Buffer Overflow in Kerberos Administration Daemon
Last revised: February 25, 2003
A complete revision history is at the end of this file.
- MIT Kerberos version 4 and version 5 up to and including krb5-1.2.6
- KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version 0.5.1
- Other Kerberos implementations derived from vulnerable MIT or KTH code
Multiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.
The CERT/CC has received reports that indicate that this vulnerability is being exploited. In addition, MIT advisory MITKRB5-SA-2002-002 notes that an exploit is circulating.
We strongly encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.
Kerberos is a widely used network protocol that uses strong cryptography to authenticate clients and servers. The Kerberos administration daemon (typically called kadmind) handles password change and other requests to modify the Kerberos database. The daemon runs on the master Key Distribution Center (KDC) server of a Kerberos realm.
The code that provides legacy support for the Kerberos 4 administration protocol contains a remotely exploitable buffer overflow. The vulnerable code does not adequately validate data read from a network request before passing it to a memcpy() call; because the amount copied is dictated by the request rather than bounded by the size of the destination, the copy can overflow a buffer allocated on the stack. No authentication is required to reach the vulnerable code, and the Kerberos administration daemon runs with root privileges, so a successful exploit yields root on the KDC.
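To make the bug class concrete, the following is an added example, not code from kadmind or from any Kerberos distribution, and not the real Kerberos 4 administration wire format. The one-byte length prefix, the FIELD_MAX size, the sample requests and the function names are all constructed for illustration. It places a parser with the shape the advisory describes, a request-supplied count fed to memcpy() into a fixed-size stack buffer, beside a hardened version that bounds the count by both the bytes actually received and the size of the destination:

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example only: one length byte followed
 * by that many bytes of a field. Not the Kerberos 4 admin protocol. */
#define FIELD_MAX 16

/* VULNERABLE: the copy length comes straight from the request. A request
 * whose first byte is 200 copies 200 bytes into a 16-byte stack buffer,
 * overwriting whatever lies above it (saved registers, return address).
 * It also reads past the end of a short request. Shown to be read; only
 * ever call it with well-formed input. */
int parse_field_vulnerable(const uint8_t *req, size_t req_len)
{
    char field[FIELD_MAX];
    size_t n;

    if (req_len < 1)
        return -1;
    n = req[0];                 /* attacker-controlled */
    memcpy(field, req + 1, n);  /* never compared with sizeof field */
    field[n] = '\0';            /* also out of bounds once n >= FIELD_MAX */
    return (int)strlen(field);
}

/* HARDENED: the request may only describe bytes it actually carries, and
 * they must fit in the caller's buffer with room for a terminator. Returns
 * the field length on success, a negative code on rejection. */
int parse_field_safe(const uint8_t *req, size_t req_len,
                     char *out, size_t out_len)
{
    size_t n;

    if (req_len < 1 || out_len == 0)
        return -1;              /* nothing to parse, or nowhere to put it */
    n = req[0];
    if (n > req_len - 1)
        return -2;              /* length claims bytes the request lacks */
    if (n >= out_len)
        return -3;              /* would not fit: reject, do not truncate */
    memcpy(out, req + 1, n);
    out[n] = '\0';
    return (int)n;
}

/* Constructed sample requests. */
static const uint8_t kReqGood[]      = { 5, 'a', 'd', 'm', 'i', 'n' };
static const uint8_t kReqTruncated[] = { 5, 'a', 'b' };  /* says 5, carries 2 */

/* Each helper runs one case through the hardened parser and returns its
 * result code so the outcome can be checked programmatically. */
int safe_good(void)
{
    char out[FIELD_MAX];
    int n = parse_field_safe(kReqGood, sizeof kReqGood, out, sizeof out);
    /* exactly the carried field, NUL-terminated, nothing more */
    return (n == 5 && strcmp(out, "admin") == 0) ? n : -99;
}

int safe_truncated(void)
{
    char out[FIELD_MAX];
    return parse_field_safe(kReqTruncated, sizeof kReqTruncated,
                            out, sizeof out);
}

/* The malicious shape: length byte 200 followed by 200 filler bytes. */
int safe_oversize(void)
{
    uint8_t req[1 + 200];
    char out[FIELD_MAX];
    memset(req, 'A', sizeof req);
    req[0] = 200;
    return parse_field_safe(req, sizeof req, out, sizeof out);
}

int main(void)
{
    printf("vulnerable parser, benign request: %d\n",
           parse_field_vulnerable(kReqGood, sizeof kReqGood));
    printf("hardened, benign:    %d\n", safe_good());       /* 5  */
    printf("hardened, truncated: %d\n", safe_truncated());  /* -2 */
    printf("hardened, oversize:  %d\n", safe_oversize());   /* -3 */
    return 0;
}
```

Feeding the oversize request to parse_field_vulnerable() instead would write 184 bytes past the end of field; in a daemon running as root and reachable without authentication, that is the whole of the exposure described above. The hardened version rejects rather than truncates, since a silently shortened administrative request is itself a bug.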
Both Massachusetts Institute of Technology (MIT) and Kungl Tekniska Högskolan (KTH) Kerberos are affected, as well as operating systems, applications, and other Kerberos implementations that use vulnerable code derived from either the MIT or KTH distributions. In MIT Kerberos 5, the Kerberos 4 administration daemon is implemented in kadmind4. In KTH Kerberos 4 (eBones), the Kerberos administration daemon is implemented in kadmind. KTH Kerberos 5 (Heimdal) also implements the daemon in kadmind; however, the Heimdal daemon is only affected if compiled with Kerberos 4 support. Since the vulnerable Kerberos administration daemon is included in the MIT Kerberos 5 and KTH Heimdal distributions, both Kerberos 4 sites and Kerberos 5 sites that enable support for the Kerberos 4 administration protocol are affected.
Further information about this vulnerability may be found in VU#875073.
MIT has released an advisory that contains information about this vulnerability:
The KTH eBones and Heimdal web sites also contain information about this vulnerability:
In addition to resolving the vulnerability described in VU#875073, version 0.5.1 of KTH Heimdal contains other fixes related to the KDC and administration servers. See the ChangeLog for more information:
An unauthenticated, remote attacker could execute arbitrary code with root privileges. If an attacker is able to gain control of a master KDC, the integrity of the entire Kerberos realm is compromised, including user and host identities and other systems that accept Kerberos authentication.
Apply a patch or upgrade
Disable vulnerable service
Disable support for the Kerberos 4 administration protocol if it is not needed. In MIT Kerberos 5, this can be achieved by disabling kadmind4. For information about disabling all Kerberos 4 support in MIT Kerberos 5 at compile time, see
Block or restrict access
Block access to the Kerberos administration service from untrusted networks such as the Internet. Furthermore, only allow access to the service from trusted administrative hosts. By default, the Kerberos 4 administration daemon listens on 751/tcp and 751/udp, and the Kerberos 5 administration daemon listens on 749/tcp and 749/udp. It may be necessary to block access to the Kerberos 5 administration service if the daemon also supports the Kerberos 4 administration protocol. This workaround will prevent administrative connections and password change requests from blocked networks. Note that this workaround will not prevent exploitation, but it will limit the possible sources of attacks.
Appendix A. Vendor Information
This appendix contains information provided by vendors. When vendors report new information, this section is updated and the changes are noted in the revision history. If a vendor is not listed below, we have not received their comments.
The Kerberos Administration Daemon was included in Mac OS X 10.0, but removed in Mac OS X 10.1 and later.
We encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.
Our MIT Kerberos 5 packages in Conectiva Linux 8 do contain the vulnerable kadmind4 daemon, but it is not used by default nor is it installed as a service.
Updated packages are being uploaded to our ftp server and should be available in a few hours at: CLSA-2002:534 (English)
Cray, Inc. is not vulnerable as the Kerberos administration daemon is not included in any of our operating systems.
Please see the Debian vendor record in VU#875073.
Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons were vulnerable and have been corrected as of 23 October 2002. In addition, the heimdal and krb5 ports contained the same vulnerability and have been corrected as of 24 October 2002. A Security Advisory is in progress. [FreeBSD-SA-02:40.kadmind]
Source: Hewlett-Packard Company Software Security Response Team
RE: CERT VU#875073 CA-2002-29
cross reference id: SSRT2396
HP's implementations for the following Operating Systems Software are not affected by this potential buffer overflow vulnerability in the kadmind4 daemon:
HP-UX
HP Tru64 UNIX
HP NonStop Servers
To report potential security vulnerabilities in HP software, send an E-mail message to: firstname.lastname@example.org
The IBM pSeries Parallel Systems Support Programs (PSSP) implementation of Kerberos V4 (shipped with PSSP) is potentially vulnerable to the Kerberos V4 administration daemon buffer overflow described in CA-2002-29. For more information, see:
The IBM Network Authentication Service (NAS) product is not vulnerable to the buffer overflow vulnerability in the kadmind4 daemon. NAS is currently at release 1.3 and is available from the AIX Expansion Pack. The kadmind4 daemon is not part of the NAS product.
The eBones and Heimdal web sites have information about this vulnerability:
KTH eBones
Microsoft's implementation of Kerberos is not affected by this vulnerability.
MIT has released MIT krb5 Security Advisory 2002-002 that includes a patch and a description of an attack signature: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt
NetBSD has released NetBSD-SA2002-026:
OpenBSD has released Security Fix 016 for OpenBSD 3.1 and Security Fix 033 for OpenBSD 3.0.
OpenBSD 3.1
Openwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.
Releases of Red Hat Linux version 6.2 and higher include versions of MIT Kerberos that are vulnerable to this issue; however the vulnerable administration server, kadmind4, has never been enabled by default. We are currently working on producing errata packages. When complete these will be available along with our advisory at the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.
The Sun Enterprise Authentication Mechanism (SEAM), Sun's implementation of the Kerberos v5 protocols, is not affected by this issue. SEAM does not include support for the Kerberos v4 protocols and kadmind4 does not exist. Additional information regarding SEAM is available from:
SuSE Linux 7.2 and later are shipped with Heimdal Kerberos included, but Kerberos 4 support is disabled in all releases. Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by this bug.
No version of BSD/OS is vulnerable to this problem.
A response to this advisory is available from our web site:
Appendix B. References
Authors: Art Manion and Jason A. Rafail.
Copyright 2002 Carnegie Mellon University.
October 25, 2002: Initial release
October 25, 2002: Removed incorrect references to Debian advisory DSA-178 and SuSE advisory SuSE-SA:2002:034, added link to Heimdal 0.4e patch, added link to Debian vendor record in VU#875073
October 26, 2002: Added IBM and Red Hat vendor statements
October 28, 2002: Added link to MIT attack signature, updated MIT vendor statement, added statement thanking MIT and KTH
October 29, 2002: Added Sun vendor statement, corrected kth-krb links
October 30, 2002: Updated IBM vendor statement
November 6, 2002: Updated Conectiva statement
November 15, 2002: Added HP and Cray statements, updated FreeBSD statement, changed wording about other Heimdal 0.5.1 fixes
February 13, 2003: Added Xerox statement
February 25, 2003: Updated Xerox statement