Technical Description

Two vulnerabilities have been identified in MIT Kerberos, which could be exploited by remote attackers to take complete control of an affected system or cause a denial of service.

The first issue is due to memory management errors in the "svc_do_xprt()" [lib/rpc/svc.c] function within the administration daemon "kadmind", which could be exploited by remote unauthenticated attackers to execute arbitrary commands or crash a vulnerable application.

The second vulnerability is due to memory management errors in the "mechglue" abstraction interface of the GSS-API implementation and the administration daemon "kadmind" where the "log_badverf()" function calls "gss_display_name()" without checking its return value and without initializing the "gss_buffer_desc" structures passed to "gss_display_name()", which could be exploited by remote unauthenticated attackers to execute arbitrary commands or crash a vulnerable application.

Affected Products

MIT Kerberos V5 versions 1.4 through 1.4.4
MIT Kerberos V5 versions 1.5 through 1.5.1

Solution

Upgrade to MIT Kerberos V5 version 1.6 :
http://web.mit.edu/kerberos/krb5-1.6/

Or apply patches :
http://web.mit.edu/kerberos/advisories/2006-003-patch.txt
http://web.mit.edu/kerberos/advisories/2006-002-patch.txt

References

http://www.vupen.com/english/advisories/2007/0111
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-003-mechglue.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-002-rpc.txt

Credits

Vulnerabilities reported by Andrew Korty (Indiana University)

ChangeLog

2007-01-09 : Initial release

Vulnerability Management

Subscribe to VUPEN VNS and receive real-time alerts when new advisories or patches relevant to your systems and network configurations are available.

Feedback

If you have additional information or corrections for this security advisory please submit them via our contact form.