MIT krb5 Security Advisory 2007-006

Original release: 2007-09-04
Last update: 2007-09-04

Topic: kadmind RPC lib buffer overflow, uninitialized pointer

[CVE-2007-3999/VU#883632] RPC library buffer overflow

CVSSv2 Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C/E:POC/RL:OF/RC:C
CVSSv2 Base Score: 10
  Access Vector: Network
  Access Complexity: Low
  Authentication: None
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete
CVSSv2 Temporal Score: 7.8
  Exploitability: Proof-of-Concept
  Remediation Level: Official Fix
  Report Confidence: Confirmed

[CVE-2007-4000/VU#377544] kadmind uninitialized pointer

CVSSv2 Vector: AV:N/AC:H/Au:S/C:C/I:C/A:C/E:POC/RL:OF/RC:C

See DETAILS for the expanded CVSSv2 metrics for this vulnerability.

SUMMARY
=======

This advisory concerns two vulnerabilities. CVE-2007-3999 is much easier to exploit than CVE-2007-4000.

[CVE-2007-3999]

The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to a stack buffer overflow in the RPCSEC_GSS authentication flavor of the RPC library. Third-party applications using the RPC library provided with MIT krb5 may also be affected. We have received a proof-of-concept exploit that does not appear to execute malicious code, and we believe that this exploit is not publicly circulated.

This is a bug in the RPC library in MIT krb5. It is not a bug in the Kerberos protocol.

[CVE-2007-4000]

The MIT krb5 Kerberos administration daemon (kadmind) can write data through an uninitialized pointer. We know of no working exploit code for this vulnerability, and do not believe that any exploit code for this vulnerability is circulating.

This is a bug in kadmind in MIT krb5. It is not a bug in the Kerberos protocol.

IMPACT
======

[CVE-2007-3999]

An unauthenticated remote user may be able to cause a host running kadmind to execute arbitrary code.

[CVE-2007-4000]

An authenticated user with "modify policy" privilege may be able to cause a host running kadmind to execute arbitrary code.

Successful exploitation of either vulnerability can compromise the Kerberos key database and host security on the KDC host. (kadmind typically runs as root.) Unsuccessful exploitation attempts will likely result in kadmind crashing.

Third-party applications calling the RPC library provided with MIT krb5 may be vulnerable to CVE-2007-3999.

AFFECTED SOFTWARE
=================

[CVE-2007-3999]

* kadmind in MIT releases krb5-1.4 through krb5-1.6.2
* third-party RPC server programs linked against the RPC library included in MIT releases krb5-1.4 through krb5-1.6.2
* MIT releases prior to krb5-1.4 did not contain the vulnerable code

[CVE-2007-4000]

* kadmind in MIT releases krb5-1.5 through krb5-1.6.2
* MIT releases prior to krb5-1.5 did not contain the vulnerable code

FIXES
=====

* The upcoming krb5-1.6.3 release, as well as the upcoming krb5-1.5.5 maintenance release, will contain fixes for these vulnerabilities. Prior to that release you may apply the following patch. Note that releases prior to krb5-1.5 will not need the svr_policy.c patch.

Reproducible: Always
*** This bug has been marked as a duplicate of bug 191301 ***