Kerberos /tmp file race condition
kerberos4-tmpfile-dos (5754)
Description:
KTH Kerberos is vulnerable to a /tmp race condition. Kerberos is a network authentication service used over insecure networks. The ticket-creation process writes temporary files to the /tmp directory with predictable file names. By creating a symbolic link with a name that Kerberos would use, an attacker can overwrite another file on the system as root. An attacker could use this vulnerability to overwrite a critical system file and cause a denial of service.
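The file-creation pattern that defeats this class of symlink race, as an added example (it is not code from KTH Kerberos, MIT Kerberos or any vendor patch). The function names, the `tkt_demo` file name and the scratch directory are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Create a new ticket file without following or reusing anything that
 * already exists at `path`. Returns an fd, or -1 on refusal/failure. */
int create_ticket_file(const char *path)
{
    /* O_CREAT|O_EXCL is atomic and fails if any name, including a
     * symlink, is already there; O_NOFOLLOW is defence in depth. */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    /* Check the object actually opened, not the name. */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_uid != geteuid() || st.st_nlink != 1) {
        close(fd);
        return -1;
    }
    return fd;
}

/* Constructed self-check in a private mkdtemp() directory: a symlink at the
 * ticket name points at a stand-in "victim" file. Returns 1 if creation is
 * refused, the victim is unchanged, and a clean name then works; -1 on setup error. */
int demo_symlink_refused(void)
{
    char dir[] = "/tmp/tktdemoXXXXXX", victim[64], tkt[64];
    struct stat st;
    if (!mkdtemp(dir)) return -1;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(tkt, sizeof tkt, "%s/tkt_demo", dir);
    int v = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (v < 0 || write(v, "keep", 4) != 4 || close(v) != 0) return -1;
    if (symlink(victim, tkt) != 0) return -1;
    int fd = create_ticket_file(tkt);      /* name is pre-planted */
    int refused = (fd < 0);
    if (fd >= 0) close(fd);
    int intact = (stat(victim, &st) == 0 && st.st_size == 4);
    unlink(tkt);
    fd = create_ticket_file(tkt);          /* clean name: must succeed */
    int created = (fd >= 0);
    if (fd >= 0) close(fd);
    unlink(tkt); unlink(victim); rmdir(dir);
    return refused && intact && created;
}
```

A privileged process that must write under /tmp should treat a refused creation as an error and stop, rather than removing the existing name and retrying.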
Consequences:
Denial of Service
Remedy:
Upgrade to the latest version of KTH Kerberos 4 (1.0.4 or later), available from the KTH Kerberos Web site. See References.
For MIT Kerberos 5 prior to version krb5-1.2.2-beta1 and MIT Kerberos 4 patch 10 and earlier:
Upgrade to the latest version of MIT Kerberos (krb5-1.2.2 or later), as listed in Kerberos Security Advisory 2001-03-07. See References.
For NetBSD 1.5:
Apply the 20001220-krb patch, as listed in NetBSD Security Advisory 2000-017. See References.
— OR —
Upgrade to the latest version of NetBSD-current since 20001209, as listed in NetBSD Security Advisory 2000-017. See References.
For OpenBSD:
Apply the patch, as listed in OpenBSD Security Advisory, December 7th, 2000. See References.
For FreeBSD:
Apply the appropriate patch for your system, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:25. See References.
For Red Hat Linux 6.2:
Upgrade to the latest version of krb5 (1.1.1-26 or later), as listed in RHSA-2001:025-14. See References.
For Red Hat Linux 7.0:
Upgrade to the latest version of krb5 (1.2.2-3 or later) and pam_krb5 (1.29-1 or later), as listed in RHSA-2001:025-14. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
References:
- BugTraq Mailing List, Fri Dec 08 2000 - 09:36:27 CST: Vulnerabilities in KTH Kerberos IV.
- CIAC Information Bulletin L-057: Kerberos /tmp Root Vulnerability.
- FreeBSD Security Advisory FreeBSD-SA-01:25: Local and remote vulnerabilities in Kerberos IV.
- Kerberos Security Advisory 2001-03-07: Unsafe temporary file handling in krb4.
- KTH Kerberos Web site: Kerberos page.
- NetBSD Security Advisory 2000-017: Exploitable bugs in kerberised telnetd and libkrb.
- OpenBSD Security Advisory, December 7, 2000: Two problems have recently been discovered in the KerberosIV code.
- OpenBSD Source Code Patch: Source Code Patch for Kerberos.
- BID-2093: Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability
- CVE-2001-0036: KTH Kerberos IV allows local users to overwrite arbitrary files via a symlink attack on a ticket file.
- CVE-2001-0417: Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files via a symlink attack on new ticket files.
- RHSA-2001-025: Updated Kerberos 5 and pam_krb5 packages available
- US-CERT VU#426273: KTH Kerberos filesystem race condition on tickets stored in /tmp
Platforms Affected:
- FreeBSD FreeBSD 3.0
- FreeBSD FreeBSD 3.5
- FreeBSD FreeBSD 4.2
- KTH Kerberos 4
- MIT Kerberos 4
- MIT Kerberos 5-1.5.2
- NetBSD NetBSD 1.5
- OpenBSD OpenBSD 2.8
- RedHat Linux 6.2
- RedHat Linux 7
- RedHat Linux 7.1
- RedHat Linux 7.2
- RedHat Linux 7.3
Reported:
Dec 08, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
For corrections or additions please email xforce@iss.net
