152 mes5/i586/krb5-server-ldap-1.8.1-0.3mdvmes5.1.i586.rpm 2da137c3dd3765452349d0514d0183f1 mes5/i586/krb5-workstation-1.8.1-0.3mdvmes5.1.i586.rpm 85c4e6711c347bd7b9562d951c951e94 mes5/i586/libkrb53-1.8.1-0.3mdvmes5.1.i586.rpm bdb842aaaffdad42969416f3e61bbce9 mes5/i586/libkrb53-devel-1.8.1-0.3mdvmes5.1.i586.rpm 3cc5cc2331d3ff2805850d14fcbccf35 mes5/SRPMS/krb5-1.8.1-0.3mdvmes5.1.src.rpm Mandriva Enterprise Server 5/X86_64: ffdd682d681783fddeada0cd0e605757 mes5/x86_64/krb5-1.8.1-0.3mdvmes5.1.x86_64.rpm e7b85d0d7387bd68303bc9364a711fef mes5/x86_64/krb5-pkinit-openssl-1.8.1-0.3mdvmes5.1.x86_64.rpm 7717e0e24d81862ae84ff03720ca5619 mes5/x86_64/krb5-server-1.8.1-0.3mdvmes5.1.x86_64.rpm a5043665e33fbbe7c2a9fd6bf05fe808 mes5/x86_64/krb5-server-ldap-1.8.1-0.3mdvmes5.1.x86_64.rpm f367fd174eeef3097e766e8183e81c68 mes5/x86_64/krb5-workstation-1.8.1-0.3mdvmes5.1.x86_64.rpm f6c823372133d690539facf101d8e224 mes5/x86_64/lib64krb53-1.8.1-0.3mdvmes5.1.x86_64.rpm 0640da1f402bdd872d8e40b8f4c62736 mes5/x86_64/lib64krb53-devel-1.8.1-0.3mdvmes5.1.x86_64.rpm 3cc5cc2331d3ff2805850d14fcbccf35 mes5/SRPMS/krb5-1.8.1-0.3mdvmes5.1.src.rpm _______________________________________________________________________ To upgrade automatically use MandrivaUpdate or urpmi. The verification of md5 checksums and GPG signatures is performed automatically for you. All packages are signed by Mandriva for security. You can obtain the GPG public key of the Mandriva Security Team by executing: gpg --recv-keys --keyserver pgp.mit.edu 0x22458A98 You can view other update advisories for Mandriva Linux at: http://www.mandriva.com/security/advisories If you want to report vulnerabilities, please contact security_(at)_mandriva.com _______________________________________________________________________ Type Bits/KeyID Date User ID pub 1024D/22458A98 2000-07-10 Mandriva Security Team -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (GNU/Linux) iD8DBQFM9YOomqjQ0CJFipgRAlPZAJsE6YTtQkLcCSJAD8RBAHAQ2/a0mQCfb+P6 TOZt1Ytga9P1D/l/hD5I1uA= =J5Ih -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/