IBM Information for VU#875073

Kerberos administration daemon vulnerable to buffer overflow

Status

Affected

Vendor Statement

The IBM pSeries Parallel Systems Support Programs (PSSP) implementation of Kerberos V4 (shipped with PSSP) is potentially vulnerable to the Kerberos V4 administration daemon buffer overflow described in CA-2002-29. For more information, see:

http://techsupport.services.ibm.com/server/nav?fetch=/spflashes/home.html
Click on the Service Flash for "Potential Kerberos V4 security vulnerability." This link also contains APAR numbers and solution information.

The IBM Network Authentication Service (NAS) product is not vulnerable to the buffer overflow vulnerability in the kadmind4 daemon. NAS is currently at release 1.3 and is available from the AIX Expansion Pack. The kadmind4 daemon is not part of the NAS product.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

It is possible that PSSP and other IBM and third-party applications using DCE/Kerberos 5 may be vulnerable if they support Kerberos 4 administration.

If you have feedback, comments, or additional information about this vulnerability, please send us email.