[OpenAFS-announce] OpenAFS Security Advisory 2003-001: Cryptographic weakness in Kerberos v4
Nickolai Zeldovich
kolya@MIT.EDU
Tue, 25 Mar 2003 03:53:52 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
OpenAFS Security Advisory 2003-001
Topic: Cryptographic weakness in Kerberos v4
Issued: 25-Mar-2003
Last Update: 25-Mar-2003
Affected: OpenAFS 1.0 - 1.2.8, OpenAFS 1.3.0 - 1.3.2
A cryptographic weakness in version 4 of the Kerberos protocol,
implemented by the OpenAFS kaserver, allows an attacker to impersonate any
user in the cell. This vulnerability can be exploited if the attacker has
a shared cross-realm key with the given cell, or can create arbitrary
principal names in kaserver. If you are running a Kerberos implementation
other than kaserver, please refer to the FIXES section below, and the MIT
krb5 advisory:
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
SUMMARY
=======
A cryptographic weakness in version 4 of the Kerberos protocol allows an
attacker to use a chosen-plaintext attack to impersonate any principal in
a realm. OpenAFS kaserver implements version 4 of the Kerberos protocol,
and therefore is vulnerable. An attacker that knows a shared cross-realm
key between any remote realm and the local realm can impersonate any
principal in the local realm to AFS database servers and file servers in
the local cell, and other services in the local realm. An attacker that
can create arbitrary principal names in a realm can also impersonate any
principal in that realm.
If your realm has no shared keys, and does not allow users to create
arbitrary principal names, you are not exposed to this vulnerability.
There are no known publicly-available exploits for this vulnerability at
this time.
IMPACT
======
* An attacker controlling a shared cross-realm key with a remote kaserver
realm can impersonate any principal in the remote realm to any service
in the remote realm. This can lead to root-level compromise of
database servers and file servers, and any other machines that rely on
authentication provided by kaserver (if it is used as a Kerberos v4
KDC).
* This attack may be performed against cross-realm principals, thus
allowing an attacker to hop realms and compromise any realm that
transitively shares a cross-realm key with the attacker's local realm.
* Related but more difficult attacks may be possible without requiring
control of a shared cross-realm key. At the very least, an attacker
capable of creating arbitrary principal names in the target realm may be
able to perform the attack.
AFFECTED SOFTWARE
=================
All releases of OpenAFS 1.0.x and 1.1.x.
All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.8.
All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2.
FIXES
=====
The OpenAFS project recommends that all users of kaserver disable all
cross-realm authentication, by deleting cross-realm keys (using
"kas delete"; simply disabling the keys is insufficient), by upgrading to
OpenAFS 1.2.9 when it becomes available (where kaserver cross-realm
authentication is disabled by default), or by applying this kaserver
patch, which disables cross-realm authentication in kaserver by default:
http://www.openafs.org/security/kaserver-disable-krb4-crossrealm-20030317.delta
The associated detached PGP signature is at:
http://www.openafs.org/security/kaserver-disable-krb4-crossrealm-20030317.delta.asc
It was generated against OpenAFS 1.2.8, but should apply to earlier
releases, possibly with some offset.
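As an added defender-side check, not part of this advisory or of the OpenAFS project: a small POSIX shell script that scans the principal names reported by "kas list" for cross-realm ticket-granting entries, so an administrator can confirm that none remain after following the deletion step above. It runs against a constructed sample list embedded in the script, and it assumes that kaserver stores the cross-realm key for REMOTE.REALM under a principal named "krbtgt.REMOTE.REALM" (the Kerberos v4 convention); adjust the pattern if your cell names them differently.

```shell
#!/bin/sh
# Added audit helper; not part of the OpenAFS advisory or the OpenAFS
# project. It scans principal names from "kas list" for cross-realm
# ticket-granting entries so an administrator can see whether a kaserver
# cell still holds cross-realm keys that should be removed with
# "kas delete" (disabling them is insufficient, per the advisory).
#
# Assumption (labelled): a cross-realm key for REMOTE.REALM is stored under
# a principal named "krbtgt.REMOTE.REALM", following the Kerberos v4
# convention. Change CROSSREALM_PATTERN if your cell differs.
CROSSREALM_PATTERN='^krbtgt\.'

# Constructed sample of "kas list" output, used by the --demo mode below.
SAMPLE_KAS_LIST='admin
afs
krbtgt.EXAMPLE.ORG
krbtgt.OTHER.EXAMPLE.NET
alice
bob'

# find_crossrealm_entries: read principal names on stdin and print the
# ones that look like cross-realm entries, sorted, one per line.
# The pipeline ends in sort so the function returns 0 even with no match.
find_crossrealm_entries() {
    grep "$CROSSREALM_PATTERN" | sort
}

# count_crossrealm_entries: number of cross-realm entries in stdin.
count_crossrealm_entries() {
    find_crossrealm_entries | wc -l | tr -d ' '
}

# report_exposure: read principal names on stdin, print an assessment,
# and return 0 if no cross-realm entries remain or 1 if some are present.
report_exposure() {
    list=$(cat)
    hits=$(printf '%s\n' "$list" | find_crossrealm_entries)
    if [ -z "$hits" ]; then
        echo "No cross-realm entries found: not exposed via shared cross-realm keys."
        return 0
    fi
    echo "Cross-realm entries still present in kaserver:"
    printf '%s\n' "$hits" | sed 's/^/  /'
    echo "Remove each with: kas delete <name>  (disabling is insufficient)"
    return 1
}

# Usage: "sh audit.sh --demo" runs the constructed sample; for a real cell,
# pipe the output of "kas list" (with your usual admin arguments) into
# report_exposure instead.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_KAS_LIST" | report_exposure
fi
```

The exit status of report_exposure makes the script usable from a cron job or a configuration-management check: a non-zero status means the cell still has cross-realm keys and remains exposed until they are deleted.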
No update is presently available for the OpenAFS-unstable series.
Sites that require the use of cross-realm authentication must use native
Kerberos v5 AFS authentication, available in OpenAFS 1.2.8 and above.
Native Kerberos v5 AFS authentication is not vulnerable to the problem
described in this advisory. Sites currently using kaserver are encouraged
to upgrade to Kerberos version 5; instructions for upgrading to MIT krb5
or Heimdal are available in the REFERENCES section. If upgrading to MIT
krb5, you must be running MIT krb5 version 1.2.6 or later to use AFS krb5
(rxkad proposal 2b) authentication.
This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:
http://www.openafs.org/security/
The main OpenAFS web page is at:
http://www.openafs.org/
ACKNOWLEDGEMENTS
================
Thanks to the MIT krb5 team for the discovery of this vulnerability, and
the MITKRB5-SA-2003-004 advisory, which was used in writing this OpenAFS
advisory.
REFERENCES
==========
* MIT krb5 Security Advisory 2003-004
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
* rxkad proposal 2b
/afs/grand.central.org/doc/protocol/rx/rxkad-2b.txt
http://grand.central.org/dl/doc/protocol/rx/rxkad-2b.html
* Instructions for upgrading from kaserver to Heimdal
http://www.dementia.org/~shadow/ka2heim.txt
* Kerberos v5 migration kit (upgrading from kaserver to MIT krb5)
/afs/grand.central.org/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz
http://grand.central.org/dl/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz
ftp://grand.central.org/pub/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)
iD8DBQE+gBXOlrhgrDZcUhURAnSmAJ0cigY3PdDe1eZmxM6x8hdY9JrFggCdGkYz
j2RrlAOr7KRS8SPA38mozXM=
=fg22
-----END PGP SIGNATURE-----