OVAL query for kerberos vuln CAN-2003-0028

Jay Beale
CVE-ID: CAN-2003-0028
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0028

CVE Description: "Integer overflow in the xdrmem_getbytes() function,
and possibly other functions, of XDR (external data representation)
libraries derived from SunRPC, including libnsl, libc, glibc, and
dietlibc, allows remote attackers to execute arbitrary code via
certain integer values in length fields, a different vulnerability
than CAN-2002-0391."

Red Hat Security Advisory RHSA-2003:091-22
Updated kerberos packages fix various vulnerabilities
https://rhn.redhat.com/errata/RHSA-2003-091.html

"Updated Kerberos packages for Red Hat Linux 9 fix a number of
vulnerabilities found in MIT Kerberos.

Kerberos is a network authentication system. The MIT Kerberos team
released an advisory describing a number of vulnerabilities that affect
the kerberos packages shipped as part of Red Hat Linux 9. These issues
include:

Vulnerabilities have been found in the triple-DES key support found in
the implementation of the Kerberos IV authentication protocol included in
MIT Kerberos. The Common Vulnerabilities and Exposures project has assigned
the name CAN-2003-0139 to this issue.

Vulnerabilities have been found in the Kerberos IV authentication
protocol which allow an attacker with knowledge of a cross-realm key, which is
shared with another realm, to impersonate any principal in that realm to
any service in that realm. This vulnerability can only be closed by
disabling cross-realm authentication in Kerberos IV (CAN-2003-0138).

Vulnerabilities have been found in the RPC library used by the kadmin
service in Kerberos 5. A faulty length check in the RPC library exposes
kadmind to an integer overflow which can be used to crash kadmind
(CAN-2003-0028).

The Key Distribution Center (KDC) allows remote, authenticated attackers
to cause a denial of service (crash) on KDCs within the same realm via a
certain protocol request that causes the KDC to corrupt its heap
(CAN-2003-0082).

All users of Kerberos are advised to upgrade to these errata packages,
which disable cross-realm authentication by default for Kerberos IV and
which contain patches that correct these issues."

I propose the following SQL query for this vulnerability on Red Hat 9:

OVAL-ID: TBA

Status: Initial Submission
Version: 0
Date Modified: 2003-08-14
Platform: Red Hat 9
Query Synopsis:
-- Vulnerable software exists:
        o Red Hat 9 on ix86
        o krb5-server rpm version prior to 1.2.7-14 is installed

SELECT 'CAN-2003-0028' FROM Placeholder WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Red Hat 9
-- This query is for Red Hat 9...
        (SELECT 'Red Hat 9 is installed' FROM RedHat_RPMinfo WHERE
                RPMName = 'redhat-release' AND
                RPMVersion = '9')
AND EXISTS
--
-- ...on i386 machines.
--
        (SELECT 'ix86 architecture' FROM RedHat_Uname WHERE
                MachineClass LIKE 'i_86')
AND EXISTS
--
-- krb5-server rpm version prior to 1.2.7-14 is installed
--
        (SELECT 'krb5-server version < 1.2.7-14' FROM RedHat_RPMVersionCompare WHERE
                RPMName = 'krb5-server' AND
                RPMTestedEpoch IS NULL AND
                RPMTestedVersion = '1.2.7' AND
                RPMTestedRelease = '14' AND
                RPMInstalledVersion = 'earlier')
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
--
-- HELP: What configuration workaround would help here? I can build a kerberos
--       environment, but would be greatly assisted by anyone who has one
--       of their own.
--
-- ### END VULNERABLE CONFIGURATION
;
-----------------------------------------------------------------
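The three conditions the query encodes (Red Hat 9, an ix86 machine class, and a krb5-server package earlier than 1.2.7-14) can be evaluated locally with an RPM-style version comparison. This is an added Python example, not OVAL's or the poster's code; the host inventory dict is constructed sample data, and the comparison is a simplified rpmvercmp (no tilde or caret handling).

```python
import re

# Simplified rpmvercmp: split into digit runs and letter runs, compare segment by segment.
def _segments(s):
    return re.findall(r"\d+|[A-Za-z]+", s)

def rpmvercmp(a, b):
    """Return -1, 0 or 1 comparing two RPM version or release strings."""
    if a == b:
        return 0
    sa, sb = _segments(a), _segments(b)
    for x, y in zip(sa, sb):
        xd, yd = x.isdigit(), y.isdigit()
        if xd and yd:                      # both numeric: compare as integers
            if int(x) != int(y):
                return 1 if int(x) > int(y) else -1
        elif xd != yd:                     # numeric segment beats alphabetic
            return 1 if xd else -1
        elif x != y:                       # both alphabetic: plain string order
            return 1 if x > y else -1
    if len(sa) == len(sb):
        return 0
    return 1 if len(sa) > len(sb) else -1  # leftover segments win

def evr_cmp(installed, tested):
    """Compare (epoch, version, release) tuples; a NULL epoch counts as 0."""
    e1, e2 = int(installed[0] or 0), int(tested[0] or 0)
    if e1 != e2:
        return 1 if e1 > e2 else -1
    c = rpmvercmp(installed[1], tested[1])
    return c if c else rpmvercmp(installed[2], tested[2])

# Constructed sample inventory, mirroring the RedHat_RPMinfo / RedHat_Uname rows.
SAMPLE_HOST = {
    "rpms": {"redhat-release": (None, "9", "3"),
             "krb5-server": (None, "1.2.7", "10")},
    "machine": "i686",
}

def is_vulnerable_can_2003_0028(host):
    rpms = host["rpms"]
    rh9 = rpms.get("redhat-release", (None, "", ""))[1] == "9"
    ix86 = re.fullmatch(r"i.86", host["machine"]) is not None  # LIKE 'i_86'
    krb = rpms.get("krb5-server")
    earlier = krb is not None and evr_cmp(krb, (None, "1.2.7", "14")) < 0
    return rh9 and ix86 and earlier
```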