Home | FAQ | Contact | Privacy Policy
US-CERT
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

 Other Documents
Technical Alerts

Technical Bulletins

Alerts

Security Tips

MiT Kerberos Development Team Information for VU#516825

Date Notified12/11/2002
Date Modified02/11/2004 11:37:30 AM
Status SummaryVulnerable

Vendor Statement

It may be possible for a remote attacker to exploit an integer
overflow in xdrmem_getbytes() to crash the kadmind server process by a
read segmentation fault.  For this to succeed, the kadmind process
must be able to allocate more than MAX_INT bytes of memory.  This is
believed to be unlikely, as most installations are not likely to
permit that the allocation of that much memory.

It may also be possible for a remote attacker to exploit this integer
overflow to obtain sensitive information, such as secret keys, from
the kadmind process.  This is believed to be extremely unlikely, as
there are unlikely to be ways for the information, once improperly
copied, of being returned to the attacker.  In addition, the above
condition of the kadmind being able to allocate huge amounts of memory
must be satisfied.

US-CERT Addendum

The MIT Kerberos development team has released MIT krb5 Security Advisory 2003-003 describing this issue. Users are encouraged to review this document and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2008 by US-CERT, a government organization
Disclaimers and copyright information