CERT/CC Vulnerability Note VU#883632

Overview

An unspecified vulnerability in MIT Kerberos kadmind server may allow an attacker to execute arbitrary code.

Description

Kerberos is a network authentication system that uses a trusted third party to authenticate clients and servers to each other. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions. The kadmind daemon is the administration server that runs on the master Kerberos server.

From the kadmind manual page:

This command starts the KADM5 administration server. The administration server runs on the master Kerberos server, which stores the KDC principal database and the KADM5 policy database. Kadmind accepts remote requests to administer the information--exclude in these databases. Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of kadmind.
Per MITKRB5-SA-2007-006 there is a stack buffer overflow in the RPCSEC_GSS authentication in the RPC library that is included in krb5-1.4 through krb5-1.6.2. Any programs that link against the RPC library may also be affected.

Note that per MITKRB5-SA-2007-006, versions of kerberos prior to krb5-1.5 are not affected.

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code.

Solution

Update
The Kerberos team has released an update to address this issue. Please see MITKRB5-SA-2007-006 for more information on obtaining fixed software.

Restrict access

Restricng network access to the Kerberos server may partially mitigate this vulnerability. kadmind listens on 749/tcp by default.

Vendor Information

883632

Filter by status:

Filter by content: Additional information available

Sort by:

Expand all

Debian GNU/Linux Affected

Gentoo Linux Affected

MIT Kerberos Development Team Affected

Red Hat, Inc. Affected

SUSE Linux Affected

Sun Microsystems, Inc. Affected

Microsoft Corporation Not Affected

Apple Computer, Inc. Unknown

AttachmateWRQ, Inc. Unknown

Conectiva Inc. Unknown

Cray Inc. Unknown

CyberSafe, Inc. Unknown

EMC Corporation Unknown

Engarde Secure Linux Unknown

F5 Networks, Inc. Unknown

Fedora Project Unknown

FreeBSD, Inc. Unknown

Fujitsu Unknown

Hewlett-Packard Company Unknown

Hitachi Unknown

IBM Corporation Unknown

IBM Corporation (zseries) Unknown

IBM eServer Unknown

Immunix Communications, Inc. Unknown

Ingrian Networks, Inc. Unknown

Juniper Networks, Inc. Unknown

KTH Kerberos Team Unknown

Mandriva, Inc. Unknown

MontaVista Software, Inc. Unknown

NEC Corporation Unknown

NetBSD Unknown

Novell, Inc. Unknown

OpenBSD Unknown

Openwall GNU/*/Linux Unknown

QNX, Software Systems, Inc. Unknown

Silicon Graphics, Inc. Unknown

Slackware Linux Inc. Unknown

Sony Corporation Unknown

The SCO Group Unknown

Trustix Secure Linux Unknown

Turbolinux Unknown

Ubuntu Unknown

Unisys Unknown

Wind River Systems, Inc. Unknown

View all 44 vendors View less vendors

CVSS Metrics

Group	Score	Vector
Base
Temporal
Environmental

References

Acknowledgements

Thanks to the MIT Kerberos team for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

CVE IDs:	CVE-2007-3999
Severity Metric:	8.61
Date Public:	2007-09-04
Date First Published:	2007-09-04
Date Last Updated:	2007-11-15 13:21 UTC
Document Revision:	28

Software Engineering Institute

CERT Coordination Center

MIT Kerberos 5 kadmind buffer overflow vulnerability

Vulnerability Note VU#883632