An unprivileged (either authenticated or unauthenticated) remote user may be able to execute arbitrary code with elevated privileges on Kerberos systems due to a double-free error in the krb5_recvauth() library routine. The privileges attained would depend on the affected program that utilizes the krb5_recvauth() routine; some affected applications such as kpropd() run with root privileges on slave Key Distribution Center (KDC) hosts, which means its potentially possible to compromise an entire Kerberos realm.

This issue is described in MIT krb5 Security Advisory 2005-003 available at

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2005-003-recvauth.txt

This issue is also referenced in the following documents:

CAN-2005-1689 at http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-1689

CERT VU#623332 at http://www.kb.cert.org/vuls/id/623332.

This issue can occur in the following releases:

SPARC Platform

• SEAM 1.0 for Solaris 7
• Solaris 8 with the Solaris Supplemental Encryption packages and without patch 112390-11
• Solaris 8 without patch 112237-13
• Solaris 9 without patch 112908-20
• Solaris 10 without patch 120469-02

x86 Platform

• SEAM 1.0 for Solaris 7
• Solaris 8 with the Solaris Supplemental Encryption packages without patch 112240-10
• Solaris 8 without patch 112238-12
• Solaris 9 without patch 115168-08
• Solaris 10 without patch 120470-02

Notes:

1. Only systems configured to utilize Kerberos are affected by this issue.
2. Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 7, 8 and 9. For more information on SEAM, please see the SEAM(5) man page.
3. Different components of the SEAM product have migrated to Solaris over time and thus Solaris 8 and 9 are impacted while SEAM for Solaris 8 and 9 is not. This is also the reason that there is no SEAM product for Solaris 10.

To determine if a system is configured to utilize Kerberos, the following command can be run:

    $ grep default_realm /etc/krb5/krb5.conf | grep -v ___default_realm___

If the command returns no output or the "krb5.conf" file is not found, then the system is not configured for Kerberos.

To determine if SEAM has been installed, the following command can be run:

    $ pkginfo SUNWkr5sv

If the SUNWkr5sv package is present, SEAM is installed on the system.

There are no reliable symptoms that would indicate the described issues have been exploited to execute arbitrary commands as root on a Kerberos host.

There is no workaround for this issue. Please see the Resoltuion section.

This issue is addressed in the following releases:

SPARC Platform

• Solaris 8 with the Solaris Supplemental Encryption packages and with patch 112390-11 or later
• Solaris 8 with patch 112237-13 or later
• Solaris 9 with patch 112908-20 or later
• Solaris 10 with patch 120469-02 or later

x86 Platform

• Solaris 8 with the Solaris Supplemental Encryption packages and with patch 112240-10 or later
• Solaris 8  with patch 112238-12 or later
• Solaris 9 with patch 115168-08 or later
• Solaris 10 with patch 120470-02 or later

02-Aug-2005:

• Update Contributing Factors and Resolution sections

05-Aug-2005:

• Update Contributing Factors and Resolution sections

• Updated Contributing Factors and Resolution sections

16-Aug-2005:

• Update Contributing Factors and Resolution sections

29-Aug-2005:

• Update Contributing Factors and Resolution sections

This solution has no attachment