'Highly critical' Kerberos 5 flaws
Attackers could exploit "highly critical" security holes in Kerberos 5 to cause a denial of service or launch malicious code, Danish security firm Secunia said in an advisory.
Sun Microsystems said Tuesday that the problems affect its Enterprise Authentication Mechanism software as well as versions seven through 10 of the Solaris operating system.
The first vulnerability is that "a double-free error in the 'krb5_recvauth()' function can potentially be exploited to execute arbitrary code in the context of the program calling this function," Secunia said. "Successful exploitation may lead to the compromise of an entire Kerberos realm or cause the program to crash." The flaw has been reported in kpropd, klogind, and krshd versions 1.4.1 and prior. Any third-party programs calling the 'krb5_recvauth()' function are also vulnerable, the firm added.
The second issue is an error in the Key Distribution Center (KDC) implementation that causes memory to be
The third problem is that a boundary error in the KDC can cause a single-byte heap-based buffer overflow if the attacker uses a specially crafted TCP or UDP request. "This can potentially be exploited to execute arbitrary code," Secunia said. "Successful exploitation may lead to the compromise of an entire Kerberos realm or cause a [denial of service]." The vulnerability has been reported in KDC implementations and application servers 1.4.1 and prior. Third-party application servers using MIT krb5 are also affected, the firm said.
The Secunia advisory links to advisories from the Massachusetts Institute of Technology's (MIT) Kerberos Team. The advisories outline patches and workarounds, and Secunia noted the flaws will also be fixed in version 1.4.2.
Cisco addresses multiple CallManager flaws
Attackers could exploit multiple security holes in Cisco CallManager to cause a denial of service, corrupt memory and launch malicious code, the networking giant said in an advisory. But fixes are available.
Cisco CallManager [CCM] is the software-based call-processing component of the Cisco IP telephony product. It extends enterprise telephony features and functions to packet telephony network devices such as IP phones, media processing devices, Voice over IP (VoIP) gateways and multimedia applications, Cisco said. The vulnerabilities are that:
- RISDC (Realtime Information Server Data Collection) sockets are not timed out aggressively enough, which can be exploited to cause "RisDC.exe" to consume large amounts of memory and ports.
- The CTI Manager [ctimgr.exe] may restart when using more than 1GB of memory. This can be exploited by continuously sending specially crafted packets causing the CTI Manager to allocate more than 1GB of memory .
- An error within the handling of specially crafted packets can be exploited to cause CallManager to allocate 500MB of memory to the ccm.exe process. This can be exploited to exhaust memory and cause CallManager to restart when under a heavy load.
- A memory leak within the login handling for the Admin Service Tool when MLA [Multi Level Admin] is enabled [disabled by default] can be exploited to exhaust memory resources.
- A boundary error in the aupair service (aupair.exe) can be exploited by specially crafted packets to cause a buffer overflow.
The advisory includes details on the specific patches to fix the problems.
Apple plugs Mac OS X security holes
Apple has patched two security holes in Mac OS X an attacker could exploit to replace system widgets or crash machines. Apple described two flaws in its advisory:
- A NULL pointer dereference error in the TCP/IP implementation attackers could exploit to crash the kernel using a specially crafted TCP/IP packet. Mac OS X 10.4 and Mac OS X Server 10.4 are affected.
- An error in the dashboard attackers could exploit to install widgets with the same internal identifier [CFBundleIdentifier] as Apple-supplied widgets, thereby replacing them. Mac OS X 10.4 and Mac OS X Server 10.4 are affected.