Update Protection against MIT Kerberos Multiple Remote Code Execution Vulnerabilities
| Check Point Reference: | CPAI-2007-078 | |
| Date Published: | ||
| Severity: | ||
| Source: | Secunia Advisory: SA25800 | |
| Industry Reference(s): | CVE-2007-2442 CVE-2007-2443 |
|
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? MIT Kerberos krb5-1.6.1 and prior | ||
| Vulnerability Description Multiple vulnerabilities have been reported in the Kerberos Administration Server. Kerberos is a protocol suite that provides authenticated communication between two points on a network. The Kerberos V5 administration server (kadmind) utilizes the encrypted SUN-RPC protocol to communicate with its remote clients. A remote attacker may exploit these vulnerabilities to execute arbitrary code on an affected system. |
||
|
Update/Patch Available Apply patch: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-004.txt |
|
|
Vulnerability Details CVE-2007-2442: The vulnerability is due to a memory corruption error in the Kerberos Administration Server (kadmind) within the "gssrpc__svcauth_gssapi" function in the RPC library, which fails to properly validate user-supplied data while processing RPC requests. CVE-2007-2443: The vulnerability is due to an Integer signedness error in the Kerberos Administration Server (kadmind) within the "gssrpc__svcauth_unix()" function in the RPC library, that fails to properly handle malformed RPC requests. |
Protection Overview
By enabling this protection, SmartDefense will detect and block malformed RPC requests.
In order for the protection to be activated, update your VPN-1/InterSpect/Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The Update released on July 16, 2007 includes the following protections:
MIT Kerberos Multiple Remote Code Execution Vulnerabilities (CPAI-2007-078)
Samba NetDFS RPC Remote Code Execution Vulnerability (CPAI-2007-079)
Security Best Practice: Blocking Skype (SBP-2007-07)
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Sun-RPC.
2. Select the following protections:
Block MIT Kerberos Kadmind RPC Vulnerability
Block MIT Kerberos Unix Authentication Vulnerability
3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: SUN-RPC Enforcement Protection
Attack Information:
MIT Kerberos RPC vulnerability detected
MIT Kerberos unix authentication vulnerability detected
VPN-1 NGX R61, R60 & VPN-1 NG with Application Intelligence R55W
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SUN-RPC.
2. Select the following protections:
Block MIT Kerberos Kadmind RPC Vulnerability
Block MIT Kerberos Unix Authentication Vulnerability
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: SUN-RPC Enforcement Protection
Attack Information:
MIT Kerberos RPC vulnerability detected
MIT Kerberos unix authentication vulnerability detected
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SUN-RPC.
2. Select the following protections:
Block MIT Kerberos Kadmind RPC Vulnerability
Block MIT Kerberos Unix Authentication Vulnerability
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99899 and #99902 for MIT Kerberos RPC vulnerability, and MIT Kerberos unix authentication accordingly.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SUN-RPC.
2. Select the following protections:
Block MIT Kerberos Kadmind RPC Vulnerability
Block MIT Kerberos Unix Authentication Vulnerability
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log rules #99899 and #99902 for MIT Kerberos RPC vulnerability, and MIT Kerberos unix authentication accordingly.
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > UNIX-RPC.
3. Select the following protections:
Block MIT Kerberos Kadmind RPC Vulnerability
Block MIT Kerberos Unix Authentication Vulnerability
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: SUN-RPC Enforcement Protection
Attack Information:
MIT Kerberos RPC vulnerability detected
MIT Kerberos unix authentication vulnerability detected
InterSpect 2.0
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SUN-RPC.
2. Select the following protections:
Block MIT Kerberos Kadmind RPC Vulnerability
Block MIT Kerberos Unix Authentication Vulnerability
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: SUN-RPC Enforcement Protection
Attack Information:
MIT Kerberos RPC vulnerability detected
MIT Kerberos unix authentication vulnerability detected
Connectra NGX R62 & R61
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following:
Block MIT Kerberos Kadmind RPC Vulnerability
Block MIT Kerberos Unix Authentication Vulnerability
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:
Attack Name: SUN-RPC Enforcement Protection
Attack Information:
MIT Kerberos RPC vulnerability detected
MIT Kerberos unix authentication vulnerability detected