Executive Summary
Summary | |
---|---|
Title | MIT Kerberos kadmind principal renaming stack buffer overflow |
Informations | |||
---|---|---|---|
Name | VU#554257 | First vendor Publication | 2007-06-26 |
Vendor | VU-CERT | Last vendor Modification | 2007-08-08 |
Severity (Vendor) | N/A | Revision | M |
Security-Database Scoring CVSS v3
Cvss vector : N/A | |||
---|---|---|---|
Overall CVSS Score | NA | ||
Base Score | NA | Environmental Score | NA |
impact SubScore | NA | Temporal Score | NA |
Exploitabality Sub Score | NA | ||
Calculate full CVSS 3.0 Vectors scores |
Security-Database Scoring CVSS v2
Cvss vector : (AV:A/AC:M/Au:S/C:C/I:C/A:C) | |||
---|---|---|---|
Cvss Base Score | 7.4 | Attack Range | Adjacent network |
Cvss Impact Score | 10 | Attack Complexity | Medium |
Cvss Expoit Score | 4.4 | Authentication | Requires single instance |
Calculate full CVSS 2.0 Vectors scores |
Detail
Vulnerability Note VU#554257MIT Kerberos kadmind principal renaming stack buffer overflowOverviewThe MIT Kerberos administration daemon (kadmind) contains a stack buffer overflow that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.I. DescriptionA vulnerability exists in the way the principal renaming operation used by the Kerberos administration daemon handles strings and a fixed-size stack buffer. This vulnerability may cause a buffer overflow vulnerability that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-005:The kadmind code which performs the principal renaming operation passes unchecked string arguments to a sprintf() call which has a fixed-size stack buffer as its destination. These strings are the old and new principal names passed to the rename operation. The attacker needs to authenticate to kadmind to perform this attack, but no administrative privileges are required because the vulnerable code executes prior to privilege verification. II. ImpactA remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.III. SolutionApply a patchA patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-005. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases.
References
Thanks to MIT for reporting this vulnerability, who in turn credit an anonymous discoverer working with iDefense. This document was written by Will Dormann.
|
Original Source
Url : http://www.kb.cert.org/vuls/id/554257 |
CWE : Common Weakness Enumeration
% | Id | Name |
---|---|---|
100 % | CWE-787 | Out-of-bounds Write (CWE/SANS Top 25) |
OVAL Definitions
Definition Id: oval:org.mitre.oval:def:1726 | |||
Oval ID: | oval:org.mitre.oval:def:1726 | ||
Title: | Security Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code Execution | ||
Description: | Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-2798 | Version: | 2 |
Platform(s): | Sun Solaris 9 Sun Solaris 10 | Product(s): | |
Definition Synopsis: | |||
|
Definition Id: oval:org.mitre.oval:def:20462 | |||
Oval ID: | oval:org.mitre.oval:def:20462 | ||
Title: | DSA-1323-1 krb5 | ||
Description: | Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code. | ||
Family: | unix | Class: | patch |
Reference(s): | DSA-1323-1 CVE-2007-2442 CVE-2007-2443 CVE-2007-2798 | Version: | 5 |
Platform(s): | Debian GNU/Linux 4.0 | Product(s): | krb5 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:22639 | |||
Oval ID: | oval:org.mitre.oval:def:22639 | ||
Title: | ELSA-2007:0562: krb5 security update (Important) | ||
Description: | Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. | ||
Family: | unix | Class: | patch |
Reference(s): | ELSA-2007:0562-02 CVE-2007-2442 CVE-2007-2443 CVE-2007-2798 | Version: | 17 |
Platform(s): | Oracle Linux 5 | Product(s): | krb5 |
Definition Synopsis: | |||
Definition Id: oval:org.mitre.oval:def:9996 | |||
Oval ID: | oval:org.mitre.oval:def:9996 | ||
Title: | Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. | ||
Description: | Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal. | ||
Family: | unix | Class: | vulnerability |
Reference(s): | CVE-2007-2798 | Version: | 5 |
Platform(s): | Red Hat Enterprise Linux 3 CentOS Linux 3 Red Hat Enterprise Linux 4 CentOS Linux 4 Oracle Linux 4 Red Hat Enterprise Linux 5 CentOS Linux 5 Oracle Linux 5 | Product(s): | |
Definition Synopsis: | |||
|
CPE : Common Platform Enumeration
OpenVAS Exploits
Date | Description |
---|---|
2009-11-17 | Name : Mac OS X Version File : nvt/macosx_version.nasl |
2009-04-09 | Name : Mandriva Update for krb5 MDKSA-2007:137 (krb5) File : nvt/gb_mandriva_MDKSA_2007_137.nasl |
2009-03-23 | Name : Ubuntu Update for krb5 vulnerabilities USN-477-1 File : nvt/gb_ubuntu_USN_477_1.nasl |
2009-02-27 | Name : Fedora Update for krb5 FEDORA-2007-0740 File : nvt/gb_fedora_2007_0740_krb5_fc7.nasl |
2009-02-27 | Name : Fedora Update for krb5 FEDORA-2007-2017 File : nvt/gb_fedora_2007_2017_krb5_fc7.nasl |
2009-02-27 | Name : Fedora Update for krb5 FEDORA-2007-2066 File : nvt/gb_fedora_2007_2066_krb5_fc7.nasl |
2009-02-27 | Name : Fedora Update for krb5 FEDORA-2007-620 File : nvt/gb_fedora_2007_620_krb5_fc5.nasl |
2009-02-27 | Name : Fedora Update for krb5 FEDORA-2007-621 File : nvt/gb_fedora_2007_621_krb5_fc6.nasl |
2009-02-16 | Name : Fedora Update for krb5 FEDORA-2008-2637 File : nvt/gb_fedora_2008_2637_krb5_fc7.nasl |
2009-01-28 | Name : SuSE Update for krb5 SUSE-SA:2007:038 File : nvt/gb_suse_2007_038.nasl |
2008-09-24 | Name : Gentoo Security Advisory GLSA 200707-11 (mit-krb5) File : nvt/glsa_200707_11.nasl |
2008-01-17 | Name : Debian Security Advisory DSA 1323-1 (krb5) File : nvt/deb_1323_1.nasl |
Open Source Vulnerability Database (OSVDB)
Id | Description |
---|---|
36595 | MIT Kerberos kadmind rename_principal_2_svc Function Remote Overflow |
Snort® IPS/IDS
Date | Description |
---|---|
2014-01-10 | portmap 2112 udp rename_principal attempt RuleID : 12188 - Revision : 8 - Type : PROTOCOL-RPC |
2014-01-10 | portmap 2112 tcp rename_principal attempt RuleID : 12187 - Revision : 11 - Type : PROTOCOL-RPC |
2014-01-10 | portmap 2112 udp request RuleID : 12186 - Revision : 9 - Type : PROTOCOL-RPC |
2014-01-10 | portmap 2112 tcp request RuleID : 12185 - Revision : 9 - Type : PROTOCOL-RPC |
Nessus® Vulnerability Scanner
Date | Description |
---|---|
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0562.nasl - Type : ACT_GATHER_INFO |
2013-07-12 | Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2007-0384.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070626_krb5_on_SL5_x.nasl - Type : ACT_GATHER_INFO |
2012-08-01 | Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20070626_krb5_on_SL3.nasl - Type : ACT_GATHER_INFO |
2010-06-28 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_41166.nasl - Type : ACT_GATHER_INFO |
2010-06-28 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_41167.nasl - Type : ACT_GATHER_INFO |
2010-06-28 | Name : The remote HP-UX host is missing a security-related patch. File : hpux_PHSS_41168.nasl - Type : ACT_GATHER_INFO |
2009-07-27 | Name : The remote VMware ESX host is missing one or more security-related patches. File : vmware_VMSA-2007-0006.nasl - Type : ACT_GATHER_INFO |
2007-12-13 | Name : The remote SuSE 10 host is missing a security-related patch. File : suse_krb5-3821.nasl - Type : ACT_GATHER_INFO |
2007-11-10 | Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-477-1.nasl - Type : ACT_GATHER_INFO |
2007-11-06 | Name : The remote Fedora host is missing a security update. File : fedora_2007-0740.nasl - Type : ACT_GATHER_INFO |
2007-10-17 | Name : The remote openSUSE host is missing a security update. File : suse_krb5-3820.nasl - Type : ACT_GATHER_INFO |
2007-08-02 | Name : The remote host is missing a Mac OS X update that fixes various security issues. File : macosx_SecUpd2007-007.nasl - Type : ACT_GATHER_INFO |
2007-07-27 | Name : The remote Gentoo host is missing one or more security-related patches. File : gentoo_GLSA-200707-11.nasl - Type : ACT_GATHER_INFO |
2007-07-01 | Name : The remote Debian host is missing a security-related update. File : debian_DSA-1323.nasl - Type : ACT_GATHER_INFO |
2007-06-27 | Name : The remote Mandrake Linux host is missing one or more security updates. File : mandrake_MDKSA-2007-137.nasl - Type : ACT_GATHER_INFO |
2007-06-27 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0384.nasl - Type : ACT_GATHER_INFO |
2007-06-27 | Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2007-0562.nasl - Type : ACT_GATHER_INFO |
2007-06-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0562.nasl - Type : ACT_GATHER_INFO |
2007-06-27 | Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2007-0384.nasl - Type : ACT_GATHER_INFO |
2004-07-12 | Name : The remote host is missing Sun Security Patch number 112925-08 File : solaris9_112925.nasl - Type : ACT_GATHER_INFO |
2004-07-12 | Name : The remote host is missing Sun Security Patch number 116044-04 File : solaris9_x86_116044.nasl - Type : ACT_GATHER_INFO |