
CERT-In Advisory CIAD-2007-34
MIT Kerberos Multiple Vulnerabilities

Original issue date: June 28, 2007

Severity Rating: High

Systems Affected

  • MIT Kerberos V5 version 1.6.1 and prior
  • MIT Kerberos V5 version 1.5.3 and prior

Overview

Multiple vulnerabilities have been reported in the MIT krb5 Kerberos administration daemon (kadmind) which could be exploited by a remote attacker to execute arbitrary code on the affected system or cause a denial of service.

Description

1. MIT Kerberos "rename_principal_2_svc()" Buffer Overflow Vulnerability (CVE-2007-2798)

A stack overflow vulnerability has been reported in the MIT krb5 Kerberos administration daemon (kadmind), caused by an error in the way kadmind handles the principal renaming operation: unchecked string arguments are passed to the "rename_principal_2_svc()" [src/kadmin/server/server_stubs.c] function. A remote, authenticated attacker could exploit the vulnerability to execute arbitrary code on the affected system or crash the affected application.

Successful exploitation requires authentication but not administrative privileges.

2. MIT Kerberos "gssrpc__svcauth_gssapi()" RPC Library Vulnerability (CVE-2007-2442)

A vulnerability has been reported in the MIT Kerberos administration daemon (kadmind) due to an error in the "gssrpc__svcauth_gssapi()" [src/lib/rpc/svc_auth_gssapi.c] function while processing an RPC credential with a length of zero. A remote, unauthenticated attacker could exploit the vulnerability by sending a specially crafted RPC request to the above function, causing the kadmind daemon to free an uninitialized pointer. This could lead to arbitrary code execution on the affected system or a crash of the affected application.

3. MIT Kerberos "gssrpc__svcauth_unix()" RPC Library Vulnerability (CVE-2007-2443)

A vulnerability has been reported in the MIT Kerberos administration daemon (kadmind) due to an integer signedness error in the "gssrpc__svcauth_unix()" function in svc_auth_unix.c in the RPC library. This could allow a remote attacker to execute arbitrary code on the affected system.

Third-party applications using the RPC library provided with MIT krb5 may also be vulnerable.
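
The bug class named in item 3, as an added C illustration (not the MIT krb5 source, which this advisory does not reproduce): a wire length stored in a signed integer passes an upper-bound-only check when it is negative, while an unsigned, fully bounded check rejects it. MAX_NAME, the length-prefixed message layout and all function names are assumptions made for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_NAME 255  /* assumed limit for this illustration */

/* Read a 32-bit big-endian (XDR-style) integer. */
static uint32_t be32(const unsigned char *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the length is held in a signed type, so only the upper
 * bound is effective. Returns 1 if the check lets the field through;
 * *copy_len receives the size a later memcpy() would be given.
 * No copy is performed here. */
int weak_length_check(const unsigned char *msg, size_t *copy_len) {
    int32_t len = (int32_t)be32(msg);  /* 0xFFFFFFFF becomes -1 on common ABIs */
    if (len > MAX_NAME)
        return 0;
    *copy_len = (size_t)len;           /* -1 becomes SIZE_MAX */
    return 1;
}

/* Hardened: keep the length unsigned and bound it by the protocol limit,
 * the bytes actually present and the destination size before copying.
 * Returns the name length, or -1 on a malformed field. */
int parse_name(const unsigned char *msg, size_t msg_len,
               char *out, size_t out_size) {
    if (msg_len < 4 || out_size == 0)
        return -1;
    uint32_t len = be32(msg);
    if (len > MAX_NAME || len > msg_len - 4 || len >= out_size)
        return -1;
    memcpy(out, msg + 4, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample inputs: a valid 4-byte name, and a length field of
 * 0xFFFFFFFF with no payload. */
const unsigned char good_msg[] = {0, 0, 0, 4, 'r', 'o', 'o', 't'};
const unsigned char neg_msg[]  = {0xFF, 0xFF, 0xFF, 0xFF};
```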

Solution

Apply the appropriate patches provided by the vendor:
http://web.mit.edu/kerberos/advisories/2007-005-patch.txt
http://web.mit.edu/kerberos/advisories/2007-004-patch.txt

Vendor Information

MIT Kerberos
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-005.txt
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-004.txt

References

iDefense Labs
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=548

US-CERT
http://www.kb.cert.org/vuls/id/554257

FrSIRT
http://www.frsirt.com/english/advisories/2007/2337


CVE Name
CVE-2007-2798
CVE-2007-2442
CVE-2007-2443

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003