Home | FAQ | Contact | Privacy Policy
US-CERT
Vulnerability
Notes
Database

Search Vulnerability Notes

Vulnerability Notes Help Information
 

 View Notes By
Name

ID Number

CVE Name

Date Public

Date Published

Date Updated

Severity Metric

 Other Documents
Technical Alerts

Technical Bulletins

Alerts

Security Tips

OpenBSD Information for VU#623217

Date Notified:2003-03-05
Date Updated:
Statement Date:
Status Summary:Vulnerable

Vendor Statement

There is a cryptographic weaknesses in the Kerberos v4 protocol
(this is not something that is fixable in Kerberos v4). Sites still
using Kerberos v4 should migrate to Kerberos v5.

Kerberos v5 does not have this weakness, but since it contains v4
to v5 translation services it is still possible to exploit the v4
protocol defect.

For more information, please see:
   http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt

The following patches cause Kerberos v4 requests from foreign realms
to be ignored unless support for this is explicitly enabled.

Patch for OpenBSD 3.1:
   ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.1/common/026_kerberos.patch

Patch for OpenBSD 3.2:
   ftp://ftp.openbsd.org/pub/OpenBSD/patches/3.2/common/013_kerberos.patch

The aforementioned patches have already been applied to the 3.1 and
3.2 -stable branches.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.
 

Produced 2009 by US-CERT, a government organization
Disclaimers and copyright information