8.5 - VU#377544

Executive Summary

Summary
Title	MIT Kerberos 5 kadmind privilege escalation vulnerability

Informations
Name	VU#377544	First vendor Publication	2007-09-04
Vendor	VU-CERT	Last vendor Modification	2007-09-06
Severity (Vendor)	N/A	Revision	M

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:M/Au:S/C:C/I:C/A:C)
Cvss Base Score	8.5	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Medium
Cvss Expoit Score	6.8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Vulnerability Note VU#377544

MIT Kerberos 5 kadmind privilege escalation vulnerability

Overview

MIT Kerberos kadmind contains a privilege escalation vulnerability that may allow an authenticated attacker to execute code with root privileges.

I. Description

Kerberos is a network authentication system that uses a trusted third party to authenticate clients and servers to each other. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions. The kadmind daemon is the administration server that runs on the master Kerberos server.

From the kadmind manual page:

This command starts the KADM5 administration server. The administration server runs on the master Kerberos server, which stores the KDC principal database and the KADM5 policy database. Kadmind accepts remote requests to administer the information in these databases. Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of kadmind.

Per MITKRB5-SA-2007-006 there is a privilege execution vulnerability in kadmind that may allow an authenticated user with modify policy privileges to execute arbitrary code. Note that per MITKRB5-SA-2007-006, versions of kerberos prior to krb5-1.5 are not affected by this vulnerability.

II. Impact

A local attacker, who has modify policy privileges, may be able to execute arbitrary code with elevated privileges

III. Solution

Update

The Kerberos team has released an update to address this issue. Please see MITKRB5-SA-2007-006 for more information on obtaining fixed software.

Systems Affected

Vendor	Status	Date Updated
Apple Computer, Inc.	Unknown	24-Aug-2007
AttachmateWRQ, Inc.	Unknown	24-Aug-2007
Conectiva Inc.	Unknown	24-Aug-2007
Cray Inc.	Unknown	24-Aug-2007
CyberSafe, Inc.	Unknown	24-Aug-2007
Debian GNU/Linux	Unknown	24-Aug-2007
EMC Corporation	Unknown	24-Aug-2007
Engarde Secure Linux	Unknown	24-Aug-2007
F5 Networks, Inc.	Unknown	24-Aug-2007
Fedora Project	Unknown	24-Aug-2007
FreeBSD, Inc.	Unknown	24-Aug-2007
Fujitsu	Unknown	24-Aug-2007
Gentoo Linux	Unknown	24-Aug-2007
Hewlett-Packard Company	Unknown	24-Aug-2007
Hitachi	Unknown	24-Aug-2007
IBM Corporation	Unknown	24-Aug-2007
IBM Corporation (zseries)	Unknown	24-Aug-2007
IBM eServer	Unknown	24-Aug-2007
Immunix Communications, Inc.	Unknown	24-Aug-2007
Ingrian Networks, Inc.	Unknown	24-Aug-2007
Juniper Networks, Inc.	Unknown	24-Aug-2007
KTH Kerberos Team	Unknown	24-Aug-2007
Mandriva, Inc.	Unknown	24-Aug-2007
Microsoft Corporation	Not Vulnerable	4-Sep-2007
MIT Kerberos Development Team	Vulnerable	4-Sep-2007
MontaVista Software, Inc.	Unknown	24-Aug-2007
NEC Corporation	Unknown	24-Aug-2007
NetBSD	Unknown	24-Aug-2007
Novell, Inc.	Unknown	24-Aug-2007
OpenBSD	Unknown	4-Sep-2007
Openwall GNU/*/Linux	Unknown	24-Aug-2007
QNX, Software Systems, Inc.	Unknown	24-Aug-2007
Red Hat, Inc.	Unknown	24-Aug-2007
Silicon Graphics, Inc.	Unknown	24-Aug-2007
Slackware Linux Inc.	Unknown	24-Aug-2007
Sony Corporation	Unknown	24-Aug-2007
Sun Microsystems, Inc.	Not Vulnerable	6-Sep-2007
SUSE Linux	Vulnerable	6-Sep-2007
The SCO Group	Unknown	24-Aug-2007
Trustix Secure Linux	Unknown	24-Aug-2007
Turbolinux	Unknown	24-Aug-2007
Ubuntu	Unknown	24-Aug-2007
Unisys	Unknown	24-Aug-2007
Wind River Systems, Inc.	Unknown	24-Aug-2007

References

http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-006.txt
http://secunia.com/advisories/26676/

Credit

Thanks to the MIT Kerberos team for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

Date Public	09/04/2007
Date First Published	09/04/2007 03:19:21 PM
Date Last Updated	09/06/2007
CERT Advisory
CVE Name	CVE-2007-4000
Metric	0.63
Document Revision	18

Original Source

Url : http://www.kb.cert.org/vuls/id/377544

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:22682

Oval ID:	oval:org.mitre.oval:def:22682
Title:	ELSA-2007:0858: krb5 security update (Important)
Description:	The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
Family:	unix	Class:	patch
Reference(s):	ELSA-2007:0858-01 CVE-2007-3999 CVE-2007-4000	Version:	13
Platform(s):	Oracle Linux 5	Product(s):	krb5
Definition Synopsis:
Oracle Linux 5.x rpm test krb5-libs is earlier than 0:1.5-29 AND krb5-devel is earlier than 0:1.5-29 AND krb5-server is earlier than 0:1.5-29 AND krb5 is earlier than 0:1.5-29 AND krb5-workstation is earlier than 0:1.5-29

Definition Id: oval:org.mitre.oval:def:9278

Oval ID:	oval:org.mitre.oval:def:9278
Title:	The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
Description:	The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2007-4000	Version:	5
Platform(s):	Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5	Product(s):
Definition Synopsis:
RHEL5, CentOS5 or Oracle Linux 5 The operating system installed on the system is Red Hat Enterprise Linux 5 AND CentOS Linux 5.x AND Oracle Linux 5.x AND Configuration section krb5-workstation is earlier than 0:1.5-29 AND krb5 is earlier than 0:1.5-29 AND krb5-libs is earlier than 0:1.5-29 AND krb5-server is earlier than 0:1.5-29 AND krb5-devel is earlier than 0:1.5-29

CPE : Common Platform Enumeration

Type	Description	Count
Application	Mit Kerberos 5 cpe:2.3:a:mit:kerberos_5:1.6.2:::::::* cpe:2.3:a:mit:kerberos_5:1.6.1:::::::* cpe:2.3:a:mit:kerberos_5:1.6:::::::* cpe:2.3:a:mit:kerberos_5:1.5.3:::::::* cpe:2.3:a:mit:kerberos_5:1.5.2:::::::* cpe:2.3:a:mit:kerberos_5:1.5.1:::::::* cpe:2.3:a:mit:kerberos_5:1.5:::::::* cpe:2.3:a:mit:kerberos_5:1.4.4:::::::* cpe:2.3:a:mit:kerberos_5:1.4.3:::::::* cpe:2.3:a:mit:kerberos_5:1.4.2:::::::* cpe:2.3:a:mit:kerberos_5:1.4.1:::::::* cpe:2.3:a:mit:kerberos_5:1.4:::::::* cpe:2.3:a:mit:kerberos_5:1.3.6:::::::* cpe:2.3:a:mit:kerberos_5:1.3.5:::::::* cpe:2.3:a:mit:kerberos_5:1.3.4:::::::* cpe:2.3:a:mit:kerberos_5:1.3.3:::::::* cpe:2.3:a:mit:kerberos_5:1.3.2:::::::* cpe:2.3:a:mit:kerberos_5:1.3.1:::::::* cpe:2.3:a:mit:kerberos_5:1.3:-:::::: cpe:2.3:a:mit:kerberos_5:1.3:alpha1:::::: cpe:2.3:a:mit:kerberos_5:1.2.8:::::::* cpe:2.3:a:mit:kerberos_5:1.2.7:::::::* cpe:2.3:a:mit:kerberos_5:1.2.6:::::::* cpe:2.3:a:mit:kerberos_5:1.2.5:::::::* cpe:2.3:a:mit:kerberos_5:1.2.4:::::::* cpe:2.3:a:mit:kerberos_5:1.2.3:::::::* cpe:2.3:a:mit:kerberos_5:1.2.2:::::::* cpe:2.3:a:mit:kerberos_5:1.2.1:::::::* cpe:2.3:a:mit:kerberos_5:1.2:beta2:::::: cpe:2.3:a:mit:kerberos_5:1.2:beta1:::::: cpe:2.3:a:mit:kerberos_5:1.2:-:::::: cpe:2.3:a:mit:kerberos_5:1.1.1:::::::* cpe:2.3:a:mit:kerberos_5:1.1:::::::* cpe:2.3:a:mit:kerberos_5:1.0.6:::::::* cpe:2.3:a:mit:kerberos_5:1.0:-:::::: cpe:2.3:a:mit:kerberos_5:::::::: cpe:2.3:a:mit:kerberos_5:-:::::::*	37
Os	Fedoraproject Fedora cpe:2.3:o:fedoraproject:fedora:7:::::::*	1

OpenVAS Exploits

Date	Description
2009-04-09	Name : Mandriva Update for krb5 MDKSA-2007:174 (krb5) File : nvt/gb_mandriva_MDKSA_2007_174.nasl
2009-04-09	Name : Mandriva Update for krb5 MDKSA-2007:174-1 (krb5) File : nvt/gb_mandriva_MDKSA_2007_174_1.nasl
2009-02-27	Name : Fedora Update for krb5 FEDORA-2007-2017 File : nvt/gb_fedora_2007_2017_krb5_fc7.nasl
2009-02-27	Name : Fedora Update for krb5 FEDORA-2007-2066 File : nvt/gb_fedora_2007_2066_krb5_fc7.nasl
2009-02-27	Name : Fedora Update for krb5 FEDORA-2007-690 File : nvt/gb_fedora_2007_690_krb5_fc6.nasl
2009-02-16	Name : Fedora Update for krb5 FEDORA-2008-2637 File : nvt/gb_fedora_2008_2637_krb5_fc7.nasl
2008-09-24	Name : Gentoo Security Advisory GLSA 200709-01 (mit-krb5) File : nvt/glsa_200709_01.nasl

Open Source Vulnerability Database (OSVDB)

Id	Description
37325	MIT Kerberos 5 kadmind lib/kadm5/srv/svr_policy.c kadm5_modify_policy_interna...

Nessus® Vulnerability Scanner

Date	Description
2013-07-12	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0858.nasl - Type : ACT_GATHER_INFO
2012-08-01	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070904_krb5_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2010-01-06	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0858.nasl - Type : ACT_GATHER_INFO
2007-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_krb5-4192.nasl - Type : ACT_GATHER_INFO
2007-12-13	Name : The remote SuSE 10 host is missing a security-related patch. File : suse_krb5-4249.nasl - Type : ACT_GATHER_INFO
2007-11-10	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-511-1.nasl - Type : ACT_GATHER_INFO
2007-11-06	Name : The remote Fedora host is missing a security update. File : fedora_2007-2017.nasl - Type : ACT_GATHER_INFO
2007-10-17	Name : The remote openSUSE host is missing a security update. File : suse_krb5-4191.nasl - Type : ACT_GATHER_INFO
2007-10-17	Name : The remote openSUSE host is missing a security update. File : suse_krb5-4248.nasl - Type : ACT_GATHER_INFO
2007-09-14	Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200709-01.nasl - Type : ACT_GATHER_INFO
2007-09-07	Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-174.nasl - Type : ACT_GATHER_INFO
2007-09-05	Name : The remote Fedora Core host is missing a security update. File : fedora_2007-690.nasl - Type : ACT_GATHER_INFO
2007-09-05	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0858.nasl - Type : ACT_GATHER_INFO

Global Informations

Type	Count
Oval ID(s)	2
CPE ID(s)	38
osvdb(s)	1
Openvas Exploit(s)	7
Nessus® Exploit(s)	13

	Related
8.5	CVE-2007-4000
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 1 more Alert(s)