OVAL query for kerberos vuln CAN-2003-0138

Jay Beale
A machine isn't vulnerable to the following vulnerability if it does not
accept Kerberos 4 authentication.

Does anyone know how we could test that within our current schema?

 - Jay

------

CVE-ID: CAN-2003-0138
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0138

CVE Description: "Version 4 of the Kerberos protocol (krb4), as used
in Heimdal and other packages, allows an attacker to impersonate any
principal in a realm via a chosen-plaintext attack."

Red Hat Security Advisory RHSA-2003:091-22
Updated kerberos packages fix various vulnerabilities
https://rhn.redhat.com/errata/RHSA-2003-091.html

"Updated Kerberos packages for Red Hat Linux 9 fix a number of
vulnerabilities found in MIT Kerberos.

Kerberos is a network authentication system. The MIT Kerberos team
released an advisory describing a number of vulnerabilities that affect
the kerberos packages shipped as part of Red Hat Linux 9. These issues
include:

Vulnerabilities have been found in the triple-DES key support found in
the implementation of the Kerberos IV authentication protocol included
in MIT Kerberos. The Common Vulnerabilities and Exposures project has
assigned the name CAN-2003-0139 to this issue.

Vulnerabilities have been found in the Kerberos IV authentication
protocol which allow an attacker with knowledge of a cross-realm key,
which is shared with another realm, to impersonate any principal in that
realm to any service in that realm. This vulnerability can only be
closed by disabling cross-realm authentication in Kerberos IV
(CAN-2003-0138).

Vulnerabilities have been found in the RPC library used by the kadmin
service in Kerberos 5. A faulty length check in the RPC library exposes
kadmind to an integer overflow which can be used to crash kadmind
(CAN-2003-0028).

The Key Distribution Center (KDC) allows remote, authenticated attackers
to cause a denial of service (crash) on KDCs within the same realm via a
certain protocol request that causes the KDC to corrupt its heap
(CAN-2003-0082).

All users of Kerberos are advised to upgrade to these errata packages,
which disable cross-realm authentication by default for Kerberos IV and
which contain patches that correct these issues."

I propose the following SQL query for this vulnerability on Red Hat 9:

OVAL-ID: TBA

Status: Initial Submission
Version: 0
Date Modified: 2003-08-14
Platform: Red Hat 9
Query Synopsis:
-- Vulnerable software exists:
        o Red Hat 9 on ix86
        o krb5-libs rpm version prior to 1.2.7-14 is installed
        o krb5-server/krb5-workstation rpm version < 1.2.7-14 is installed

SELECT 'CAN-2003-0138' FROM Placeholder WHERE EXISTS
-- ### BEGIN VULNERABLE SOFTWARE EXISTS
--
-- Red Hat 9
-- This query is for Red Hat 9...
        (SELECT 'Red Hat 9 is installed' FROM RedHat_RPMinfo WHERE
                RPMName = 'redhat-release' AND
                RPMVersion = '9')
AND EXISTS
--
-- ...on i386 machines.
--
        (SELECT 'ix86 architecture' FROM RedHat_Uname WHERE
                MachineClass LIKE 'i_86')
AND EXISTS
--
-- krb5-libs rpm version prior to 1.2.7-14 is installed
--
        (SELECT 'krb5-libs version < 1.2.7-14' FROM RedHat_RPMVersionCompare WHERE
                RPMName = 'krb5-libs' AND
                RPMTestedEpoch IS NULL AND
                RPMTestedVersion = '1.2.7' AND
                RPMTestedRelease = '14' AND
                RPMInstalledVersion = 'earlier')
AND EXISTS
--
-- krb5-server or krb5-workstation is installed
--
        (SELECT 'krb5-server or krb5-workstation installed' FROM Placeholder WHERE EXISTS
        --
        -- krb5-server rpm version prior to 1.2.7-14 is installed
        --
                (SELECT 'krb5-server version < 1.2.7-14' FROM RedHat_RPMVersionCompare WHERE
                        RPMName = 'krb5-server' AND
                        RPMTestedEpoch IS NULL AND
                        RPMTestedVersion = '1.2.7' AND
                        RPMTestedRelease = '14' AND
                        RPMInstalledVersion = 'earlier')
        OR EXISTS
        --
        -- krb5-workstation rpm version prior to 1.2.7-14 is installed
        --
                (SELECT 'krb5-workstation version < 1.2.7-14' FROM RedHat_RPMVersionCompare WHERE
                        RPMName = 'krb5-workstation' AND
                        RPMTestedEpoch IS NULL AND
                        RPMTestedVersion = '1.2.7' AND
                        RPMTestedRelease = '14' AND
                        RPMInstalledVersion = 'earlier')
        )
-- ### END VULNERABLE SOFTWARE EXISTS
--
-- ### BEGIN VULNERABLE CONFIGURATION
--
-- HELP: Machine is not vulnerable if it doesn't do kerberos 4 at all.
--       There doesn't appear to be a way to test this via our schema.
--       Anyone have any ideas?
--
-- ### END VULNERABLE CONFIGURATION
;
-----------------------------------------------------------------
INSERT IDs used:

New INSERTs:


-----------------------------------------------------------------
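The "vulnerable software exists" block above leans on the RedHat_RPMVersionCompare table to decide 'earlier'/'same'/'later', which hides the rpm version-comparison semantics the agent must implement (a release of '9' is earlier than '14' even though it sorts later as a string). The following is an added example, not code from the OVAL list or from Red Hat, that reimplements those semantics and evaluates the same EXISTS chain over constructed package inventories; the inventory layout and the function names are assumptions.

```python
# Added example, not from the OVAL list post: evaluates the query's
# "vulnerable software exists" block against a constructed inventory.
# RedHat_RPMVersionCompare hides the rpmvercmp semantics behind the
# 'earlier'/'same'/'later' column; this reimplements them.
import re

def rpmvercmp(a: str, b: str) -> int:
    """rpm-style segment compare: numeric segments as integers, alpha
    segments as strings, numeric newer than alpha. Returns -1, 0 or 1."""
    sa, sb = (re.findall(r"\d+|[A-Za-z]+", s) for s in (a, b))
    for x, y in zip(sa, sb):
        if x.isdigit() and y.isdigit():
            if int(x) != int(y):
                return -1 if int(x) < int(y) else 1
        elif x.isdigit() != y.isdigit():
            return 1 if x.isdigit() else -1
        elif x != y:
            return -1 if x < y else 1
    return (len(sa) > len(sb)) - (len(sa) < len(sb))

def compare_evr(installed, tested) -> str:
    """(epoch, version, release) -> 'earlier', 'same' or 'later' like RPMInstalledVersion; NULL epoch is 0."""
    for x, y in zip(installed, tested):
        c = rpmvercmp(str(x or 0), str(y or 0))
        if c:
            return "earlier" if c < 0 else "later"
    return "same"

FIXED = (None, "1.2.7", "14")  # fixed krb5 build named in the advisory

def vulnerable_software_exists(inventory, machine_class) -> bool:
    """Red Hat 9 on ix86, krb5-libs < 1.2.7-14, and krb5-server or
    krb5-workstation < 1.2.7-14, exactly as the SQL's EXISTS chain."""
    def earlier(name):
        return name in inventory and compare_evr(inventory[name], FIXED) == "earlier"
    return (inventory.get("redhat-release", (None, "", ""))[1] == "9"
            and re.fullmatch(r"i.86", machine_class) is not None  # LIKE 'i_86'
            and earlier("krb5-libs")
            and (earlier("krb5-server") or earlier("krb5-workstation")))

# Constructed inventories, not real host data: name -> (epoch, version, release)
UNPATCHED = {"redhat-release": (None, "9", "3"), "krb5-libs": (None, "1.2.7", "9"),
             "krb5-workstation": (None, "1.2.7", "9")}
PATCHED = {"redhat-release": (None, "9", "3"), "krb5-libs": (None, "1.2.7", "14"),
           "krb5-workstation": (None, "1.2.7", "14")}
LIBS_ONLY = {"redhat-release": (None, "9", "3"), "krb5-libs": (None, "1.2.7", "9")}

if __name__ == "__main__":
    for label, inv in (("unpatched", UNPATCHED), ("patched", PATCHED), ("libs only", LIBS_ONLY)):
        print(label, vulnerable_software_exists(inv, "i686"))
```

Note that LIBS_ONLY does not fire, matching the query's requirement that krb5-server or krb5-workstation also be present; the vulnerable-configuration half (whether Kerberos 4 is accepted at all) is still not expressible here, which is the open question in the post.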