Vulnerability Note VU#554257
MIT Kerberos kadmind principal renaming stack buffer overflow
The MIT Kerberos administration daemon (kadmind) contains a stack buffer overflow that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.
A vulnerability exists in the way the principal renaming operation used by the Kerberos administration daemon handles strings and a fixed-size stack buffer. This vulnerability may cause a buffer overflow vulnerability that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-005:
The kadmind code which performs the principal renaming operation passes unchecked string arguments to a sprintf() call which has a fixed-size stack buffer as its destination. These strings are the old and new principal names passed to the rename operation. The attacker needs to authenticate to kadmind to perform this attack, but no administrative privileges are required because the vulnerable code executes prior to privilege verification.
A remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
Apply a patch
Systems Affected (Learn More)
|Vendor||Status||Date Notified||Date Updated|
|Debian GNU/Linux||Affected||18 Jun 2007||30 Jul 2007|
|Gentoo Linux||Affected||18 Jun 2007||14 Aug 2007|
|Red Hat, Inc.||Affected||18 Jun 2007||26 Jun 2007|
|Sun Microsystems, Inc.||Affected||18 Jun 2007||28 Jun 2007|
|Ubuntu||Affected||18 Jun 2007||27 Jun 2007|
|CyberSafe, Inc.||Not Affected||18 Jun 2007||18 Jun 2007|
|Juniper Networks, Inc.||Not Affected||18 Jun 2007||26 Jun 2007|
|Microsoft Corporation||Not Affected||18 Jun 2007||19 Jun 2007|
|Network Appliance, Inc.||Not Affected||-||27 Jun 2007|
|Apple Computer, Inc.||Unknown||18 Jun 2007||18 Jun 2007|
|AttachmateWRQ, Inc.||Unknown||18 Jun 2007||18 Jun 2007|
|Conectiva Inc.||Unknown||18 Jun 2007||18 Jun 2007|
|Cray Inc.||Unknown||18 Jun 2007||18 Jun 2007|
|EMC Corporation||Unknown||18 Jun 2007||18 Jun 2007|
|Engarde Secure Linux||Unknown||18 Jun 2007||18 Jun 2007|
CVSS Metrics (Learn More)
Thanks to MIT for reporting this vulnerability, who in turn credit an anonymous discoverer working with iDefense.
This document was written by Will Dormann.
- CVE IDs: CVE-2007-2798
- Date Public: 26 Jun 2007
- Date First Published: 26 Jun 2007
- Date Last Updated: 14 Aug 2007
- Severity Metric: 16.80
- Document Revision: 16
If you have feedback, comments, or additional information about this vulnerability, please send us email.