                 MITKRB5-SA-2010-007

MIT krb5 Security Advisory 2010-007
Original release: 2010-11-30
Last update: 2010-11-30

Topic: Multiple checksum handling vulnerabilities

CVE-2010-1324

* krb5 GSS-API applications may accept unkeyed checksums
* krb5 application services may accept unkeyed PAC checksums
* krb5 KDC may accept low-entropy KrbFastArmoredReq checksums

CVSSv2 Vector: AV:N/AC:M/Au:N/C:N/I:C/A:N/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      7.1

Access Vector:          Network
Access Complexity:      Medium
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       Complete
Availability Impact:    None

CVSSv2 Temporal Score:  5.6

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

CVE-2010-1323

* krb5 clients may accept unkeyed SAM-2 challenge checksums
* krb5 may accept KRB-SAFE checksums with low-entropy derived keys

CVSSv2 Vector: AV:N/AC:H/Au:N/C:N/I:C/A:N/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      5.4
CVSSv2 Temporal Score:  4.2

CVE-2010-4020

* krb5 may accept authdata checksums with low-entropy derived keys

CVSSv2 Vector: AV:N/AC:M/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      3.5
CVSSv2 Temporal Score:  2.7

CVE-2010-4021

* krb5 KDC may issue unrequested tickets due to KrbFastReq forgery

CVSSv2 Vector: AV:N/AC:H/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C

CVSSv2 Base Score:      2.1
CVSSv2 Temporal Score:  1.6

See DETAILS for the expanded CVSSv2 metrics for CVE-2010-1323, CVE-2010-4020, and CVE-2010-4021.

SUMMARY
=======

These vulnerabilities are in the MIT implementation of Kerberos (krb5), but because these vulnerabilities arise from flaws in protocol handling logic, other implementations may also be vulnerable.

CVE-2010-1324

MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed checksum with DES session keys for version 2 (RFC 4121) of the GSS-API krb5 mechanism.

MIT krb5 (releases krb5-1.7 and newer) incorrectly accepts an unkeyed checksum for PAC signatures.
Running exclusively krb5-1.8 or newer KDCs blocks the attack.

MIT krb5 KDC (releases krb5-1.7 and newer) incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying the req-checksum in a KrbFastArmoredReq.

CVE-2010-1323

MIT krb5 clients (releases krb5-1.3 and newer) incorrectly accept unkeyed checksums in the SAM-2 preauthentication challenge.

MIT krb5 (releases krb5-1.3 and newer) incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying KRB-SAFE messages.

CVE-2010-4020

MIT krb5 (releases krb5-1.8 and newer) incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying AD-SIGNEDPATH and AD-KDC-ISSUED authorization data.

CVE-2010-4021

MIT krb5 KDC (release krb5-1.7 only) may issue tickets not requested by a client, based on an attacker-chosen KrbFastArmoredReq.

IMPACT
======

CVE-2010-1324

An unauthenticated remote attacker can forge GSS tokens that are intended to be integrity-protected but unencrypted, if the targeted pre-existing application session uses a DES session key.

An authenticated remote attacker can forge PACs if using a KDC that does not filter client-provided PAC data. This can result in privilege escalation against a service that relies on PAC contents to make authorization decisions.

An unauthenticated remote attacker has a 1/256 chance of swapping a client-issued KrbFastReq into a different KDC-REQ, if the armor key is RC4. The consequences are believed to be minor.

CVE-2010-1323

An unauthenticated remote attacker could alter a SAM-2 challenge, affecting the prompt text seen by the user or the kind of response sent to the KDC. Under some circumstances, this can negate the incremental security benefit of using a single-use authentication mechanism token.

An unauthenticated remote attacker has a 1/256 chance of forging KRB-SAFE messages in an application protocol if the targeted pre-existing session uses an RC4 session key. Few application protocols use KRB-SAFE messages.

CVE-2010-4020

An authenticated remote attacker that controls a legitimate service principal has a 1/256 chance of forging the AD-SIGNEDPATH signature if the TGT key is RC4, allowing it to use self-generated "evidence" tickets for S4U2Proxy, instead of tickets obtained from the user or with S4U2Self. Configurations using RC4 for the TGT key are believed to be rare.

An authenticated remote attacker has a 1/256 chance of forging AD-KDC-ISSUED signatures on authdata elements in tickets having an RC4 service key, resulting in privilege escalation against a service that relies on these signatures. There are no known uses of the KDC-ISSUED authdata container at this time.

CVE-2010-4021

An authenticated remote attacker that controls a legitimate service principal could obtain a valid service ticket to itself containing valid KDC-generated authorization data for a client whose TGS-REQ it has intercepted. The attacker could then use this ticket for S4U2Proxy to impersonate the targeted client even if the client never authenticated to the subverted service. The vulnerable configuration is believed to be rare.

AFFECTED SOFTWARE
=================

CVE-2010-1324

Kerberos application client and server software (including third-party applications) using GSS-API libraries from MIT releases krb5-1.7 and newer are vulnerable to the DES GSS-API issue if they use GSS-API for integrity protection of unencrypted messages.

Kerberos application server software (including third-party applications) using libraries from MIT releases krb5-1.7 and newer are vulnerable to the PAC issue. Deployments running exclusively KDCs from releases krb5-1.8 and newer are not vulnerable to the PAC issue because those KDCs discard client-provided PAC authdata.

The MIT krb5 KDC in releases krb5-1.7 and newer is vulnerable to the KrbFastReq swapping issue.

CVE-2010-1323

Initial credential acquisition clients (including kinit) in MIT releases krb5-1.3 and newer are vulnerable to the SAM-2 issue.
Third-party applications that obtain initial Kerberos credentials using libraries from these releases are also vulnerable.

Kerberos application client and server software (including third-party applications) using libraries from MIT releases krb5-1.3 and newer are vulnerable to the RC4 KRB-SAFE issue.

CVE-2010-4020

The AD-SIGNEDPATH issue affects the KDC in releases krb5-1.8 and newer.

Kerberos application server software (including third-party applications) using libraries from MIT releases krb5-1.8 and newer are vulnerable to the AD-KDC-ISSUED problem. Deployments running exclusively KDCs from releases krb5-1.8 and newer discard client-provided AD-KDC-ISSUED authdata and are not vulnerable to this issue.

CVE-2010-4021

The KDC from release krb5-1.7 only is vulnerable to the KrbFastReq forgery issue.

FIXES
=====

* Upcoming releases in the krb5-1.8 and krb5-1.7 series will contain fixes for these issues.

* The patches for this advisory do not cover CVE-2010-4021, which is a minor issue already corrected in krb5-1.7.1.

A patch for the krb5-1.8 series is available at

http://web.mit.edu/kerberos/advisories/2010-007-patch.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-007-patch.txt.asc

A patch for the krb5-1.7 series is available at

http://web.mit.edu/kerberos/advisories/2010-007-patch-r17.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-007-patch-r17.txt.asc

A patch for the krb5-1.6 series is available at

http://web.mit.edu/kerberos/advisories/2010-007-patch-r16.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-007-patch-r16.txt.asc

A patch for the krb5-1.5 series is available at

http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt

A PGP-signed patch is available at

http://web.mit.edu/kerberos/advisories/2010-007-patch-r15.txt.asc

REFERENCES
==========

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt

This announcement and related security advisories may be found on the MIT Kerberos security advisory page at:

http://web.mit.edu/kerberos/advisories/index.html

The main MIT Kerberos web page is at:

http://web.mit.edu/kerberos/index.html

CVSSv2:

http://www.first.org/cvss/cvss-guide.html
http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2

CVE:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1324
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-1323
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4020
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-4021

ACKNOWLEDGMENTS
===============

Thanks to Sam Hartman for helping with analysis.

CONTACT
=======

The MIT Kerberos Team security contact address is .
When sending sensitive information, please PGP-encrypt it using the following key:

pub   2048R/8B8DF501 2010-01-15 [expires: 2011-02-01]
uid                  MIT Kerberos Team Security Contact

DETAILS
=======

Background for RC4-keyed RFC 3961 checksum issues:

The hmac-sha1-des3, hmac-sha1-96-aes128, and hmac-sha1-96-aes256 checksum types are specified to be used with 3DES, AES128, and AES256 keys respectively, but MIT krb5 allows these checksum types to be used with any type of key. All three checksum types make use of a key derivation algorithm built around the block encryption operation of the key's encryption type.

The arcfour-hmac and arcfour-hmac-exp encryption types are specified in RFC 4757, and make use of a stream cipher instead of a block cipher. The MIT krb5 implementation treats these encryption types as having a cipher block size of one byte for the purposes of key derivation. When the aforementioned checksum types perform key derivation, they repeatedly invoke stream cipher encryption on one-byte blocks. The result is a derived key whose contents alternate between a known byte (which depends only on the key usage value) and a byte whose values depend on the key. There are only 256 possible derived keys for each key usage value.

CVE-2010-1324 (GSS-API issue):

RFC 4121 specifies version 2 of the krb5 GSS-API mechanism. It is commonly used only with "newer" encryption types, but may be used with any encryption type. RFC 4121 specifies that non-confidential Wrap messages and Message Integrity Codes (MICs) are computed using the required checksum type for the key's encryption type. MIT krb5 uses the internal krb5int_c_mandatory_cksumtype function to look up this checksum type. This function returns incorrect values for DES encryption types, selecting unkeyed rather than keyed checksums. If a GSS-API context is established using a DES key, the MIT krb5 code will accept Wrap or MIC tokens in either the RFC 4121 or RFC 1964 style.
An attacker can construct a Wrap or MIC token in the RFC 4121 style using unkeyed checksums.

CVE-2010-1324 (PAC issue):

Privilege Attribute Certificates (PACs) are a type of authorization data specified in:

http://msdn.microsoft.com/en-us/library/cc237917(PROT.13).aspx

PACs contain two signature fields which bind the PAC to the server and krbtgt keys; this signature is intended to prove that the PAC was generated by the KDC and not by a client. PAC signatures are specified to use the hmac-md5, hmac-sha1-96-aes128, or hmac-sha1-96-aes256 keyed checksum types. The MIT krb5 code for verifying PAC signatures does not verify that the checksum type contained in the PAC is a keyed signature, so a client could use an unkeyed checksum to "prove" that its made-up PAC data was generated by a KDC. This attack would not work in the presence of a sufficiently recent (1.8 or later) MIT KDC because the KDC would filter out client-provided PAC authdata.

CVE-2010-1324 (KrbFastReq swapping issue):

The KDC may accept an RFC 3961 key-derivation checksum keyed with an RC4 key in the req-checksum field of KrbFastArmoredReq. An attacker has a 1/256 chance of guessing the derived key that would be required to bind a captured encrypted KrbFastReq to a different KDC-REQ message. This is probably at worst an auditing issue; the KDC will log a successful authentication, but with the wrong parameters, and the client will not necessarily be able to use the resulting ticket.
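
The derived-key collapse described under "Background for RC4-keyed RFC 3961 checksum issues", which underlies every 1/256 figure in this advisory, as an added illustration that is not part of the advisory or of the MIT krb5 source: it runs the RFC 3961 n-fold and DR/DK steps with a one-byte cipher block, modelling the one-byte stream-cipher "encryption" as XOR with the first RC4 keystream byte (an assumption standing in for MIT's actual arcfour-hmac primitive; the function names are likewise this example's own), and shows that the derived checksum key alternates between a known byte and a single key-dependent byte, so at most 256 derived keys exist per key usage.

```python
import os

# Added illustration, not MIT krb5 code: RFC 3961 DR/DK run with a one-byte
# cipher block, as the advisory says MIT krb5 did for arcfour-hmac keys.
# The one-byte "block encryption" is a model (assumption): XOR with the first
# RC4 keystream byte, re-keyed on every call.  What matters is that the byte
# combined with the plaintext depends only on the key, not on the plaintext.
def nfold_to_one_byte(data: bytes) -> int:
    """RFC 3961 n-fold to 8 bits.  For a 5-byte constant lcm(40, 8) = 40, so
    no rotated copies are needed and n-fold reduces to the ones'-complement
    sum (end-around carry) of the input bytes."""
    total = sum(data)
    while total > 0xFF:
        total = (total & 0xFF) + (total >> 8)
    return total

def rc4_first_keystream_byte(key: bytes) -> int:
    """Standard RC4 key schedule followed by a single PRGA step."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i, j = 1, s[1]
    s[i], s[j] = s[j], s[i]
    return s[(s[i] + s[j]) & 0xFF]

def encrypt_one_byte_block(key: bytes, block: int) -> int:
    """Modelled stream-cipher 'encryption' of a one-byte block."""
    return block ^ rc4_first_keystream_byte(key)

def usage_constant(key_usage: int, suffix: int = 0x99) -> bytes:
    """RFC 3961 well-known constant: 4-byte usage number || 0x99 for Kc."""
    return key_usage.to_bytes(4, "big") + bytes([suffix])

def derive_key(key: bytes, constant: bytes, out_len: int = 16) -> bytes:
    """RFC 3961 DR: K1 = E(n-fold(constant)), K2 = E(K1), ... truncated to
    out_len bytes (random-to-key is the identity for RC4, so this is DK).
    With E(x) = x ^ s for a fixed s, the output is c^s, c, c^s, c, ..."""
    out, block = bytearray(), nfold_to_one_byte(constant)
    while len(out) < out_len:
        block = encrypt_one_byte_block(key, block)
        out.append(block)
    return bytes(out)

def count_distinct_derived_keys(key_usage: int, samples: int) -> int:
    """Derive Kc from random 128-bit keys; the set can never exceed 256."""
    constant = usage_constant(key_usage)
    return len({derive_key(os.urandom(16), constant) for _ in range(samples)})
```

With a genuine 8- or 16-byte block cipher, as the 3DES and AES enctypes these checksum types were specified for provide, K1 is a whole block of key-dependent output and no such collapse occurs.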

CVE-2010-1323 (SAM-2 issue):

CVSSv2 Base Score:      5.4

Access Vector:          Network
Access Complexity:      High
Authentication:         None
Confidentiality Impact: None
Integrity Impact:       Complete
Availability Impact:    None

CVSSv2 Temporal Score:  4.2

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

SAM-2 is a preauthentication mechanism described in:

http://tools.ietf.org/html/draft-ietf-krb-wg-kerberos-sam-03 (SAM2)

In this mechanism, a KDC sends a challenge to the client consisting of a challenge body and a list of checksums. The client prompts the user for Single-use Authentication Data (SAD), computes a reply key based on the SAD and the parameters in the challenge body, and then tries to verify each of the checksums against the body using the reply key. If no checksum matches, the client assumes that the SAD value is incorrect or the integrity of the challenge has been tampered with by a party with no knowledge of the reply key.

The MIT krb5 code for verifying SAM-2 challenge signatures does not verify that the checksum type is keyed, so an attacker can alter a challenge and supply an unkeyed signature, fooling the client into believing that the challenge body was not tampered with. The general result would be that the client would transmit an invalid reply to the KDC, causing preauthentication to fail. With non-challenge/response SAM tokens having low entropy (e.g., a clock-based token with six decimal digits of readout), this may allow an attacker to learn the SAD value by a precomputation attack, negating the incremental security benefit of using a SAM token. This would allow the attacker to authenticate to the KDC as the user, or to impersonate the KDC to the user, provided that the user's password has been previously captured.

CVE-2010-1323 (KRB-SAFE RC4 issue):

The KRB-SAFE message is intended for the integrity protection of cleartext application data.
An attacker can forge KRB-SAFE messages in an existing application protocol session with 1/256 probability of success, if the session uses an RC4 session key.

CVE-2010-4020 (authdata RC4 issue):

CVSSv2 Base Score:      3.5

Access Vector:          Network
Access Complexity:      Medium
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       Partial
Availability Impact:    None

CVSSv2 Temporal Score:  2.7

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

S4U2proxy is a Microsoft protocol extension that allows a service to impersonate a user to another service, in a constrained way:

http://msdn.microsoft.com/en-us/library/cc246071(PROT.13).aspx

MIT and Heimdal implementations of Kerberos use an extension to take the place of the Windows PAC in S4U2proxy evidence tickets:

http://k5wiki.kerberos.org/wiki/Projects/ConstrainedDelegation

The signature in the SIGNEDPATH authorization data uses the TGT key, which is only known to the KDC. If the TGT key is RC4, then a service can forge this signature with a 1/256 chance of success by supplying an inappropriate checksum type.

CVE-2010-4021 (KrbFastReq forgery issue):

CVSSv2 Base Score:      2.1

Access Vector:          Network
Access Complexity:      High
Authentication:         Single
Confidentiality Impact: None
Integrity Impact:       Partial
Availability Impact:    None

CVSSv2 Temporal Score:  1.6

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed

In release krb5-1.7, but not newer releases, the KDC allows an arbitrary TGT credential to serve as the armor for TGS requests, allowing the inner request to be arbitrarily altered by an attacker who controls a service principal. (The attacker has full knowledge of the armor key, having provided the armor ticket.) The resulting ticket is useless to both client and attacker unless the named service principal in the forged request is that of the attacker.
By intercepting a legitimate TGS-REQ message, a malicious service that has S4U2Proxy privileges can rewrite the inner request so that the service named in the request is itself, and then capture the issued ticket for use as an evidence ticket in a S4U2Proxy request to impersonate the client to another service, even though the client never asked for a ticket for the malicious service. Since krb5-1.7 does not natively support S4U2proxy, the attack is only feasible in certain cross-realm configurations, which are believed to be rare, involving Active Directory domains that grant S4U2proxy privileges to services in a non-AD Kerberos foreign realm.

REVISION HISTORY
================

2010-11-30 original release

Copyright (C) 2010 Massachusetts Institute of Technology