Vulnerability Note VU#356961
MIT Kerberos kadmind RPC library gssrpc__svcauth_gssapi() uninitialized pointer free vulnerability
The MIT Kerberos administration daemon (kadmind) can free an uninitialized pointer, which may allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service.
The gssrpc__svcauth_gssapi() function used by the Kerberos administration daemon can free an uninitialized pointer when receiving a specially crafted RPC request. This vulnerability may cause memory corruption that could allow a remote, unauthenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-004:
The function gssrpc__svcauth_gssapi() in src/lib/rpc/svc_auth_gssapi.c declares an automatic variable "creds" of type auth_gssapi_creds. This type includes a gss_buffer_desc (which includes a pointer to void used as a pointer to a buffer of bytes). If gssrpc__svcauth_gssapi() receives an RPC credential with a length of zero, it jumps to the label "error", which executes some cleanup code. At this point, the gss_buffer_desc in "creds" is not yet initialized, and the cleanup code calls xdr_free() on "creds", which then attempts to free the memory pointed to by the uninitialized "value" member of the gss_buffer_desc.
This vulnerability occurred as a result of failing to comply with rule EXP33-C ("Do not read uninitialized memory") of the CERT C Programming Language Secure Coding Standard.
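As an added illustration (not code from krb5 or from the advisory), the defect pattern beside its EXP33-C-compliant fix: the struct types, the creds_free() stand-in for xdr_free(), the leak counter and the sample credential bytes are constructed, and the "first byte is a version number" check is an assumption made only to give the hardened function a second error path to exercise.

```c
#include <stdlib.h>
#include <string.h>
/* Constructed stand-ins for the krb5 types the advisory names, not the real
   gss_buffer_desc / auth_gssapi_creds definitions. */
typedef struct { size_t length; void *value; } buffer_desc;
typedef struct { unsigned int version; buffer_desc auth_msg; } gssapi_creds;
int live_buffers;                          /* outstanding allocations (leak check) */
/* Stand-in for xdr_free(): releases whatever the creds buffer points at. */
static void creds_free(gssapi_creds *c)
{
    if (c->auth_msg.value != NULL) { free(c->auth_msg.value); live_buffers--; }
    c->auth_msg.value = NULL; c->auth_msg.length = 0;
}
/* Vulnerable shape (illustration only, never call it with cred_len == 0):
   "creds" is still indeterminate when the zero-length check jumps to the
   cleanup label, so creds_free() frees garbage, the defect in the advisory. */
int svcauth_vulnerable(size_t cred_len)
{
    gssapi_creds creds;                    /* NOT initialised */
    if (cred_len == 0)
        goto error;                        /* cleanup runs before any assignment */
    creds.auth_msg.value = NULL;           /* the normal path initialises it here */
error:
    creds_free(&creds);                    /* undefined behaviour on the early path */
    return -1;
}
/* Hardened shape: the struct is zeroed before any path can reach the cleanup
   label (CERT EXP33-C), so creds_free() only ever sees NULL or a live buffer. */
static int svcauth_fixed(const unsigned char *cred, size_t cred_len)
{
    gssapi_creds creds = { 0 };
    int rc = -1;
    if (cred_len == 0)                     /* the zero-length credential case */
        goto error;
    creds.auth_msg.value = malloc(cred_len);
    if (creds.auth_msg.value == NULL)
        goto error;
    live_buffers++;
    memcpy(creds.auth_msg.value, cred, cred_len);
    creds.auth_msg.length = cred_len;
    creds.version = cred[0];               /* constructed: first byte is the version */
    if (creds.version != 1)
        goto error;                        /* rejected, buffer still freed below */
    rc = 0;
error:
    creds_free(&creds);                    /* safe on every path */
    return rc;
}
static const unsigned char sample_cred_v1[] = { 1, 0xAA, 0xBB }; /* constructed, accepted */
static const unsigned char sample_cred_v2[] = { 2, 0xAA };       /* constructed, rejected */
```

After any sequence of calls to svcauth_fixed(), live_buffers should be back at zero, which is the check that the single cleanup label is reached with a valid pointer on every path.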
A remote, unauthenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.
Apply a patch
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Debian GNU/Linux | Affected | 18 Jun 2007 | 30 Jul 2007 |
| Red Hat, Inc. | Affected | 18 Jun 2007 | 26 Jun 2007 |
| Sun Microsystems, Inc. | Affected | 18 Jun 2007 | 28 Jun 2007 |
| CyberSafe, Inc. | Not Affected | 18 Jun 2007 | 18 Jun 2007 |
| Microsoft Corporation | Not Affected | 18 Jun 2007 | 19 Jun 2007 |
| Network Appliance, Inc. | Not Affected | - | 27 Jun 2007 |
| Apple Computer, Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| AttachmateWRQ, Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| Conectiva Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| Cray Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| EMC Corporation | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| Engarde Secure Linux | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| F5 Networks, Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| Fedora Project | Unknown | 18 Jun 2007 | 18 Jun 2007 |
| FreeBSD, Inc. | Unknown | 18 Jun 2007 | 18 Jun 2007 |
Thanks to MIT for reporting this vulnerability; MIT in turn credits Wei Wang of McAfee Avert Labs.
This document was written by Will Dormann.
- CVE IDs: CVE-2007-2442
- Date Public: 26 Jun 2007
- Date First Published: 26 Jun 2007
- Date Last Updated: 08 Aug 2007
- Severity Metric: 5.40
- Document Revision: 18