Kerberos /tmp file race condition
kerberos4-tmpfile-dos (5754)
Description:
KTH Kerberos is vulnerable to a /tmp race condition. Kerberos is a network authentication service used over insecure networks. The ticket-creating process writes temporary files to the /tmp directory with predictable file names. A local attacker can create a symbolic link with a name that Kerberos would use, causing Kerberos to follow the link and overwrite another file on the system as root. An attacker could use this vulnerability to overwrite a critical system file and cause a denial of service.
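The defect class described above, shown as an added example that is not KTH Kerberos code: a predictable temporary-file name opened without O_EXCL beside the hardened open that refuses a pre-placed symlink and verifies the descriptor after the fact. The function names, the ticket-file name tkt_p12345 and the scenario directory are assumptions constructed for this illustration.

```c
#define _GNU_SOURCE            /* O_NOFOLLOW and mkdtemp on glibc */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical names, not KTH's. The defect: a predictable name opened
 * without O_EXCL. If a symlink was planted at that name beforehand, open()
 * follows it and O_TRUNC empties the target with the caller's privileges. */
int open_ticket_unsafe(const char *path) {
    return open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
}

/* Hardened: O_EXCL makes open() fail (EEXIST) if anything, symlink included,
 * already exists at the path; O_NOFOLLOW is a second line of defence, and
 * fstat() confirms the descriptor is a fresh regular file we own. */
int open_ticket_safe(const char *path) {
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != getuid()) {
        close(fd); errno = EPERM; return -1;
    }
    return fd;
}

/* Constructed scenario in a private directory: a file "victim" and a
 * symlink "tkt_p12345" pointing at it, standing in for a pre-claimed ticket
 * name. Returns 1 if the hardened open refuses the link while the unsafe
 * open follows it, 0 otherwise. */
int hardened_open_rejects_symlink(void) {
    char dir[] = "/tmp/krbdemoXXXXXX", victim[256], link[256];
    if (!mkdtemp(dir)) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(link, sizeof link, "%s/tkt_p12345", dir);
    int fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "keep me\n", 8) != 8 || symlink(victim, link))
        return 0;
    close(fd);
    int unsafe_fd = open_ticket_unsafe(link);          /* link followed */
    int safe_fd = open_ticket_safe(link), safe_err = errno; /* refused */
    int ok = unsafe_fd >= 0 && safe_fd < 0 &&
             (safe_err == EEXIST || safe_err == ELOOP);
    if (unsafe_fd >= 0) close(unsafe_fd);
    unlink(link); unlink(victim); rmdir(dir);   /* clean up the scenario */
    return ok;
}
```

On Linux the O_CREAT|O_EXCL check is evaluated before the symlink is followed, so the hardened open reports EEXIST rather than ELOOP; the check accepts either so the result holds on other POSIX systems.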
Platforms Affected:
- FreeBSD, FreeBSD 3.0
- FreeBSD, FreeBSD 3.5
- FreeBSD, FreeBSD 4.2
- KTH, Kerberos 4
- MIT, Kerberos 4
- MIT, Kerberos 5-1.5.2
- NetBSD, NetBSD 1.5
- OpenBSD, OpenBSD 2.8
- RedHat, Linux 6.2
- RedHat, Linux 7
- RedHat, Linux 7.1
- RedHat, Linux 7.2
- RedHat, Linux 7.3
Remedy:
Upgrade to the latest version of KTH Kerberos 4 (1.0.4 or later), available from the KTH Kerberos Web site. See References.
For MIT Kerberos 5 prior to version krb5-1.2.2-beta1 and MIT Kerberos 4 patch 10 and earlier:
Upgrade to the latest version of MIT Kerberos (krb5-1.2.2 or later), as listed in Kerberos Security Advisory 2001-03-07. See References.
For NetBSD 1.5:
Apply the 20001220-krb patch, as listed in NetBSD Security Advisory 2000-017. See References.
— OR —
Upgrade to the latest version of NetBSD-current since 20001209, as listed in NetBSD Security Advisory 2000-017. See References.
For OpenBSD:
Apply the patch, as listed in OpenBSD Security Advisory, December 7th, 2000. See References.
For FreeBSD:
Apply the appropriate patch for your system, as listed in FreeBSD, Inc. Security Advisory FreeBSD-SA-01:25. See References.
For Red Hat Linux 6.2:
Upgrade to the latest version of krb5 (1.1.1-26 or later), as listed in RHSA-2001:025-14. See References.
For Red Hat Linux 7.0:
Upgrade to the latest version of krb5 (1.2.2-3 or later) and pam_krb5 (1.29-1 or later), as listed in RHSA-2001:025-14. See References.
For other distributions:
Contact your vendor for upgrade or patch information.
Consequences:
Denial of Service
References:
- BugTraq Mailing List, Fri Dec 08 2000 - 09:36:27 CST, Vulnerabilities in KTH Kerberos IV at http://archives.neohapsis.com/archives/bugtraq/2000-12/0093.html.
- CIAC Information Bulletin L-057, Kerberos /tmp Root Vulnerability at http://www.ciac.org/ciac/bulletins/l-057.shtml.
- FreeBSD Security Advisory FreeBSD-SA-01:25, Local and remote vulnerabilities in Kerberos IV at ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:25.kerberosIV.asc.
- Kerberos Security Advisory 2001-03-07, Unsafe temporary file handling in krb4 at http://web.mit.edu/kerberos/www/advisories/krb4tkt.txt.
- KTH Kerberos Web site, Kerberos page at http://www.pdc.kth.se/kth-krb/.
- NetBSD Security Advisory 2000-017, Exploitable bugs in kerberised telnetd and libkrb at http://archives.neohapsis.com/archives/netbsd/2000-q4/0270.html.
- OpenBSD Security Advisory, December 7, 2000, Two problems have recently been discovered in the KerberosIV code. at http://www.openbsd.com/errata28.html#kerberos.
- OpenBSD Source Code Patch, Source Code Patch for Kerberos at ftp://ftp.openbsd.org/pub/OpenBSD/patches/2.8/common/008_kerberos.patch.
- BID-2093: Multiple Vendor Kerberos 4 Temporary File Race Condition Vulnerability
- CVE-2001-0036: KTH Kerberos IV allows local users to overwrite arbitrary files via a symlink attack on a ticket file.
- CVE-2001-0417: Kerberos 4 (aka krb4) allows local users to overwrite arbitrary files via a symlink attack on new ticket files.
- RHSA-2001-025: Updated Kerberos 5 and pam_krb5 packages available
- US-CERT VU#426273: KTH Kerberos filesystem race condition on tickets stored in /tmp
Reported:
Dec 08, 2000
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.
For corrections or additions please email xforce@iss.net
