MIT krb5 Security Advisory 2007-006
Original release: 2007-09-04
Last update: 2007-09-04
Topic: kadmind RPC lib buffer overflow, uninitialized pointer
RPC library buffer overflow
CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 10
Access Vector: Network
Access Complexity: Low
Confidentiality Impact: Complete
Integrity Impact: Complete
Availability Impact: Complete
CVSSv2 Temporal Score: 7.8
Remediation Level: Official Fix
Report Confidence: Confirmed
kadmind uninitialized pointer
CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C
See DETAILS for the expanded CVSSv2 metrics for this vulnerability.
This advisory concerns two vulnerabilities. CVE-2007-3999 is much
easier to exploit than CVE-2007-4000.
[CVE-2007-3999] The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow in the RPCSEC_GSS authentication flavor of the
RPC library. Third-party applications using the RPC library provided
with MIT krb5 may also be affected.
We have received a proof-of-concept exploit that does not appear to
execute malicious code, and we believe that this exploit is not
This is a bug in the RPC library in MIT krb5. It is not a bug in the
[CVE-2007-4000] The MIT krb5 Kerberos administration daemon (kadmind) can write data
through an uninitialized pointer. We know of no working exploit code
for this vulnerability, and do not believe that any exploit code for
this vulnerability is circulating.
This is a bug in kadmind in MIT krb5. It is not a bug in the
[CVE-2007-3999] An unauthenticated remote user may be able to cause a
host running kadmind to execute arbitrary code.
[CVE-2007-4000] An authenticated user with "modify policy" privilege
may be able to cause a host running kadmind to execute arbitrary code.
Successful exploitation of either vulnerability can compromise the
Kerberos key database and host security on the KDC host. (kadmind
typically runs as root.) Unsuccessful exploitation attempts will
likely result in kadmind crashing.
Third-party applications calling the RPC library provided with MIT
krb5 may be vulnerable to CVE-2007-3999.
[CVE-2007-3999]
* kadmind in MIT releases krb5-1.4 through krb5-1.6.2
* third-party RPC server programs linked against the RPC library
included in MIT releases krb5-1.4 through krb5-1.6.2
* MIT releases prior to krb5-1.4 did not contain the vulnerable code
[CVE-2007-4000]
* kadmind in MIT releases krb5-1.5 through krb5-1.6.2
* MIT releases prior to krb5-1.5 did not contain the vulnerable code
* The upcoming krb5-1.6.3 release, as well as the upcoming krb5-1.5.5
maintenance release, will contain fixes for this vulnerability.
Prior to that release you may apply the following patch. Note that
releases prior to krb5-1.5 will not need the svr_policy.c patch.