
ASN.1 Double free vulnerabilities
2004-09-30-ASN.1
Published: 2004-09-30 14:18:19
Updated: 2004-09-30 14:18:19

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

IBM SECURITY ADVISORY

First Issued: Thu Sep 30 14:42:06 CDT 2004

===========================================================================
                           VULNERABILITY SUMMARY

VULNERABILITY:      Double free vulnerabilities may result in a denial of
                    service or allow an attacker to execute arbitrary code.
                    A vulnerability in the ASN.1 decoder library may
                    allow an attacker to cause an infinite loop
                    resulting in a denial of service.

PLATFORMS:          AIX 5.1, AIX 5.2 and AIX 5.3.

SOLUTION:           Apply the fixes described below.

THREAT:             A remote attacker may execute arbitrary code or cause
                    a denial of service against a KDC or kerberized
                    daemon or client.

CERT VU Number:     VU#795632 (CAN-2004-0642), VU#866472 (CAN-2004-0643)
                    and VU#550464 (CAN-2004-0644)
===========================================================================
                           DETAILED INFORMATION


I.  Description
===============
The MIT Kerberos team recently reported various vulnerabilities in Kerberos
version 5. AIX includes several kerberized applications which are affected
by these vulnerabilities. The applications include NFS version 4.0; the
LDAP, KRB5 and KRB5A authentication modules; OpenSSH and the secure
r-commands (rsh, krshd, rlogin, krlogind, ftp, ftpd, telnet and telnetd
when configured to use Kerberos). Kerberos is available for AIX via Network
Authentication Service on the Expansion Pack.

VU#795632 (CAN-2004-0642) and VU#866472 (CAN-2004-0643) may allow an
attacker to execute arbitrary code on a KDC, kerberized daemon or
kerberized client. VU#550464 (CAN-2004-0644) may be exploited to cause a
KDC, kerberized daemon or kerberized client to hang in an infinite loop,
resulting in a denial of service. More information about these
vulnerabilities can be found in MIT krb5 security advisories 2004-002 and
2004-003, which are located at http://web.mit.edu/kerberos/advisories/.

The following versions of Network Authentication Service are vulnerable:

     * Network Authentication Service 1.3.0.1 and earlier
     * Network Authentication Service 1.4.0.0

To determine what version of Network Authentication Service is installed,
execute the following commands:

# lslpp -L krb5.client.rte
# lslpp -L krb5.server.rte

If the filesets are installed they will be listed along with version
information, state, type and a description. The first command prints
information for the client fileset and the second command prints
information for the server fileset. Affected hosts should upgrade all
affected Network Authentication Service filesets that are installed.
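
The version check above can be scripted. The following is an added example,
not part of IBM's advisory: it reads lslpp -L output and flags krb5 filesets
at the affected levels (1.3.0.1 and earlier, or 1.4.0.0). The function names,
the assumed column order (fileset, then level) and the sample output are
constructed for illustration.

```shell
#!/bin/sh
# Added example: classify Network Authentication Service fileset levels
# against the affected versions listed in this advisory.

# ver_le A B: succeed if dotted version A <= B (numeric compare per field).
ver_le() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        if (m > n) n = m
        for (i = 1; i <= n; i++) {
            if ((x[i] + 0) < (y[i] + 0)) exit 0
            if ((x[i] + 0) > (y[i] + 0)) exit 1
        }
        exit 0
    }'
}

# nas_status LEVEL: print "vulnerable" for 1.3.0.1 and earlier or exactly
# 1.4.0.0 (the two affected ranges in the advisory), else "not-listed".
nas_status() {
    if ver_le "$1" 1.3.0.1 || [ "$1" = 1.4.0.0 ]; then
        echo vulnerable
    else
        echo not-listed
    fi
}

# check_lslpp: read lslpp -L output on stdin; for each krb5 fileset row
# print "fileset level status". Assumes the fileset name is column 1 and
# the level is column 2 (assumed layout; header rows never match).
check_lslpp() {
    awk '$1 ~ /^krb5\.(client|server)\.rte$/ { print $1, $2 }' |
    while read -r fileset level; do
        echo "$fileset $level $(nas_status "$level")"
    done
}

# Constructed sample of lslpp -L output (not captured from a real host).
SAMPLE='  Fileset                      Level  State  Type  Description
  ----------------------------------------------------------------
  krb5.client.rte            1.4.0.0    C     F    Network Authentication Service Client
  krb5.server.rte            1.4.0.1    C     F    Network Authentication Service Server'

# On an AIX host, feed the real output instead:
#   { lslpp -L krb5.client.rte; lslpp -L krb5.server.rte; } 2>/dev/null | check_lslpp
printf '%s\n' "$SAMPLE" | check_lslpp
```

A status of "not-listed" means only that the level is not among the affected
versions named in this advisory.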


II. Impact
==========

A remote attacker may cause a denial of service or execute arbitrary code.

III.  Solutions
===============

A. Official Fix
IBM provides the following fixes:

      AIX 5.1.0: Customers using version 1.3.0.1 and earlier may contact their
                 local IBM AIX support center to request version 1.3.0.2 or
                 version 1.4.0.1.
                 Customers using version 1.4.0.0 may contact their local IBM AIX
                 support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.1 Expansion Pack
                 (form number LCD4-1079-10). The Expansion Pack will be
                 available on 12/03/04.
      AIX 5.2.0: Customers using version 1.4.0.0 may contact their local
                 IBM AIX support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.2 Expansion Pack
                 (form number LCD4-1142-06). The Expansion Pack will be
                 available on 12/03/04.
      AIX 5.3.0: Customers using version 1.4.0.0 may contact their local
                 IBM AIX support center to request version 1.4.0.1.
                 Customers may upgrade to version 1.4.0.1 available on the
                 AIX 5L for POWER V5.3 Expansion Pack
                 (form number LCD4-7460-01). The Expansion Pack will be
                 available on 12/03/04.


IV.  Contact Information
========================

If you would like to receive AIX Security Advisories via email, please visit:
     https://techsupport.services.ibm.com/server/pseries.subscriptionSvcs

Comments regarding the content of this announcement can be directed to:

     security-alert@austin.ibm.com

To request the PGP public key that can be used to communicate securely
with the AIX Security Team, send email to security-alert@austin.ibm.com
with a subject of "get key". The key can also be downloaded from a
PGP Public Key Server. The key id is 0x3AE561C3.

Please contact your local IBM AIX support center for any assistance.

eServer is a trademark of International Business Machines Corporation.
IBM, AIX and pSeries are registered trademarks of International Business
Machines Corporation. All other trademarks are property of their
respective holders.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.4 (MingW32)

iD8DBQFBXHsj+0ah+jrlYcMRAmeQAKCj6l2DrmFg9UZFReH869x9HP/ZGgCeLFkL
wMz17Zunf35TbkyfgU1F15Q=
=4aTd
-----END PGP SIGNATURE-----







 
