MIT Kerberos Administration Daemon (kadmind) Double-Free Vulnerability

Vulnerability Details


Vulnerability Summary

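Kerberos is a network authentication protocol developed by the Massachusetts Institute of Technology (MIT). It uses a client/server architecture in which the client and the server can each authenticate the other (mutual authentication), and it protects against eavesdropping and replay attacks. MIT Kerberos 5 (also known as krb5) is the network authentication suite developed by MIT on this design.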

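Kerberos has a memory-handling flaw when processing certain malformed requests; a remote attacker may exploit it to execute arbitrary code on the server.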

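If an invalid direction value is detected in a message, the kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees the memory allocated for the message_buffer gss_buffer_t. The function neither sets the pointer to NULL nor sets the length to 0, so when the application later calls gss_release_buffer() on that gss_buffer_t, the memory is freed a second time.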

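The RPCSEC_GSS authentication in the RPC library, introduced in krb5-1.4, calls gss_release_buffer() when gss_unwrap() fails, which allows an authenticated attacker to trigger the double free. Third-party applications that call the RPC library shipped with MIT krb5 and use RPCSEC_GSS authentication are affected by this vulnerability. Third-party applications that call the MIT GSS-API library are also affected if they call gss_release_buffer() after a gss_unseal() or gss_unwrap() error.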
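
The stale-buffer pattern described above, as an added C example that is not krb5 source code: `buf_t`, the one-slot mock allocator and all function names are hypothetical stand-ins, and the mock counts a second free instead of corrupting a real heap. The hardened variant resets the pointer and the length on the error path, the two steps the text says were missing.

```c
#include <stdio.h>

typedef struct { size_t length; void *value; } buf_t;  /* stand-in for a GSS buffer */

/* One-slot mock allocator: counts a second free instead of corrupting a heap. */
static unsigned char slot[64];
static int slot_live, double_frees;

static void *mock_alloc(void) { slot_live = 1; return slot; }
static void mock_free(void *p) {
    if (p == NULL) return;                               /* like free(NULL): no-op */
    if (slot_live) slot_live = 0; else double_frees++;   /* else: already freed */
}

/* Error path as described: frees the output buffer, leaves value/length stale. */
static int unseal_vulnerable(buf_t *out, int direction_valid) {
    out->value = mock_alloc();
    out->length = sizeof slot;
    if (!direction_valid) { mock_free(out->value); return -1; }
    return 0;
}

/* Hardened: on failure also reset both fields (written as a wrapper for brevity). */
static int unseal_hardened(buf_t *out, int direction_valid) {
    int rc = unseal_vulnerable(out, direction_valid);
    if (rc != 0) { out->value = NULL; out->length = 0; }
    return rc;
}

/* Release routine: frees a non-NULL value, then clears the descriptor. */
static void release_buffer(buf_t *b) {
    mock_free(b->value);
    b->value = NULL; b->length = 0;
}

/* Caller that releases the buffer even after a failed unseal; returns double frees. */
int run_caller(int (*unseal)(buf_t *, int), int direction_valid) {
    buf_t out = {0, NULL};
    double_frees = 0;
    (void)unseal(&out, direction_valid);
    release_buffer(&out);
    return double_frees;
}

int main(void) {
    printf("double frees: vulnerable=%d hardened=%d\n",
           run_caller(unseal_vulnerable, 0), run_caller(unseal_hardened, 0));
    return 0;
}
```

The same caller is safe or unsafe depending only on whether the failing function leaves the descriptor in a released state, which is why the fix belongs in the error path rather than in every caller.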

Vulnerability Advisory

Vendor patches:

Debian
------

Debian has released a security advisory (DSA-1276-1) and corresponding patches for this issue:

DSA-1276-1: New krb5 packages fix several vulnerabilities

Link:
http://www.debian.org/security/2007/dsa-1276

Patch downloads:


References

Source: HP
Link: http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?lang=en&cc=us&objectID=c01056923

Source: SECUNIA
Link: http://secunia.com/advisories/24736

Source: MANDRIVA
Link: http://www.mandriva.com/security/advisories?name=MDKSA-2007:077

Source: REDHAT
Link: http://www.redhat.com/support/errata/RHSA-2007-0095.html

Source: SECUNIA
Link: http://secunia.com/advisories/24735

Source: SECUNIA
Link: http://secunia.com/advisories/24757

Source: BUGTRAQ
Link: http://www.securityfocus.com/archive/1/464591/100/0/threaded

Source: VUPEN
Link: http://www.vupen.com/english/advisories/2007/1470

Source: BID
Link: https://www.securityfocus.com/bid/23282

Source: CONFIRM
Link: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-003.txt

Source: CERT
Link: http://www.us-cert.gov/cas/techalerts/TA07-093B.html

Source: SECUNIA
Link: http://secunia.com/advisories/24817

Source: BUGTRAQ
Link: http://www.securityfocus.com/archive/1/464666/100/0/threaded

Source: SECTRACK
Link: http://www.securitytracker.com/id?1017852

Source: GENTOO
Link: http://security.gentoo.org/glsa/glsa-200704-02.xml

Source: CERT
Link: http://www.us-cert.gov/cas/techalerts/TA07-109A.html

Source: VUPEN
Link: http://www.vupen.com/english/advisories/2007/1218

Source: VUPEN
Link: http://www.vupen.com/english/advisories/2007/1916

Source: SECUNIA
Link: http://secunia.com/advisories/24966

Source: SECUNIA
Link: http://secunia.com/advisories/24785

Source: CERT-VN
Link: http://www.kb.cert.org/vuls/id/419344

Source: UBUNTU
Link: http://www.ubuntu.com/usn/usn-449-1

Source: SECUNIA
Link: http://secunia.com/advisories/24740

Source: SECUNIA
Link: http://secunia.com/advisories/24786

Source: BUGTRAQ
Link: http://www.securityfocus.com/archive/1/464814/30/7170/threaded

Source: CONFIRM
Link: http://docs.info.apple.com/article.html?artnum=305391

Source: DEBIAN
Link: https://www.debian.org/security/2007/dsa-1276

Source: SECUNIA
Link: http://secunia.com/advisories/24706

Source: XF
Link: https://exchange.xforce.ibmcloud.com/vulnerabilities/33413

Source: APPLE
Link: http://lists.apple.com/archives/Security-announce/2007/Apr/msg00001.html

Source: SUSE
Link: http://lists.suse.com/archive/suse-security-announce/2007-Apr/0001.html

Source: OVAL
Link: https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11135

Source: SECUNIA
Link: http://secunia.com/advisories/24750

Source: SECUNIA
Link: http://secunia.com/advisories/25388
