
CERT Coordination Center

MIT Kerberos vulnerable to ticket splicing when using Kerberos4 triple DES service tickets

Vulnerability Note VU#442569

Original Release Date: 2003-03-20 | Last Revised: 2003-05-09

Overview

Several cryptographic vulnerabilities exist in the basic Kerberos version 4 protocol that could allow an attacker to impersonate any user in a Kerberos realm and gain any privilege authorized through that Kerberos realm.

Description

The MIT Kerberos Development team has discovered a serious cryptographic flaw in the Kerberos version 4 protocol. This flaw could allow an attacker to compromise the entire affected Kerberos realm. In addition to the vulnerability described in VU#623217, an additional vulnerability was discovered in the MIT Kerberos implementation of triple-DES encryption of service tickets.

From the MIT advisory:

"As a result of concerns about single DES weaknesses, MIT implemented support for Kerberos 4 tickets encrypted in triple DES service keys. This support shares all the cryptographic weaknesses of single DES Kerberos 4. In addition, since it uses CBC mode rather than PCBC mode, it introduces new weaknesses not found in other Kerberos 4 implementations. When certain alignment constraints are met, it is possible to splice two tickets together, allowing an attacker to get a ticket with a known session key for a client without knowing that client's long term key. This attack does require sniffing a ticket for that client."

As a result, MIT implementations of Kerberos version 5 or derived implementations that include support for triple-DES keys in Kerberos version 4 are vulnerable.
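The CBC/PCBC difference the MIT advisory refers to, as an added example (not code from MIT or CERT/CC). A toy 64-bit Feistel cipher stands in for triple DES, and the key, IV, record contents and function names are constructed for illustration. It joins two ciphertexts at a block boundary, reports which plaintext blocks still decrypt unchanged under each mode, and shows a MAC over the ciphertext (a generic integrity check, not the MIT patch) rejecting the joined record.

```python
import hashlib
import hmac

BLOCK = 8  # DES and triple DES both use 64-bit blocks


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def round_fn(key, rnd, half):
    # Round function of the toy Feistel cipher (a stand-in, NOT DES).
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def enc_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in range(4):
        left, right = right, xor(left, round_fn(key, rnd, right))
    return left + right


def dec_block(key, blk):
    left, right = blk[:4], blk[4:]
    for rnd in reversed(range(4)):
        left, right = xor(right, round_fn(key, rnd, left)), left
    return left + right


def split(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def encrypt(key, iv, pt, mode):
    # CBC chains on the previous ciphertext block only;
    # PCBC chains on previous ciphertext XOR previous plaintext.
    prev_c, prev_p, out = iv, bytes(BLOCK), []
    for p in split(pt):
        chain = prev_c if mode == "cbc" else xor(prev_c, prev_p)
        c = enc_block(key, xor(p, chain))
        out.append(c)
        prev_c, prev_p = c, p
    return b"".join(out)


def decrypt(key, iv, ct, mode):
    prev_c, prev_p, out = iv, bytes(BLOCK), []
    for c in split(ct):
        chain = prev_c if mode == "cbc" else xor(prev_c, prev_p)
        p = xor(dec_block(key, c), chain)
        out.append(p)
        prev_c, prev_p = c, p
    return b"".join(out)


def sample_records(mode):
    # Constructed inputs: two six-block records under one service key.
    key, iv = b"constructed-service-key", bytes(BLOCK)
    pt_a = b"".join(b"A-blk-%02d" % i for i in range(6))
    pt_b = b"".join(b"B-blk-%02d" % i for i in range(6))
    return key, iv, pt_a, pt_b, encrypt(key, iv, pt_a, mode), encrypt(key, iv, pt_b, mode)


def splice_report(mode, cut=2):
    """Join A's first `cut` ciphertext blocks to B's remainder and list
    which decrypted blocks still equal the original plaintext blocks."""
    key, iv, pt_a, pt_b, ct_a, ct_b = sample_records(mode)
    joined = ct_a[:cut * BLOCK] + ct_b[cut * BLOCK:]
    got = split(decrypt(key, iv, joined, mode))
    want_a, want_b = split(pt_a), split(pt_b)
    return {
        "from_a": [i for i in range(cut) if got[i] == want_a[i]],
        "from_b": [i for i in range(cut, len(got)) if got[i] == want_b[i]],
    }


def seal(mac_key, ct):
    # Encrypt-then-MAC: the tag covers every ciphertext block.
    return ct + hmac.new(mac_key, ct, hashlib.sha256).digest()


def open_sealed(mac_key, sealed):
    ct, tag = sealed[:-32], sealed[-32:]
    good = hmac.new(mac_key, ct, hashlib.sha256).digest()
    return ct if hmac.compare_digest(tag, good) else None


def mac_accepts_splice(cut=2):
    _, _, _, _, ct_a, ct_b = sample_records("cbc")
    mac_key = b"constructed-mac-key"
    sealed_a, sealed_b = seal(mac_key, ct_a), seal(mac_key, ct_b)
    joined = sealed_a[:cut * BLOCK] + sealed_b[cut * BLOCK:]  # carries B's tag
    return open_sealed(mac_key, joined) is not None


if __name__ == "__main__":
    # CBC: only the block at the join is garbled; B's later blocks survive.
    print("cbc ", splice_report("cbc"))
    # PCBC: the error at the join propagates into every later block.
    print("pcbc", splice_report("pcbc"))
    # Error propagation is not an integrity check; a MAC is.
    print("MAC accepts joined record:", mac_accepts_splice())
```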

Impact

In addition to the impacts described for VU#623217, an attacker may impersonate any principal to a service keyed with triple-DES Kerberos version 4 keys, given the ability to capture network traffic containing tickets for the target client principal.

Solution

Apply a patch from the vendor

The MIT Kerberos team has released MIT krb5 Security Advisory 2003-004 regarding this vulnerability. Sites are strongly encouraged to apply the patches referenced in the advisory.

Workarounds

In the absence of patching, the following workarounds have been proposed by the MIT Kerberos team:

1) V4 Cross Realm Considered Harmful

   Kerberos implementations should gain an option to
   disable Kerberos 4 cross-realm authentication both in the KDC and
   in any implementations of the krb524 protocol. This configuration
   should be the default.

2) Application Migration

   Application vendors and sites should migrate from Kerberos version 4
   to Kerberos version 5. The OpenAFS community has introduced features
   that allow Kerberos 5 to be used for AFS in OpenAFS 1.2.8. Patches
   are available to add Kerberos 5 support to OpenSSH. Several other
   implementations of the SSH protocol also support Kerberos 5.
   Applications such as IMAP, POP and LDAP already support Kerberos 5.

3) TGT Key Separation

   One motivation for the V4 triple DES support is that if a single
   DES key exists for the TGT principal then an attacker can attack
   that key both for v4 and v5 tickets. Kerberos
   implementations should gain support for a DES TGT key that is used
   for v4 requests but not v5 requests.

4) Remove Triple DES Kerberos 4 Support

   The cut and paste attack is a critical failure in MIT's attempt at
   Kerberos 4 Triple DES. Even without cross-realm authentication,
   this can be exploited in real-world situations. As such the
   support for 3DES service keys should be disabled.

Vendor Information


Conectiva

Notified:  March 05, 2003 Updated:  May 09, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Conectiva has released Conectiva Security Announcement CLSA-2003:639 in response to this issue. Users are encouraged to review this announcement and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Debian

Notified:  March 05, 2003 Updated:  March 31, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Debian Project has released Debian Security Advisories DSA-266 and DSA-273 in response to this issue. Users are encouraged to review these advisories and apply the patches they refer to.


Gentoo Linux

Updated:  March 31, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The Gentoo development team has released the following Gentoo Linux Security Announcements in response to this issue:

    Users are encouraged to review these bulletins and apply the patches they refer to.


    MandrakeSoft

    Notified:  March 05, 2003 Updated:  April 01, 2003

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    MandrakeSoft has issued Mandrake Linux Security Update Advisory MDKSA-2003:043 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


    Red Hat Inc.

    Notified:  March 05, 2003 Updated:  April 02, 2003

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Red Hat has issued Red Hat Security Advisories RHSA-2003:051 and RHSA-2003:091 in response to this issue. Users are encouraged to review these advisories and apply the patches they refer to.


    Wirex

    Notified:  March 05, 2003 Updated:  April 09, 2003

    Status

      Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    WireX Communications, Inc. has released Immunix Secured OS Security Advisory IMNX-2003-7+-007-01 in response to this issue. Users are encouraged to review this advisory and apply the patches it refers to.


    Hitachi

    Notified:  March 05, 2003 Updated:  April 04, 2003

    Status

      Not Vulnerable

    Vendor Statement

    Hitachi's GR2000 gigabit router series
     - is NOT vulnerable.

    Hitachi's HI-UX/WE2
     - is NOT vulnerable, because it does not support Kerberos V4.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Ingrian Networks

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Not Vulnerable

    Vendor Statement

    Ingrian Networks products are not susceptible to VU#623217 and VU#442569.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Juniper Networks

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Not Vulnerable

    Vendor Statement

    Kerberos does not ship with any Juniper product, so there is no vulnerability to these issues.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Lotus Software

    Updated:  March 10, 2003

    Status

      Not Vulnerable

    Vendor Statement

    Kerberos does not ship with any Lotus product, so there is no vulnerability to this issue.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Microsoft Corporation

    Notified:  March 05, 2003 Updated:  March 20, 2003

    Status

      Not Vulnerable

    Vendor Statement

    Microsoft has investigated this issue and determined that our products are not vulnerable to the issues described in the report. Microsoft implementations are based on Kerberos 5.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Xerox

    Notified:  March 05, 2003 Updated:  May 09, 2003

    Status

      Not Vulnerable

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    Xerox Corporation's response to this issue can be found at the following location


    Users are encouraged to review this document to determine if any of the Xerox products they employ are affected by this vulnerability.


    3Com

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    AT&T

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Apple Computer Inc.

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Avaya

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    BSDI

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Cisco Systems Inc.

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Cray Inc.

    Notified:  March 05, 2003 Updated:  March 21, 2003

    Status

      Unknown

    Vendor Statement

    Cray, Inc. may be vulnerable on their UNICOS and UNICOS/mk systems only.  UNICOS/mp is not affected.  SPR 725005 has been opened to investigate.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    D-Link Systems

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Data General

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    F5 Networks

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Foundry Networks Inc.

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    FreeBSD

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Fujitsu

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Guardian Digital Inc.

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Hewlett-Packard Company

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    IBM-zSeries

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Intel

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    KTH Kerberos

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Lucent Technologies

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    MIT Kerberos Development Team

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    MontaVista Software

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Multi-Tech Systems Inc.

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    NEC Corporation

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    NETBSD

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    NeXT

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    NetScreen

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Network Appliance

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Nokia

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Nortel Networks

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    OpenAFS

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    OpenBSD

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Openwall GNU/*/Linux

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Redback Networks Inc.

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Riverstone Networks

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    SGI

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Sequent

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Sony Corporation

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    SuSE Inc.

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Sun Microsystems Inc.

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    The SCO Group (SCO Linux)

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    The SCO Group (SCO UnixWare)

    Notified:  March 05, 2003 Updated:  March 10, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Unisys

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.


    Wind River Systems Inc.

    Notified:  March 05, 2003 Updated:  March 17, 2003

    Status

      Unknown

    Vendor Statement

    No statement is currently available from the vendor regarding this vulnerability.

    Vendor Information

    The vendor has not provided us with any further information regarding this vulnerability.

    Addendum

    The CERT/CC has no additional comments at this time.



    CVSS Metrics

    Group Score Vector
    Base N/A N/A
    Temporal N/A N/A
    Environmental N/A


    Credit

    The CERT/CC thanks Sam Hartman, Ken Raeburn, and Tom Yu of the Kerberos group at MIT for their detailed analysis and report of this vulnerability.

    This document was written by Chad R Dougherty.

    Other Information

    CVE IDs: CVE-2003-0139
    Severity Metric: 8.91
    Date Public: 2003-03-15
    Date First Published: 2003-03-20
    Date Last Updated: 2003-05-09 19:11 UTC
    Document Revision: 11

    Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.