Update Protection against MIT Kerberos kadmind RPC Library RPCSEC_GSS Authentication Buffer Overflow Vulnerability
| Check Point Reference: | CPAI-2007-126 | |
| Date Published: | ||
| Severity: | ||
| Last Updated: | ||
| Source: | Secunia Advisory: SA26676 | |
| Industry Reference(s): | CVE-2007-3999 | |
| Protection Provided by: |
VPN-1
|
|
| Who is Vulnerable? MIT Kerberos krb5-1.4 to krb5-1.6.2 | ||
| Vulnerability Description A buffer overflow vulnerability has been reported in the Kerberos Administration Server (kadmind). Kerberos is a protocol suite that provides authenticated communication between two points on a network. The Kerberos V5 administration server utilizes the encrypted SUN-RPC protocol to communicate with its remote clients. A remote attacker may exploit this vulnerability to execute arbitrary code on an affected system. |
||
|
Update/Patch Available Update to Kerberos 1.5.5 or 1.6.3 or apply patches. http://web.mit.edu/kerberos/advisories/2007-006-patch.txt |
|
|
Vulnerability Details The vulnerability is due to a boundary error in the Kerberos Administration Server that fails to properly handle malformed RPC requests. A remote attacker may exploit this vulnerability via a specially crafted RPC request sent to the kadmind daemon. Successful exploitation may cause denial of service or allow execution of arbitrary code on the target system. |
Protection Overview
By enabling this protection, SmartDefense will detect and block malformed RPC requests sent to the kadmind daemon.
In order for the protection to be activated, update your VPN-1 / InterSpect / Connectra product to the latest SmartDefense update. For information on how to update SmartDefense, go to SBP-2006-05, Protection tab and select the version of your choice.
To configure the defense, select your product from the list below and follow the related protection steps.
Additional Information
The update released on November 7, 2007 includes the following protections:
Microsoft Windows Media Player Skin Parsing Vulnerability (MS07-047) – CPAI-2007-102
MIT Kerberos kadmind RPC Library Buffer Overflow Vulnerability (CPAI-2007-126)
Sun Microsystems JRE Memory Exception Vulnerability (CPAI-2007-127)
Microsoft Windows MFC Library Heap Overflow Vulnerability (CPAI-2007-128)
Protections against Recent Malware Threats (CPAI-2007-129)
VPN-1 NGX R65 & R62
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > Sun-RPC.
2. Select the following protection:
Block MIT Kerberos Kadmind GSS Vulnerability
3. In the configuration pane, under Settings > Mode, check Active.
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: SUN-RPC Enforcement Protection
Attack Information: MIT Kerberos GSS vulnerability detected
VPN-1 NGX R61 & R60
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SUN-RPC.
2. Select the following protection:
Block MIT Kerberos Kadmind GSS Vulnerability
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: SUN-RPC Enforcement Protection
Attack Information: MIT Kerberos GSS vulnerability detected
VPN-1 NG with Application Intelligence R55
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SUN-RPC.
2. Select the following protection:
Block MIT Kerberos Kadmind GSS Vulnerability
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99932 will appear on the SmartView Tracker.
VPN-1 VSX NGX
How Can I Protect My Network?
1. In the SmartDefense tree, click Application Intelligence > SUN-RPC.
2. Select the following protection:
Block MIT Kerberos Kadmind GSS Vulnerability
3. Install security policy on all modules.
How Do I Know if My Network is Under Attack?
Rule #99932 will appear on the SmartView Tracker.
InterSpect NGX
How Can I Protect My Network?
1. In the left pane, select Profiles > Default Protection and select the SmartDefense page of the profile.
2. In the SmartDefense tree, click Application Intelligence > UNIX-RPC.
3. Select the following protection:
Block MIT Kerberos Kadmind GSS Vulnerability
4. Install policy on all modules.
How Do I Know if My Network is Under Attack?
SmartView Tracker will log the following entries:
Attack Name: SUN-RPC Enforcement Protection
Attack Information: MIT Kerberos GSS vulnerability detected
Connectra NGX R62 & R61
How Can I Protect My Network?
1. In the left-hand menu, click Security > SmartDefense > Application Intelligence.
2. In the Dynamic Attacks pane, select the following protection:
Block MIT Kerberos Kadmind GSS Vulnerability
3. Install policy on all modules.
How Do I Know if My Network is Under Attack?
In case of an attack, the following log entries will be displayed:
Attack Name: SUN-RPC Enforcement Protection
Attack Information: MIT Kerberos GSS vulnerability detected
IPS-1 & IPS-1 NGX R65
How Can I Protect My Network?
1. In the IPS-1 Policy Manager, click on the Protection tab.
2. In the Protection tree, click Application Intelligence > RPC, and select the Kerberos Kadmind Overflow protection group.
3. Click MIT Kerberos RPCSEC_GSS Authentication Buffer Overflow (IPS-1 NGX R65 only).
4. In the configuration pane, under Settings, check Active.
5. Click on Install Policy.
How Do I Know if My Network is Under Attack?
Upon attack, the following entry will be logged:
Alert Name: rpc_kerberos
Description: kadmind_rpcsec_auth_buffer_overflow_alert