Novell Open Enterprise Server: MITKRB5-SA-2009-004 [CVE-2009-4212]

  • 7005185
  • 19-Jan-2010
  • 08-Nov-2012

Environment

Novell Open Enterprise Server 2 (OES 2) Linux
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 1
Novell Open Enterprise Server 2 (OES 2) Linux Support Pack 2

Situation

As described in MITKRB5-SA-2009-004 [CVE-2009-4212] (an integer underflow in the AES and RC4 decryption code of the MIT krb5 crypto library, triggered by malformed ciphertext, that crashes the affected daemon and may allow code execution), the following OES2 services are vulnerable if enabled:

    * Novell KDC (NKDC)
    * Kerberos functionality in Domain Services for Windows (DSfW)
    * SASL-GSSAPI LDAP login method

The vulnerability has been addressed in the following package versions:

OES2 SP0 (which uses ix86 rpms for both ix86 and x86_64 OES):
novell-kerberos-admin-server-1.5-32.6.i586.rpm
novell-kerberos-authentication-1.5-32.6.i586.rpm
novell-kerberos-base-1.5-32.6.i586.rpm
novell-kerberos-kdc-1.5-32.6.i586.rpm
novell-kerberos-ldap-extensions-1.5-32.6.i586.rpm
novell-kerberos-password-agent-1.5-32.6.i586.rpm
novell-kerberos-password-server-1.5-32.6.i586.rpm
novell-kerberos-server-base-1.5-32.6.i586.rpm
novell-kerberos-utilities-1.5-32.6.i586.rpm

OES2 SP1 (ix86):
novell-kerberos-base-1.5-39.i586.rpm
novell-kerberos-ldap-extensions-1.5-39.i586.rpm
novell-xad-krb5-1.6.5286-0.4.1.i586.rpm

OES2 SP1 (x86_64):
novell-kerberos-base-1.5-39.x86_64.rpm
novell-kerberos-ldap-extensions-1.5-39.x86_64.rpm
novell-xad-krb5-1.6.5286-0.4.1.x86_64.rpm
novell-xad-krb5-32bit-1.6.5286-0.4.1.x86_64.rpm

OES2 SP2 (ix86):
novell-kerberos-base-1.5-42.i586.rpm
novell-kerberos-ldap-extensions-1.5-42.i586.rpm
novell-xad-krb5-1.7.5285-0.5.i586.rpm

OES2 SP2 (x86_64):
novell-kerberos-base-1.5-42.x86_64.rpm
novell-kerberos-ldap-extensions-1.5-42.x86_64.rpm
novell-xad-krb5-1.7.5285-0.5.x86_64.rpm
novell-xad-krb5-32bit-1.7.5285-0.5.x86_64.rpm

Additional information:
- NKDC was discontinued as of OES2 SP1, so the NKDC entry applies to OES2 SP0 only
- Domain Services for Windows (DSfW) is available in OES2 SP1 and later, so the DSfW entry does not apply to OES2 SP0

Resolution

If any of the listed services is enabled, check the installed rpm versions (for example with rpm -q) against the package lists above.

If the installed packages are older than the listed versions, update to the current packages in the OES2 update channel.
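The following script is an added example of that check for an OES2 SP2 server; it is not Novell's own tooling. It embeds the SP2 fixed versions from the lists above, queries the rpm database with a real rpm -q query format, and compares each installed version-release against the fixed one with a deliberately simplified numeric comparison (sufficient for the purely numeric versions in this TID, not a full rpmvercmp). The SAMPLE_INSTALLED block is constructed sample rpm output so the script runs offline; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not Novell's tooling: compare installed OES2 SP2 Kerberos
# package versions against the fixed versions listed in this TID.
# SAMPLE_INSTALLED is constructed sample rpm output so the script runs
# offline; on a real server feed it the output of installed_packages instead.

# Fixed OES2 SP2 versions from the TID, as "name version-release".
# For SP0 or SP1 substitute the corresponding list from the TID.
FIXED_SP2='novell-kerberos-base 1.5-42
novell-kerberos-ldap-extensions 1.5-42
novell-xad-krb5 1.7.5285-0.5
novell-xad-krb5-32bit 1.7.5285-0.5'

# Query the rpm database for the packages named in $FIXED_SP2.
# rpm prints "package X is not installed" for absent packages; that line
# is reported below as "not installed".
installed_packages() {
    rpm -q --qf '%{NAME} %{VERSION}-%{RELEASE}\n' \
        $(printf '%s\n' "$FIXED_SP2" | cut -d' ' -f1)
}

# Constructed sample of that output: one package still at an SP1-era
# (pre-fix) release, one not installed at all.
SAMPLE_INSTALLED='novell-kerberos-base 1.5-42
novell-kerberos-ldap-extensions 1.5-39
novell-xad-krb5 1.7.5285-0.5
package novell-xad-krb5-32bit is not installed'

# vercmp_ge A B: return 0 if version-release A is at or above B.
# Numeric segments are compared left to right; "." and "-" are both
# separators and a missing segment counts as 0. Deliberately simpler
# than rpmvercmp (no epoch, alpha segments or tilde), but sufficient
# for the purely numeric versions in this TID.
vercmp_ge() {
    a="$1."; b="$2."
    while [ -n "$a" ] || [ -n "$b" ]; do
        aseg=${a%%[.-]*}; a=${a#*[.-]}
        bseg=${b%%[.-]*}; b=${b#*[.-]}
        if [ "${aseg:-0}" -gt "${bseg:-0}" ]; then return 0; fi
        if [ "${aseg:-0}" -lt "${bseg:-0}" ]; then return 1; fi
    done
    return 0
}

# check_versions INSTALLED FIXED: report each fixed package as OK,
# VULNERABLE or not installed. Returns 1 if any installed package is
# below its fixed version, 0 otherwise.
check_versions() {
    installed="$1"; fixed="$2"; rc=0
    while read -r name want; do
        have=$(printf '%s\n' "$installed" | awk -v n="$name" '$1 == n { print $2 }')
        if [ -z "$have" ]; then
            echo "$name: not installed"
        elif vercmp_ge "$have" "$want"; then
            echo "$name: $have OK (fixed in $want)"
        else
            echo "$name: $have VULNERABLE, update to $want or later"
            rc=1
        fi
    done <<EOF
$fixed
EOF
    return $rc
}

# Run against the constructed sample. On an OES2 SP2 server use:
#   check_versions "$(installed_packages)" "$FIXED_SP2"
check_versions "$SAMPLE_INSTALLED" "$FIXED_SP2" \
    || echo "one or more packages need updating (CVE-2009-4212)"
```

A package reported as not installed means that service's packages are absent on the box, not that it is patched; combine the result with the list of enabled services above, since only enabled NKDC, DSfW or SASL-GSSAPI exposure matters.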

Status

Security Alert

Additional Information

This announcement is posted at:

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-004.txt

CVE: CVE-2009-4212
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-4212