Vulnerability Note VU#481564

Kerberos administration daemon fails to properly initialize function pointers

Original Release date: 09 Jan 2007 | Last revised: 10 May 2007

Overview

The Kerberos administration daemon fails to properly initialize pointers. This vulnerability may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.

Description

A vulnerability exists in the way the Kerberos administration daemon handles pointers that may allow a remote, unauthenticated user to execute arbitrary code. According to MIT krb5 Security Advisory 2006-002:

    The Kerberos administration daemon, "kadmind", can execute arbitrary code by calling through a function pointer located in freed memory. This vulnerability results from bugs in the server-side portion of the RPC library.


Note that krb5-1.4 through krb5-1.4.4 and krb5-1.5 through krb5-1.5.1 are affected by this vulnerability. Other server applications that use the RPC library provided with MIT krb5 may also be affected.

This vulnerability can be triggered by sending a specially crafted Kerberos packet to a vulnerable system.
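
The bug class described above is an indirect call through a function pointer that was never given a defined value. The following added example is not taken from the advisory or from MIT krb5, and every type and function name in it is hypothetical. It shows the defensive pattern: pointers are set explicitly at allocation, and teardown is safe at any stage of setup.

```c
#include <stdlib.h>

/* Hypothetical types and names; this is not the MIT krb5 RPC library code. */
struct auth_ops { void (*destroy)(void *state); };
struct transport { const struct auth_ops *auth; void *auth_state; };

static int destroy_calls;   /* counts destructor runs, for this example only */
static void real_destroy(void *state) { destroy_calls++; free(state); }
static const struct auth_ops real_ops = { real_destroy };

/* Weak form, comment only: malloc() leaves t->auth holding stale heap bytes,
 * so an error path that tears down before assigning it calls through them:
 *     struct transport *t = malloc(sizeof *t);
 *     if (setup_failed) t->auth->destroy(t->auth_state);   */

/* Hardened form: every pointer has a defined value from allocation onward. */
struct transport *transport_new(void)
{
    struct transport *t = malloc(sizeof *t);
    if (t != NULL) { t->auth = NULL; t->auth_state = NULL; }
    return t;
}

int transport_attach_auth(struct transport *t)
{
    void *state = malloc(16);   /* constructed stand-in for real auth state */
    if (state == NULL) return -1;
    t->auth_state = state;
    t->auth = &real_ops;        /* set only once the state it needs exists */
    return 0;
}

/* Safe at any stage of setup. Returns 1 if a destructor ran, otherwise 0. */
int transport_destroy(struct transport *t)
{
    int ran = (t != NULL && t->auth != NULL && t->auth->destroy != NULL);
    if (ran) t->auth->destroy(t->auth_state);
    free(t);
    return ran;
}

int main(void)
{
    struct transport *early = transport_new();  /* setup stops before attach */
    struct transport *full = transport_new();
    if (!early || !full || transport_attach_auth(full) != 0) return 2;
    /* Exit 0 when the early path ran no destructor and the full path ran one. */
    return !(transport_destroy(early) == 0 && transport_destroy(full) == 1);
}
```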

Impact

A remote, unauthenticated user may be able to execute arbitrary code, resulting in the compromise of the Kerberos key database, or cause a denial of service.

Solution

Apply Patch

A patch can be obtained from MIT krb5 Security Advisory 2006-002. MIT also states that this will be addressed in the upcoming krb5-1.6 release and krb5-1.5.2 patch release.

Systems Affected

Vendor                          Status        Date Notified  Date Updated
Debian GNU/Linux                Affected      04 Jan 2007    19 Jan 2007
Fedora Project                  Affected      04 Jan 2007    11 Jan 2007
Gentoo Linux                    Affected      04 Jan 2007    07 Feb 2007
Mandriva, Inc.                  Affected      04 Jan 2007    11 Jan 2007
MIT Kerberos Development Team   Affected      04 Jan 2007    09 Jan 2007
OpenPKG                         Affected      -              11 Jan 2007
rPath                           Affected      -              12 Jan 2007
Slackware Linux Inc.            Affected      04 Jan 2007    19 Jan 2007
SUSE Linux                      Affected      04 Jan 2007    11 Jan 2007
Trustix Secure Linux            Affected      04 Jan 2007    19 Jan 2007
Ubuntu                          Affected      04 Jan 2007    16 Jan 2007
AttachmateWRQ, Inc.             Not Affected  04 Jan 2007    07 Feb 2007
CyberSafe, Inc.                 Not Affected  04 Jan 2007    05 Jan 2007
Force10 Networks, Inc.          Not Affected  04 Jan 2007    10 May 2007
Hitachi                         Not Affected  04 Jan 2007    16 Jan 2007

CVSS Metrics

Group          Score  Vector
Base           N/A    N/A
Temporal       N/A    N/A
Environmental  N/A    N/A

Credit

This issue is addressed in MIT krb5 Security Advisory 2006-002. MIT credits Andrew Korty from Indiana University for reporting this issue.

This document was written by Chris Taschner.

Other Information

  • CVE IDs: CVE-2006-6143
  • Date Public: 09 Jan 2007
  • Date First Published: 09 Jan 2007
  • Date Last Updated: 10 May 2007
  • Severity Metric: 20.92
  • Document Revision: 55
