Vulnerability Note VU#377544

MIT Kerberos 5 kadmind privilege escalation vulnerability

Original Release date: 04 Sep 2007 | Last revised: 26 Oct 2007


MIT Kerberos kadmind contains a privilege escalation vulnerability that may allow an authenticated attacker to execute code with root privileges.


Kerberos is a network authentication system that uses a trusted third party to authenticate clients and servers to each other. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. MIT Kerberos code is used in network applications from a variety of different vendors and is included in many UNIX and Linux distributions. The kadmind daemon is the administration server that runs on the master Kerberos server.

From the kadmind manual page:

    This command starts the KADM5 administration server. The administration server runs on the master Kerberos server, which stores the KDC principal database and the KADM5 policy database. Kadmind accepts remote requests to administer the information in these databases. Remote requests are sent, for example, by kadmin(8) and the kpasswd(1) command, both of which are clients of kadmind.
Per MITKRB5-SA-2007-006 there is a privilege execution vulnerability in kadmind that may allow an authenticated user with modify policy privileges to execute arbitrary code. Note that per MITKRB5-SA-2007-006, versions of kerberos prior to krb5-1.5 are not affected by this vulnerability.


A local attacker, who has modify policy privileges, may be able to execute arbitrary code with elevated privileges


The Kerberos team has released an update to address this issue. Please see MITKRB5-SA-2007-006 for more information on obtaining fixed software.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Gentoo LinuxAffected24 Aug 200726 Oct 2007
MIT Kerberos Development TeamAffected23 Aug 200704 Sep 2007
Red Hat, Inc.Affected24 Aug 200711 Sep 2007
SUSE LinuxAffected24 Aug 200706 Sep 2007
Microsoft CorporationNot Affected24 Aug 200704 Sep 2007
Sun Microsystems, Inc.Not Affected24 Aug 200706 Sep 2007
Apple Computer, Inc.Unknown24 Aug 200724 Aug 2007
AttachmateWRQ, Inc.Unknown24 Aug 200724 Aug 2007
Conectiva Inc.Unknown24 Aug 200724 Aug 2007
Cray Inc.Unknown24 Aug 200724 Aug 2007
CyberSafe, Inc.Unknown24 Aug 200724 Aug 2007
Debian GNU/LinuxUnknown24 Aug 200724 Aug 2007
EMC CorporationUnknown24 Aug 200724 Aug 2007
Engarde Secure LinuxUnknown24 Aug 200724 Aug 2007
F5 Networks, Inc.Unknown24 Aug 200724 Aug 2007
If you are a vendor and your product is affected, let us know.View More »

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A



Thanks to the MIT Kerberos team for information that was used in this report.

This document was written by Ryan Giobbi.

Other Information

  • CVE IDs: CVE-2007-4000
  • Date Public: 04 Sep 2007
  • Date First Published: 04 Sep 2007
  • Date Last Updated: 26 Oct 2007
  • Severity Metric: 0.63
  • Document Revision: 18


If you have feedback, comments, or additional information about this vulnerability, please send us email.