We recently received a report of some automated security scanning software red-flagging the Kerberos DLLs that ship with the PostgreSQL installers for Windows. This blog post is an analysis of the impact of known vulnerabilities in Kerberos, how they relate to PostgreSQL, and what we're doing about them.
PostgreSQL 8.3.x and 8.4.x
PostgreSQL 8.3 and 8.4 are built using Kerberos for Windows (KfW) 3.2.2 which is based on the Kerberos 1.6.3 package. This is the latest version of Kerberos for Windows that is currently available from MIT.
The vulnerabilities that were reported by the security scanning tool were:
CVE-2008-0062 and CVE-2008-0063. These are bugs in the KDC server which are exposed if Kerberos 4 is enabled on a v5 KDC. As we don't ship the KDC software with PostgreSQL, these bugs do not apply.
CVE-2008-0947 and CVE-2008-0948. These are bugs in kadmind, the Kerberos Administration Server. We don't ship this either, so like the previous bugs, these do not apply to PostgreSQL.
What the scanning tool didn't report was a fifth vulnerability which does potentially affect PostgreSQL users:
CVE-2009-0846. This issue is described as: The asn1_decode_generaltime() function, which decodes DER encodings of the ASN.1 type "GeneralizedTime", can free an uninitialized pointer. This can cause a Kerberos application to crash, or, under theoretically possible but unlikely circumstances, execute arbitrary malicious code.
As mentioned above, we currently ship the latest version of Kerberos with PostgreSQL. As soon as MIT update the Kerberos for Windows package to include Kerberos 1.6.4 (which does not have this issue), we will update the PostgreSQL build servers.
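The defect class behind CVE-2009-0846, an error path that calls free() on a pointer that was never initialised, is easiest to see next to the hardened pattern. The decoder below is an added illustration written for this post, not MIT's asn1_decode_generaltime(): the function name, the gtime struct and the NULL-initialised cleanup pattern are assumptions, and it handles only the short-form UTC encoding "YYYYMMDDHHMMSSZ".

```c
#include <stdlib.h>
#include <string.h>

#define ASN1_TAG_GENERALIZEDTIME 0x18   /* DER tag for GeneralizedTime */

struct gtime { int year, mon, day, hour, min, sec; };

/* Parse w decimal digits at p; returns -1 if any byte is not a digit. */
static int digits(const char *p, int w)
{
    int v = 0;
    for (int i = 0; i < w; i++) {
        if (p[i] < '0' || p[i] > '9') return -1;
        v = v * 10 + (p[i] - '0');
    }
    return v;
}

/* Decode a DER GeneralizedTime "YYYYMMDDHHMMSSZ" (short-form length only).
 * Returns 0 on success, -1 on malformed input. Hypothetical illustration. */
int decode_generaltime(const unsigned char *der, size_t len, struct gtime *out)
{
    /* Every pointer the cleanup path frees starts as NULL; the original
     * defect left such a pointer uninitialised, so an early exit freed garbage. */
    char *s = NULL;
    int ret = -1, f[6];
    size_t n;
    if (len < 2 || der[0] != ASN1_TAG_GENERALIZEDTIME) goto cleanup;
    n = der[1];
    if (n != 15 || len < 2 + n) goto cleanup;
    s = malloc(n + 1);
    if (s == NULL) goto cleanup;
    memcpy(s, der + 2, n);
    s[n] = '\0';
    if (s[14] != 'Z') goto cleanup;            /* must be UTC, no fraction */
    f[0] = digits(s, 4);     f[1] = digits(s + 4, 2);  f[2] = digits(s + 6, 2);
    f[3] = digits(s + 8, 2); f[4] = digits(s + 10, 2); f[5] = digits(s + 12, 2);
    for (int i = 0; i < 6; i++) if (f[i] < 0) goto cleanup;
    if (f[1] < 1 || f[1] > 12 || f[2] < 1 || f[2] > 31 ||
        f[3] > 23 || f[4] > 59 || f[5] > 59) goto cleanup;
    out->year = f[0]; out->mon = f[1]; out->day = f[2];
    out->hour = f[3]; out->min = f[4]; out->sec = f[5];
    ret = 0;
cleanup:
    free(s);                 /* safe on every path: NULL or a live buffer */
    return ret;
}
```

Each early exit reaches the same cleanup label, so the only thing standing between a malformed input and a bad free() is that the pointer was given a defined value before the first exit.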
PostgreSQL 8.2.x
PostgreSQL 8.2 is built using Kerberos for Windows (KfW) 2.6.5 which is based on the Kerberos 1.3.5 package. This is the most recent version of the Kerberos for Windows 2.6.x line available from MIT, and that line is no longer being maintained.
This version of Kerberos is believed to be vulnerable to the issue noted above (CVE-2009-0846), as well as CVE-2005-1689, which describes a double-free bug in the krb5_recvauth function (and which was also not noted by the scanning tool that started this exercise)!
Updating Kerberos for Windows to version 3.2.2 in the PostgreSQL 8.2 distribution is the only way we can work around this issue. However, this is not as simple as it might sound: the structure of the KfW distribution has changed, which would require modifications to the PostgreSQL installer to accommodate additional DLLs, as well as to any application installers that our users may have built around their libpq-based applications.
Because of the potential disruption to users and software developers for the sake of a feature used by such a small percentage of users, we have decided not to update the PostgreSQL 8.2 installer with the newer Kerberos packages. Instead, we recommend that users of PostgreSQL 8.2 on Windows who wish to use Kerberos plan to upgrade their installations to PostgreSQL 8.3 or 8.4 as soon as possible.