Vulnerability Note VU#419344
MIT Kerberos 5 GSS-API library double-free vulnerability
The GSS-API library provided with MIT krb5 contains a vulnerability that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.
A vulnerability in the way the GSS-API library provided with MIT krb5 handles messages with an invalid direction encoding may result in a double free. According to MIT krb5 Security Advisory MITKRB5-SA-2007-003:
The kg_unseal_v1() function in src/lib/gssapi/krb5/k5unseal.c frees memory allocated for the "message_buffer" gss_buffer_t when it detects an invalid direction encoding on the message. It does not set the pointer to NULL, nor does it set the length to zero. An application subsequently calling gss_release_buffer() on this gss_buffer_t will cause memory to be freed twice.
This vulnerability can be triggered by sending a specially crafted Kerberos message to a vulnerable system.
A remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Apple Computer, Inc.||Affected||04 Apr 2007||20 Apr 2007|
|Debian GNU/Linux||Affected||-||04 Apr 2007|
|Gentoo Linux||Affected||21 Mar 2007||04 Apr 2007|
|Mandriva, Inc.||Affected||04 Apr 2007||05 Apr 2007|
|MIT Kerberos Development Team||Affected||-||03 Apr 2007|
|Red Hat, Inc.||Affected||-||02 Apr 2007|
|rPath||Affected||-||05 Apr 2007|
|SUSE Linux||Affected||04 Apr 2007||05 Apr 2007|
|Trustix Secure Linux||Affected||04 Apr 2007||06 Apr 2007|
|Ubuntu||Affected||21 Mar 2007||04 Apr 2007|
|AttachmateWRQ, Inc.||Not Affected||21 Mar 2007||04 Apr 2007|
|Cisco Systems, Inc.||Not Affected||-||02 Apr 2007|
|CyberSafe, Inc.||Not Affected||21 Mar 2007||04 Apr 2007|
|Force10 Networks, Inc.||Not Affected||21 Mar 2007||04 Apr 2007|
|Heimdal Kerberos Project||Not Affected||21 Mar 2007||04 Apr 2007|
CVSS Metrics (Learn More)
This issue is addressed in MIT krb5 Security Advisory MITKRB5-SA-2007-003.
This document was written by Chris Taschner.
- CVE IDs: CVE-2007-1216
- Date Public: 03 Apr 2007
- Date First Published: 03 Apr 2007
- Date Last Updated: 23 Apr 2007
- Severity Metric: 17.85
- Document Revision: 43
If you have feedback, comments, or additional information about this vulnerability, please send us email.