Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Title krb5 vulnerabilities
Informations
Name USN-477-1 First vendor Publication 2007-06-26
Vendor Ubuntu Last vendor Modification 2007-06-26
Severity (Vendor) N/A Revision N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Cvss Base Score 9.3 Attack Range Network
Cvss Impact Score 10 Attack Complexity Medium
Cvss Expoit Score 8.6 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

A security issue affects the following Ubuntu releases:

Ubuntu 6.06 LTS Ubuntu 6.10 Ubuntu 7.04

This advisory also applies to the corresponding versions of Kubuntu, Edubuntu, and Xubuntu.

The problem can be corrected by upgrading your system to the following package versions:

Ubuntu 6.06 LTS:
libkadm55 1.4.3-5ubuntu0.4

Ubuntu 6.10:
libkadm55 1.4.3-9ubuntu1.3

Ubuntu 7.04:
libkadm55 1.4.4-5ubuntu3.1

In general, a standard system upgrade is sufficient to effect the necessary changes.

Details follow:

Wei Wang discovered that the krb5 RPC library did not correctly handle certain error conditions. A remote attacker could cause kadmind to free an uninitialized pointer, leading to a denial of service or possibly execution of arbitrary code with root privileges. (CVE-2007-2442)

Wei Wang discovered that the krb5 RPC library did not correctly check the size of certain communications. A remote attacker could send a specially crafted request to kadmind and execute arbitrary code with root privileges. (CVE-2007-2443)

It was discovered that the kadmind service could be made to overflow its stack. A remote attacker could send a specially crafted request and execute arbitrary code with root privileges. (CVE-2007-2798)

Original Source

Url : http://www.ubuntu.com/usn/USN-477-1

CAPEC : Common Attack Pattern Enumeration & Classification

Id Name
CAPEC-3 Using Leading 'Ghost' Character Sequences to Bypass Input Filters
CAPEC-7 Blind SQL Injection
CAPEC-8 Buffer Overflow in an API Call
CAPEC-9 Buffer Overflow in Local Command-Line Utilities
CAPEC-10 Buffer Overflow via Environment Variables
CAPEC-13 Subverting Environment Variable Values
CAPEC-14 Client-side Injection-induced Buffer Overflow
CAPEC-18 Embedding Scripts in Nonscript Elements
CAPEC-22 Exploiting Trust in Client (aka Make the Client Invisible)
CAPEC-24 Filter Failure through Buffer Overflow
CAPEC-28 Fuzzing
CAPEC-31 Accessing/Intercepting/Modifying HTTP Cookies
CAPEC-32 Embedding Scripts in HTTP Query Strings
CAPEC-42 MIME Conversion
CAPEC-43 Exploiting Multiple Input Interpretation Layers
CAPEC-45 Buffer Overflow via Symbolic Links
CAPEC-46 Overflow Variables and Tags
CAPEC-47 Buffer Overflow via Parameter Expansion
CAPEC-52 Embedding NULL Bytes
CAPEC-53 Postfix, Null Terminate, and Backslash
CAPEC-63 Simple Script Injection
CAPEC-64 Using Slashes and URL Encoding Combined to Bypass Validation Logic
CAPEC-66 SQL Injection
CAPEC-67 String Format Overflow in syslog()
CAPEC-71 Using Unicode Encoding to Bypass Validation Logic
CAPEC-72 URL Encoding
CAPEC-73 User-Controlled Filename
CAPEC-78 Using Escaped Slashes in Alternate Encoding
CAPEC-79 Using Slashes in Alternate Encoding
CAPEC-80 Using UTF-8 Encoding to Bypass Validation Logic
CAPEC-81 Web Logs Tampering
CAPEC-83 XPath Injection
CAPEC-85 Client Network Footprinting (using AJAX/XSS)
CAPEC-86 Embedding Script (XSS ) in HTTP Headers
CAPEC-88 OS Command Injection
CAPEC-91 XSS in IMG Tags
CAPEC-99 XML Parser Attack
CAPEC-101 Server Side Include (SSI) Injection
CAPEC-104 Cross Zone Scripting
CAPEC-106 Cross Site Scripting through Log Files
CAPEC-108 Command Line Execution through SQL Injection
CAPEC-109 Object Relational Mapping Injection
CAPEC-110 SQL Injection through SOAP Parameter Tampering
CAPEC-171 Variable Manipulation

CWE : Common Weakness Enumeration

% Id Name
100 % CWE-787 Out-of-bounds Write (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10631
 
Oval ID: oval:org.mitre.oval:def:10631
Title: The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.
Description: The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2442
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11277
 
Oval ID: oval:org.mitre.oval:def:11277
Title: Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.
Description: Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2443
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1726
 
Oval ID: oval:org.mitre.oval:def:1726
Title: Security Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code Execution
Description: Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2798
Version: 2
Platform(s): Sun Solaris 9
Sun Solaris 10
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:20462
 
Oval ID: oval:org.mitre.oval:def:20462
Title: DSA-1323-1 krb5
Description: Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code.
Family: unix Class: patch
Reference(s): DSA-1323-1
CVE-2007-2442
CVE-2007-2443
CVE-2007-2798
Version: 5
Platform(s): Debian GNU/Linux 4.0
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:22639
 
Oval ID: oval:org.mitre.oval:def:22639
Title: ELSA-2007:0562: krb5 security update (Important)
Description: Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
Family: unix Class: patch
Reference(s): ELSA-2007:0562-02
CVE-2007-2442
CVE-2007-2443
CVE-2007-2798
Version: 17
Platform(s): Oracle Linux 5
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7131
 
Oval ID: oval:org.mitre.oval:def:7131
Title: HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code
Description: Integer signedness error in the gssrpc__svcauth_unix function in svc_auth_unix.c in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a negative length value.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2443
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7344
 
Oval ID: oval:org.mitre.oval:def:7344
Title: HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code
Description: The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2442
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:7550
 
Oval ID: oval:org.mitre.oval:def:7550
Title: HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code
Description: Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2798
Version: 11
Platform(s): HP-UX 11
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9996
 
Oval ID: oval:org.mitre.oval:def:9996
Title: Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
Description: Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
Family: unix Class: vulnerability
Reference(s): CVE-2007-2798
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Red Hat Enterprise Linux 5
CentOS Linux 5
Oracle Linux 5
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 36
Os 3
Os 2

OpenVAS Exploits

Date Description
2009-11-17 Name : Mac OS X Version
File : nvt/macosx_version.nasl
2009-04-09 Name : Mandriva Update for krb5 MDKSA-2007:137 (krb5)
File : nvt/gb_mandriva_MDKSA_2007_137.nasl
2009-03-23 Name : Ubuntu Update for krb5 vulnerabilities USN-477-1
File : nvt/gb_ubuntu_USN_477_1.nasl
2009-02-27 Name : Fedora Update for krb5 FEDORA-2007-0740
File : nvt/gb_fedora_2007_0740_krb5_fc7.nasl
2009-02-27 Name : Fedora Update for krb5 FEDORA-2007-2017
File : nvt/gb_fedora_2007_2017_krb5_fc7.nasl
2009-02-27 Name : Fedora Update for krb5 FEDORA-2007-2066
File : nvt/gb_fedora_2007_2066_krb5_fc7.nasl
2009-02-27 Name : Fedora Update for krb5 FEDORA-2007-620
File : nvt/gb_fedora_2007_620_krb5_fc5.nasl
2009-02-27 Name : Fedora Update for krb5 FEDORA-2007-621
File : nvt/gb_fedora_2007_621_krb5_fc6.nasl
2009-02-16 Name : Fedora Update for krb5 FEDORA-2008-2637
File : nvt/gb_fedora_2008_2637_krb5_fc7.nasl
2009-01-28 Name : SuSE Update for krb5 SUSE-SA:2007:038
File : nvt/gb_suse_2007_038.nasl
2008-09-24 Name : Gentoo Security Advisory GLSA 200707-11 (mit-krb5)
File : nvt/glsa_200707_11.nasl
2008-01-17 Name : Debian Security Advisory DSA 1323-1 (krb5)
File : nvt/deb_1323_1.nasl

Open Source Vulnerability Database (OSVDB)

Id Description
36597 MIT Kerberos 5 RPC Library gssrpc__svcauth_unix Function Remote Code Execution

36596 MIT Kerberos 5 RPC Library gssrpc__svcauth_gssapi Function Remote Code Execution

36595 MIT Kerberos kadmind rename_principal_2_svc Function Remote Overflow

Snort® IPS/IDS

Date Description
2014-01-10 MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code executi...
RuleID : 13268 - Revision : 5 - Type : RPC
2014-01-10 MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code executi...
RuleID : 13223 - Revision : 6 - Type : PROTOCOL-RPC
2014-01-10 MIT Kerberos kadmind auth buffer overflow attempt
RuleID : 12708 - Revision : 7 - Type : PROTOCOL-RPC
2014-01-10 portmap 2112 udp rename_principal attempt
RuleID : 12188 - Revision : 8 - Type : PROTOCOL-RPC
2014-01-10 portmap 2112 tcp rename_principal attempt
RuleID : 12187 - Revision : 11 - Type : PROTOCOL-RPC
2014-01-10 portmap 2112 udp request
RuleID : 12186 - Revision : 9 - Type : PROTOCOL-RPC
2014-01-10 portmap 2112 tcp request
RuleID : 12185 - Revision : 9 - Type : PROTOCOL-RPC
2014-01-10 MIT Kerberos kadmind rpc library uninitialized pointer arbitrary code executi...
RuleID : 12075 - Revision : 10 - Type : PROTOCOL-RPC
2014-01-10 MIT Kerberos kadmind RPC Library unix authentication buffer overflow attempt
RuleID : 12046 - Revision : 10 - Type : PROTOCOL-RPC

Nessus® Vulnerability Scanner

Date Description
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-0562.nasl - Type : ACT_GATHER_INFO
2013-07-12 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2007-0384.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20070626_krb5_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2012-08-01 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20070626_krb5_on_SL3.nasl - Type : ACT_GATHER_INFO
2010-06-28 Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHSS_41166.nasl - Type : ACT_GATHER_INFO
2010-06-28 Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHSS_41167.nasl - Type : ACT_GATHER_INFO
2010-06-28 Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHSS_41168.nasl - Type : ACT_GATHER_INFO
2009-07-27 Name : The remote VMware ESX host is missing one or more security-related patches.
File : vmware_VMSA-2007-0006.nasl - Type : ACT_GATHER_INFO
2007-12-13 Name : The remote SuSE 10 host is missing a security-related patch.
File : suse_krb5-3821.nasl - Type : ACT_GATHER_INFO
2007-11-10 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-477-1.nasl - Type : ACT_GATHER_INFO
2007-11-06 Name : The remote Fedora host is missing a security update.
File : fedora_2007-0740.nasl - Type : ACT_GATHER_INFO
2007-10-17 Name : The remote openSUSE host is missing a security update.
File : suse_krb5-3820.nasl - Type : ACT_GATHER_INFO
2007-08-02 Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2007-007.nasl - Type : ACT_GATHER_INFO
2007-07-27 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200707-11.nasl - Type : ACT_GATHER_INFO
2007-07-01 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-1323.nasl - Type : ACT_GATHER_INFO
2007-06-27 Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2007-137.nasl - Type : ACT_GATHER_INFO
2007-06-27 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-0384.nasl - Type : ACT_GATHER_INFO
2007-06-27 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2007-0562.nasl - Type : ACT_GATHER_INFO
2007-06-27 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-0562.nasl - Type : ACT_GATHER_INFO
2007-06-27 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2007-0384.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 112925-08
File : solaris9_112925.nasl - Type : ACT_GATHER_INFO
2004-07-12 Name : The remote host is missing Sun Security Patch number 116044-04
File : solaris9_x86_116044.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
Date Informations
2014-02-17 12:04:26
  • Multiple Updates