news
Kerberos at risk from DoS attacks

According to CERT Advisory CA-2000-11 there have been reports of several potential buffer overflow vulnerabilities in the Kerberos authentication software. The most severe vulnerability allows remote intruders to disrupt normal operations of the Key Distribution Center (KDC) if an attacker is able to send malformed requests to a realm’s key server. The following versions are vulnerable to one or more of these vulnerabilities:

• MIT Kerberos 5 releases krb5-1.0.x, krb5-1.1.1
• MIT Kerberos 4 patch 10, and probably earlier releases as well
• KerbNet (Cygnus implementation of Kerberos 5)
• Cygnus Network Security (CNS — Cygnus implementation of Kerberos 4)

These new vulnerabilities, of which there are at least five, may be exploited to effect denial-of-service attacks with varying degrees of severity. These include:

• The buffer used to hold the variable lastrealm in the function set_tgtkey() can be overflowed.
• The buffer used to hold the variable localrealm in the function process_v4() can be overflowed.
• The buffer used to hold the variable e_msg in the function kerb_err_reply() can be overflowed.
• The code that serves AUTH_MSG_KDC_REQUESTs does not properly check for null-termination.
• Memory that has previously been freed may be improperly freed again, possibly resulting in unstable operation.

Depending on the version of Kerberos, the environment in which it is running and the particular vulnerability that is exploited, a remote attacker can cause one or more of the following:

• The KDC to issue invalid tickets for all principals.
• The KDC to generate a ‘principal unknown’ error.
• The KDC process to crash. Any new authentications to kerberized services will not be possible until the KDC is restarted.

Note that this implies that operation of ‘kerberized’ services will be halted until the KDC is stopped. It does not appear that any of these vulnerabilities allows the execution of code by an intruder. You are advised to apply a patch from your vendor. For further information, contact CERT on +1 412 268 7090, or visit the Web site: http://www.CERT.org
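Three of the five items above are the same defect: a realm or error-message field copied from a network request into a fixed-size buffer without checking its length, and one more is a field used without checking that it is NUL-terminated within the bytes received. The following added example (not CERT's or MIT's code, and not taken from the affected Kerberos sources) shows the shape of the fix a KDC maintainer would apply: bound the terminator search to the bytes actually received, and refuse the field when it does not fit, so the request is rejected rather than corrupting the server. REALM_SZ and the sample requests are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical fixed buffer size for a realm name. The real sizes in the
 * affected Kerberos code are not given in the advisory and do not matter
 * for the point being made. */
#define REALM_SZ 40

enum realm_status {
    REALM_OK = 0,
    REALM_TOO_LONG = -1,     /* the field would overflow the destination */
    REALM_UNTERMINATED = -2  /* no NUL within the bytes actually received */
};

/* Copy the NUL-terminated realm field at the start of a request into a
 * fixed-size buffer. req_len is the number of bytes actually received:
 * neither the search for the terminator nor the copy looks past it, and
 * nothing is written into realm unless the whole field fits. */
int extract_realm(const unsigned char *req, size_t req_len,
                  char *realm, size_t dstsz)
{
    const unsigned char *nul;
    size_t n;

    if (dstsz == 0)
        return REALM_TOO_LONG;
    realm[0] = '\0';

    /* Bounded search: an unterminated field is rejected here instead of
     * letting a later strlen()/strcpy() run off the end of the request. */
    nul = memchr(req, '\0', req_len);
    if (nul == NULL)
        return REALM_UNTERMINATED;

    n = (size_t)(nul - req);
    if (n + 1 > dstsz)           /* n bytes plus the terminator must fit */
        return REALM_TOO_LONG;

    memcpy(realm, req, n + 1);
    return REALM_OK;
}

/* Classify a received field using a buffer of the size the server would
 * really use; handy for tests and for logging rejected requests. */
int classify_realm_field(const unsigned char *req, size_t req_len)
{
    char realm[REALM_SZ];
    return extract_realm(req, req_len, realm, sizeof realm);
}

/* Constructed sample requests (not captured traffic). */
static const unsigned char SAMPLE_OK[] = "EXAMPLE.ORG\0tail";       /* terminated, fits */
static const unsigned char SAMPLE_NO_NUL[] = "EXAMPLE.ORGEXAMPLE";  /* pass 18 bytes: no NUL among them */
static const unsigned char SAMPLE_TOO_LONG[] =
    "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";             /* 48 bytes + NUL, > REALM_SZ */

int main(void)
{
    char realm[REALM_SZ];
    int r = extract_realm(SAMPLE_OK, sizeof SAMPLE_OK, realm, sizeof realm);
    printf("ok:           %d realm=\"%s\"\n", r, realm);
    printf("unterminated: %d\n", classify_realm_field(SAMPLE_NO_NUL, 18));
    printf("too long:     %d\n", classify_realm_field(SAMPLE_TOO_LONG, sizeof SAMPLE_TOO_LONG));
    return 0;
}
```

The important design choice is that the byte count passed to memchr() is the received length, not the buffer size: a field that lacks a terminator is then a recoverable protocol error, and the only copy performed is one already known to fit.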
SSL certificate validation vulnerability

Two vulnerabilities have been identified in the way Internet Explorer handles digital certificates (Microsoft Security Bulletin MS00-039). The vulnerabilities could, under a very daunting set of circumstances, allow a malicious Web site operator to pose as a trusted Web site. The two vulnerabilities are:

• When a connection to a secure server is made via either an image or a frame, IE only verifies that the server’s SSL certificate was issued by a trusted root — it does not verify the server name or the expiration date. When a connection is made via any other means, all expected validation is performed.
• Even if the initial validation is made correctly, IE does not revalidate the certificate if a new SSL session is established with the same server during the same IE session.

The circumstances under which these vulnerabilities could be exploited are fairly restricted. In both cases, it is likely that the attacker would need to either carry out DNS cache poisoning or physically replace the server in order to carry out an attack successfully. In the second case in particular, the malicious user would need to poison the cache or replace the machine during the interregnum between the two SSL sessions.

The following versions are affected by these problems:

• Microsoft Internet Explorer 4.0
• Microsoft Internet Explorer 4.01
• Microsoft Internet Explorer 5.0
• Microsoft Internet Explorer 5.01

A patch is available from Microsoft’s Web site: http://www.Microsoft.com/windows/i.e./download/critical/patch7.htm
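The bulletin describes two distinct failures: a validation path that stops after the trusted-root check, and a later session that reuses an earlier validation instead of looking at the certificate it is actually shown. The following added example (not Microsoft's code; the struct, field names, trust store, timestamps and certificates are all constructed) models the complete check a client must run on every connection, with all three tests applied in order, and contrasts a per-host "already validated" shortcut with a policy that validates each new session independently. It goes slightly beyond the text by including single-label wildcard matching, since that is how server names are usually matched in practice.

```c
#include <stdio.h>
#include <string.h>

/* Invented certificate model holding only the fields the three checks need. */
struct cert {
    const char *subject_name;  /* server name the certificate was issued for */
    const char *issuer;        /* name of the issuing CA */
    long not_before;           /* validity window, seconds since epoch (constructed) */
    long not_after;
};

enum cert_result {
    CERT_OK = 0,
    CERT_UNTRUSTED_ROOT,
    CERT_NAME_MISMATCH,
    CERT_NOT_YET_VALID,
    CERT_EXPIRED
};

/* Constructed trust store. */
static const char *const trusted_roots[] = { "Example Trusted Root CA", NULL };

static int issued_by_trusted_root(const struct cert *c)
{
    const char *const *r;
    for (r = trusted_roots; *r != NULL; r++)
        if (strcmp(c->issuer, *r) == 0)
            return 1;
    return 0;
}

/* Exact match, or "*.example.com" matching exactly one extra left-most label. */
static int name_matches(const char *cert_name, const char *host)
{
    if (strcmp(cert_name, host) == 0)
        return 1;
    if (cert_name[0] == '*' && cert_name[1] == '.') {
        const char *dot = strchr(host, '.');
        return dot != NULL && strcmp(cert_name + 1, dot) == 0;
    }
    return 0;
}

/* The complete check: trusted issuer AND server name AND validity period.
 * The bulletin's first issue is a code path that performed only the first. */
enum cert_result validate_cert(const struct cert *c, const char *host, long now)
{
    if (!issued_by_trusted_root(c))          return CERT_UNTRUSTED_ROOT;
    if (!name_matches(c->subject_name, host)) return CERT_NAME_MISMATCH;
    if (now < c->not_before)                 return CERT_NOT_YET_VALID;
    if (now > c->not_after)                  return CERT_EXPIRED;
    return CERT_OK;
}

/* Per-host state kept for the lifetime of the browser session. */
struct host_state { const char *host; int validated_once; };

/* Flawed policy (the bulletin's second issue): once a host has passed, later
 * sessions to it are accepted without examining the certificate presented. */
enum cert_result open_session_cached(struct host_state *st, const struct cert *presented, long now)
{
    enum cert_result r;
    if (st->validated_once)
        return CERT_OK;                  /* the new certificate is never looked at */
    r = validate_cert(presented, st->host, now);
    if (r == CERT_OK)
        st->validated_once = 1;
    return r;
}

/* Corrected policy: every new SSL session validates the certificate it is shown. */
enum cert_result open_session_strict(struct host_state *st, const struct cert *presented, long now)
{
    return validate_cert(presented, st->host, now);
}

/* Constructed certificates and clock. */
#define NOW 1000000L
static const struct cert good_cert     = { "*.example.com",     "Example Trusted Root CA", 900000L, 1100000L };
static const struct cert expired_cert  = { "*.example.com",     "Example Trusted Root CA", 500000L,  600000L };
static const struct cert other_host    = { "www.other.example", "Example Trusted Root CA", 900000L, 1100000L };
static const struct cert unknown_root  = { "*.example.com",     "Some Other CA",           900000L, 1100000L };

/* Two sessions to the same host: a valid certificate first, then an expired
 * one. Returns the result of the second session under the chosen policy. */
int replay_scenario(int strict)
{
    struct host_state st = { "www.example.com", 0 };
    if (strict) {
        open_session_strict(&st, &good_cert, NOW);
        return open_session_strict(&st, &expired_cert, NOW);
    }
    open_session_cached(&st, &good_cert, NOW);
    return open_session_cached(&st, &expired_cert, NOW);
}

int main(void)
{
    printf("full check, good cert:      %d\n", validate_cert(&good_cert, "www.example.com", NOW));
    printf("full check, wrong host:     %d\n", validate_cert(&other_host, "www.example.com", NOW));
    printf("second session, cached:     %d\n", replay_scenario(0));
    printf("second session, strict:     %d\n", replay_scenario(1));
    return 0;
}
```

The cached policy returns CERT_OK for the second session even though the certificate it was handed is expired, which is exactly the window the bulletin describes; the strict policy reports CERT_EXPIRED because it never trusts a previous outcome.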
AIX cdmount vulnerability

According to an Internet Security Systems Security Advisory (dated 20 June 2000), a malicious user could execute cdmount with arguments containing shell metacharacters. The cdmount program normally allows regular users to mount CD-ROM filesystems. This problem means that a malicious user could run arbitrary commands, as root, through shell metacharacter command manipulation. The following AIX systems are vulnerable to this problem: any with the LPP UMS.objects 2.3.0.0 and below installed.

The cdmount program is part of the AIX UltiMedia Services (UMS) package. UMS provides multimedia applications to AIX workstations. The cdmount program is normally used as a helper to UMS multimedia players. It has SUID root permissions to allow regular users to mount a CD-ROM. The system() library subroutine is used within cdmount to invoke the mount program. This subroutine spawns a shell to execute the mount command with arguments provided by the user. An attacker may execute arbitrary commands as root by calling cdmount with arguments containing shell metacharacters.

ISS recommends removing the SUID bit from cdmount by executing the following command:

# chmod 555 /usr/lpp/UMS/bin/cdmount

IBM is currently working on the following Authorized
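The chmod above is the administrator's workaround; the root cause is that system() hands user-controlled text to a shell running as root. The following added example (not IBM's or ISS's code, and not the cdmount source) shows the defect in its generic form next to the fix a developer would apply in an SUID helper: an allowlist check on the arguments, and a direct fork/execv with a fixed argument vector so that no shell ever parses them. The metacharacter check is also useful on its own for auditing how such helpers are being invoked. The device prefix /dev/cd, the mount path /usr/sbin/mount and the -r flag are assumptions for illustration, not details taken from the advisory.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Characters the shell treats specially. If a user-controlled string that
 * contains any of these reaches system() or popen(), the command changes. */
static const char SHELL_METACHARS[] = ";|&$`<>()\\\"'*?[]{}~!#\n\r\t ";

/* Returns 1 if s contains any shell metacharacter, else 0. */
int has_shell_metachars(const char *s)
{
    return strpbrk(s, SHELL_METACHARS) != NULL;
}

/* Hypothetical policy for the helper: only CD-ROM devices under /dev/cd*
 * may be mounted, the mount point must be absolute, and neither argument
 * may be empty, contain "..", or contain shell metacharacters.
 * Returns 0 if acceptable, -1 otherwise. */
int check_mount_args(const char *device, const char *mountpoint)
{
    if (device == NULL || mountpoint == NULL)
        return -1;
    if (*device == '\0' || *mountpoint == '\0')
        return -1;
    if (has_shell_metachars(device) || has_shell_metachars(mountpoint))
        return -1;
    if (strncmp(device, "/dev/cd", 7) != 0)        /* allowlist, not denylist */
        return -1;
    if (strstr(device, "..") != NULL || strstr(mountpoint, "..") != NULL)
        return -1;
    if (mountpoint[0] != '/')
        return -1;
    return 0;
}

/* The vulnerable shape the advisory describes: arguments pasted into a
 * command string and given to system(), which spawns a root shell that
 * interprets whatever the strings contain. Shown for contrast; never called. */
int mount_via_system_unsafe(const char *device, const char *mountpoint)
{
    char cmd[256];
    snprintf(cmd, sizeof cmd, "/usr/sbin/mount -r %s %s", device, mountpoint);
    return system(cmd);
}

/* Hardened shape: validate first, then exec mount directly with a fixed
 * argv. The arguments are passed as data; no shell is involved. */
int mount_without_shell(const char *device, const char *mountpoint)
{
    pid_t pid;
    int status;

    if (check_mount_args(device, mountpoint) != 0)
        return -1;
    pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "mount", "-r", (char *)device, (char *)mountpoint, NULL };
        execv("/usr/sbin/mount", argv);
        _exit(127);                                /* exec failed */
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed inputs; mount_without_shell() itself is not run here
     * because it needs a real device and root privilege. */
    const char *inputs[][2] = {
        { "/dev/cd0",       "/cdrom" },
        { "/dev/cd0; date", "/cdrom" },
        { "/dev/rhdisk0",   "/cdrom" },
        { "/dev/cd0",       "../etc" },
    };
    size_t i;
    for (i = 0; i < sizeof inputs / sizeof inputs[0]; i++)
        printf("%-16s %-8s -> %s\n", inputs[i][0], inputs[i][1],
               check_mount_args(inputs[i][0], inputs[i][1]) == 0 ? "accepted" : "rejected");
    return 0;
}
```

Validation is kept even though execv() removes the shell: the allowlist stops the helper from being used to mount arbitrary block devices, which is a separate privilege problem from command injection.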