Microsoft Information for VU#759265

Kerberos client code buffer overflow in kdc_reply_cipher()

Status

Not Affected

Vendor Statement

Windows 2000 does not support Kerb IV. W2K has completely different implementation of the protocol and is not vulnerable to the specific buffer overflow condition using memcpy identified by VU#759265. (Note that buffer overrun as a general implementation problem is one we are continuously on guard against through our buffer overrun examination tools, internal code reviews, and in the case of kerberos implementation, an external security code review).

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Vendor References

None

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.