[OpenAFS-announce] OpenAFS Security Advisory 2003-001: Cryptographic weakness in Kerberos
Tue, 25 Mar 2003 03:53:52 -0500 (EST)
-----BEGIN PGP SIGNED MESSAGE-----
OpenAFS Security Advisory 2003-001
Topic: Cryptographic weakness in Kerberos v4
Last Update: 25-Mar-2003
Affected: OpenAFS 1.0 - 1.2.8, OpenAFS 1.3.0 - 1.3.2
A cryptographic weakness in version 4 of the Kerberos protocol,
implemented by the OpenAFS kaserver, allows an attacker to impersonate any
user in the cell. This vulnerability can be exploited if the attacker has
a shared cross-realm key with the given cell, or can create arbitrary
principal names in kaserver. If you are running a Kerberos implementation
other than kaserver, please refer to the FIXES section below, and the MIT
A cryptographic weakness in version 4 of the Kerberos protocol allows an
attacker to use a chosen-plaintext attack to impersonate any principal in
a realm. OpenAFS kaserver implements version 4 of the Kerberos protocol,
and therefore is vulnerable. An attacker that knows a shared cross-realm
key between any remote realm and the local realm can impersonate any
principal in the local realm to AFS database servers and file servers in
the local cell, and other services in the local realm. An attacker that
can create arbitrary principal names in a realm can also impersonate any
principal in that realm.
If your realm has no shared keys, and does not allow users to create
arbitrary principal names, you are not exposed to this vulnerability.
There are no known publicly-available exploits for this vulnerability at
* An attacker controlling a shared cross-realm key with a remote kaserver
realm can impersonate any principal in the remote realm to any service
in the remote realm. This can lead to root-level compromise of
database servers and file servers, and any other machines that rely on
authentication provided by kaserver (if it is used as a Kerberos v4
* This attack may be performed against cross-realm principals, thus
allowing an attacker to hop realms and compromise any realm that
transitively shares a cross-realm key with the attacker's local realm.
* Related, but more difficult attacks may be possible without requiring
the control of a shared cross-realm key. At the very least, an attacker
capable of creating arbitrary principal names in the target realm may be
able to perform the attack.
All releases of OpenAFS 1.0.x and 1.1.x.
All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.8.
All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2.
The OpenAFS project recomments that all users of kaserver disable all
cross-realm authentication, by either deleting cross-realm keys (using
"kas delete"; simply disabling the keys is insufficient), upgrading to
OpenAFS 1.2.9 when it becomes available (where kaserver cross-realm
authentication is disabled by default), or applying this kaserver patch,
which disables cross-realm authentication in kaserver by default:
The associated detached PGP signature is at:
It was generated against OpenAFS 1.2.8, but should apply to earlier
releases, possibly with some offset.
No update is presently available for the OpenAFS-unstable series.
Sites that require the use of cross-realm authentication must use native
Kerberos v5 AFS authentication, available in OpenAFS 1.2.8 and above.
Native Kerberos v5 AFS authentication is not vulnerable to the problem
described in this advisory. Sites currently using kaserver are encouraged
to upgrade to Kerberos version 5; instructions for upgrading to MIT krb5
or Heimdal are available in the REFERENCES section. If upgrading to MIT
krb5, you must be running MIT krb5 version 1.2.6 or later to use AFS krb5
(rxkad proposal 2b) authentication.
This announcement and code patches related to it may be found on the
OpenAFS security advisory page at:
The main OpenAFS web page is at:
Thanks to the MIT krb5 team for the discovery of this vulnerability, and
the MITKRB5-SA-2003-004 advisory, which was used in writing this OpenAFS
* MIT krb5 Security Advisory 2003-004
* rxkad proposal 2b
* Instructions for upgrading from kaserver to Heimdal
* Kerberos v5 migration kit (upgrading from kaserver to MIT krb5)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (SunOS)
-----END PGP SIGNATURE-----