|
|
|
View Notes By
|
|
|
|
Other Documents
|
|
|
|
|
Vulnerability Note VU#377544
MIT Kerberos 5 kadmind privilege escalation vulnerability
OverviewMIT Kerberos kadmind contains a privilege escalation vulnerability that may allow an authenticated attacker to execute code with root privileges.
I. DescriptionKerberos is a network authentication system that uses a trusted third party to authenticate clients and servers to each other. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions. The kadmind daemon is the administration server that runs on the master Kerberos server.
From the kadmind manual page:
This command starts the KADM5 administration server. The administration server runs on the master Kerberos server, which stores the KDC principal database and the KADM5 policy database. Kadmind accepts remote requests to administer the information in these databases. Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of kadmind.
Per MITKRB5-SA-2007-006 there is a privilege execution vulnerability in kadmind that may allow an authenticated user with modify policy privileges to execute arbitrary code. Note that per MITKRB5-SA-2007-006, versions of kerberos prior to krb5-1.5 are not affected by this vulnerability.
II. ImpactA local attacker, who has modify policy privileges, may be able to execute arbitrary code with elevated privileges
III. SolutionUpdate
The Kerberos team has released an update to address this issue. Please see MITKRB5-SA-2007-006 for more information on obtaining fixed software.
Systems Affected
| Vendor | Status | Date Updated |
|---|
| Apple Computer, Inc. | Unknown | 24-Aug-2007 |
| AttachmateWRQ, Inc. | Unknown | 24-Aug-2007 |
| Conectiva Inc. | Unknown | 24-Aug-2007 |
| Cray Inc. | Unknown | 24-Aug-2007 |
| CyberSafe, Inc. | Unknown | 24-Aug-2007 |
| Debian GNU/Linux | Unknown | 24-Aug-2007 |
| EMC Corporation | Unknown | 24-Aug-2007 |
| Engarde Secure Linux | Unknown | 24-Aug-2007 |
| F5 Networks, Inc. | Unknown | 24-Aug-2007 |
| Fedora Project | Unknown | 24-Aug-2007 |
| FreeBSD, Inc. | Unknown | 24-Aug-2007 |
| Fujitsu | Unknown | 24-Aug-2007 |
| Gentoo Linux | Vulnerable | 26-Oct-2007 |
| Hewlett-Packard Company | Unknown | 24-Aug-2007 |
| Hitachi | Unknown | 24-Aug-2007 |
| IBM Corporation | Unknown | 24-Aug-2007 |
| IBM Corporation (zseries) | Unknown | 24-Aug-2007 |
| IBM eServer | Unknown | 24-Aug-2007 |
| Immunix Communications, Inc. | Unknown | 24-Aug-2007 |
| Ingrian Networks, Inc. | Unknown | 24-Aug-2007 |
| Juniper Networks, Inc. | Unknown | 24-Aug-2007 |
| KTH Kerberos Team | Unknown | 24-Aug-2007 |
| Mandriva, Inc. | Unknown | 24-Aug-2007 |
| Microsoft Corporation | Not Vulnerable | 4-Sep-2007 |
| MIT Kerberos Development Team | Vulnerable | 4-Sep-2007 |
| MontaVista Software, Inc. | Unknown | 24-Aug-2007 |
| NEC Corporation | Unknown | 24-Aug-2007 |
| NetBSD | Unknown | 24-Aug-2007 |
| Novell, Inc. | Unknown | 24-Aug-2007 |
| OpenBSD | Unknown | 4-Sep-2007 |
| Openwall GNU/*/Linux | Unknown | 24-Aug-2007 |
| QNX, Software Systems, Inc. | Unknown | 24-Aug-2007 |
| Red Hat, Inc. | Vulnerable | 11-Sep-2007 |
| Silicon Graphics, Inc. | Unknown | 24-Aug-2007 |
| Slackware Linux Inc. | Unknown | 24-Aug-2007 |
| Sony Corporation | Unknown | 24-Aug-2007 |
| Sun Microsystems, Inc. | Not Vulnerable | 6-Sep-2007 |
| SUSE Linux | Vulnerable | 6-Sep-2007 |
| The SCO Group | Unknown | 24-Aug-2007 |
| Trustix Secure Linux | Unknown | 24-Aug-2007 |
| Turbolinux | Unknown | 24-Aug-2007 |
| Ubuntu | Unknown | 24-Aug-2007 |
| Unisys | Unknown | 24-Aug-2007 |
| Wind River Systems, Inc. | Unknown | 24-Aug-2007 |
References
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2007-006.txt
http://secunia.com/advisories/26676/
Credit
Thanks to the MIT Kerberos team for information that was used in this report.
This document was written by Ryan Giobbi.
Other Information
| Date Public | 09/04/2007 |
| Date First Published | 09/04/2007 03:19:21 PM |
| Date Last Updated | 10/26/2007 |
| CERT Advisory | |
| CVE-ID(s) | CVE-2007-4000 |
| NVD-ID(s) | CVE-2007-4000 |
| US-CERT Technical Alerts | |
| Metric | 0.63 |
| Document Revision | 18 |
If you have feedback, comments, or additional information about this vulnerability, please send us
email.
|
|
Get Adobe Reader