-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 OpenAFS Security Advisory 2003-001 Topic: Cryptographic weakness in Kerberos v4 Issued: 25-Mar-2003 Last Update: 25-Mar-2003 Affected: OpenAFS 1.0 - 1.2.8, OpenAFS 1.3.0 - 1.3.2 A cryptographic weakness in version 4 of the Kerberos protocol, implemented by the OpenAFS kaserver, allows an attacker to impersonate any user in the cell. This vulnerability can be exploited if the attacker has a shared cross-realm key with the given cell, or can create arbitrary principal names in kaserver. If you are running a Kerberos implementation other than kaserver, please refer to the FIXES section below, and the MIT krb5 advisory: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt SUMMARY ======= A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. OpenAFS kaserver implements version 4 of the Kerberos protocol, and therefore is vulnerable. An attacker that knows a shared cross-realm key between any remote realm and the local realm can impersonate any principal in the local realm to AFS database servers and file servers in the local cell, and other services in the local realm. An attacker that can create arbitrary principal names in a realm can also impersonate any principal in that realm. If your realm has no shared keys, and does not allow users to create arbitrary principal names, you are not exposed to this vulnerability. There are no known publicly-available exploits for this vulnerability at this time. IMPACT ====== * An attacker controlling a shared cross-realm key with a remote kaserver realm can impersonate any principal in the remote realm to any service in the remote realm. This can lead to root-level compromise of database servers and file servers, and any other machines that rely on authentication provided by kaserver (if it is used as a Kerberos v4 KDC). * This attack may be performed against cross-realm principals, thus allowing an attacker to hop realms and compromise any realm that transitively shares a cross-realm key with the attacker's local realm. * Related, but more difficult attacks may be possible without requiring the control of a shared cross-realm key. At the very least, an attacker capable of creating arbitrary principal names in the target realm may be able to perform the attack. AFFECTED SOFTWARE ================= All releases of OpenAFS 1.0.x and 1.1.x. All releases of OpenAFS 1.2.x, up to and including OpenAFS 1.2.8. All releases of OpenAFS 1.3.x, up to and including OpenAFS 1.3.2. FIXES ===== The OpenAFS project recomments that all users of kaserver disable all cross-realm authentication, by either deleting cross-realm keys (using "kas delete"; simply disabling the keys is insufficient), upgrading to OpenAFS 1.2.9 when it becomes available (where kaserver cross-realm authentication is disabled by default), or applying this kaserver patch, which disables cross-realm authentication in kaserver by default: http://www.openafs.org/security/kaserver-disable-krb4-crossrealm-20030317.delta The associated detached PGP signature is at: http://www.openafs.org/security/kaserver-disable-krb4-crossrealm-20030317.delta.asc It was generated against OpenAFS 1.2.8, but should apply to earlier releases, possibly with some offset. No update is presently available for the OpenAFS-unstable series. Sites that require the use of cross-realm authentication must use native Kerberos v5 AFS authentication, available in OpenAFS 1.2.8 and above. Native Kerberos v5 AFS authentication is not vulnerable to the problem described in this advisory. Sites currently using kaserver are encouraged to upgrade to Kerberos version 5; instructions for upgrading to MIT krb5 or Heimdal are available in the REFERENCES section. If upgrading to MIT krb5, you must be running MIT krb5 version 1.2.6 or later to use AFS krb5 (rxkad proposal 2b) authentication. This announcement and code patches related to it may be found on the OpenAFS security advisory page at: http://www.openafs.org/security/ The main OpenAFS web page is at: http://www.openafs.org/ ACKNOWLEDGEMENTS ================ Thanks to the MIT krb5 team for the discovery of this vulnerability, and the MITKRB5-SA-2003-004 advisory, which was used in writing this OpenAFS advisory. REFERENCES ========== * MIT krb5 Security Advisory 2003-004 http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt * rxkad proposal 2b /afs/grand.central.org/doc/protocol/rx/rxkad-2b.txt http://grand.central.org/dl/doc/protocol/rx/rxkad-2b.html * Instructions for upgrading from kaserver to Heimdal http://www.dementia.org/~shadow/ka2heim.txt * Kerberos v5 migration kit (upgrading from kaserver to MIT krb5) /afs/grand.central.org/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz http://grand.central.org/dl/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz ftp://grand.central.org/pub/contrib/security/afs-krb5/afs-krb5-2.0.tar.gz -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.2.1 (SunOS) iD8DBQE+gBXOlrhgrDZcUhURAnSmAJ0cigY3PdDe1eZmxM6x8hdY9JrFggCdGkYz j2RrlAOr7KRS8SPA38mozXM= =fg22 -----END PGP SIGNATURE-----