Vulnerability Note VU#365313
MIT Kerberos kadmind RPC library gssrpc__svcauth_unix() integer conversion error
The MIT Kerberos administration daemon (kadmind) contains an integer conversion error vulnerability, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.
The gssrpc__svcauth_unix() function used by the Kerberos administration daemon contains an integer conversion error. This vulnerability may cause a stack buffer overflow that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004:
The function gssrpc__svcauth_unix() in src/lib/rpc/svc_auth_unix.c stores an unsigned integer obtained from IXDR_GET_U_LONG into a signed integer variable "str_len". Subsequently, it checks that "str_len" is less than MAX_MACHINE_NAME, which will always be true if "str_len" is negative, which can happen when a large unsigned integer is converted to a signed integer. Once the length check succeeds, gssrpc__svcauth_unix() calls memmove() with a length of "str_len" with the target in a stack buffer.
This vulnerability occurred as a result of failing to comply with rule INT31-C of the CERT C Programming Language Secure Coding Standard.
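The flawed length check described in the advisory, next to an INT31-C style range check, as an added example that is not MIT's code. The names xdr_get_u32, flawed_length_check and copy_machine_name are hypothetical, the value 255 for MAX_MACHINE_NAME is an assumption, and the flawed function only reports the length memmove() would receive without copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_MACHINE_NAME 255 /* assumed value of the RPC header constant */

/* Hypothetical stand-in for IXDR_GET_U_LONG: big-endian 32-bit XDR value. */
static uint32_t xdr_get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* Flawed pattern: the unsigned wire value is stored in a signed int and only
 * the upper bound is checked. Returns 1 if the check passes; *copy_len gets
 * the size_t that memmove() would be handed. No copy is performed here. */
static int flawed_length_check(uint32_t wire_len, size_t *copy_len)
{
    int str_len = (int)wire_len;   /* values above INT_MAX turn negative */
    *copy_len = (size_t)str_len;   /* a negative int becomes a huge size_t */
    return str_len < MAX_MACHINE_NAME;
}

/* Hardened form: keep the length unsigned and range-check it against the
 * protocol limit, the destination size and the bytes actually received. */
static int copy_machine_name(char *dst, size_t dst_size, const unsigned char *src,
                             size_t src_avail, uint32_t wire_len)
{
    if (wire_len > MAX_MACHINE_NAME || wire_len >= dst_size ||
        wire_len > src_avail)
        return -1;                 /* reject the credential */
    memcpy(dst, src, wire_len);
    dst[wire_len] = '\0';
    return 0;
}

int main(void)
{
    /* Constructed sample input: length field 0xFFFFFFFF, then 4 name bytes. */
    const unsigned char msg[] = { 0xff, 0xff, 0xff, 0xff, 'h', 'o', 's', 't' };
    char name[MAX_MACHINE_NAME + 1];
    size_t n;
    uint32_t len = xdr_get_u32(msg);
    printf("flawed check passes: %d (copy length %zu)\n",
           flawed_length_check(len, &n), n);
    printf("hardened copy returns: %d\n",
           copy_machine_name(name, sizeof name, msg + 4, sizeof msg - 4, len));
    return 0;
}
```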
A remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
Apply a patch
Systems Affected
| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian GNU/Linux | Affected | 18 Jun 2007 | 30 Jul 2007 |
| Mandriva, Inc. | Affected | 18 Jun 2007 | 27 Jun 2007 |
| Red Hat, Inc. | Affected | 18 Jun 2007 | 26 Jun 2007 |
| Ubuntu | Affected | 18 Jun 2007 | 27 Jun 2007 |
| CyberSafe, Inc. | Not Affected | 18 Jun 2007 | 18 Jun 2007 |
| Juniper Networks, Inc. | Not Affected | 18 Jun 2007 | 26 Jun 2007 |
| Microsoft Corporation | Not Affected | 18 Jun 2007 | 19 Jun 2007 |
| Network Appliance, Inc. | Not Affected | - | 27 Jun 2007 |
| Sun Microsystems, Inc. | Not Affected | 18 Jun 2007 | 28 Jun 2007 |
| Apple Computer, Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| AttachmateWRQ, Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| Conectiva Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| Cray Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| EMC Corporation | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| Engarde Secure Linux | Unknown | 18 Jun 2007 | 18 Jun 2007 |
Thanks to MIT for reporting this vulnerability, who in turn credit Wei Wang of McAfee Avert Labs.
This document was written by Will Dormann.
- CVE IDs: CVE-2007-2443
- Date Public: 26 Jun 2007
- Date First Published: 26 Jun 2007
- Date Last Updated: 08 Aug 2007
- Severity Metric: 5.40
- Document Revision: 12