search menu icon-carat-right cmu-wordmark

CERT Coordination Center

MIT Kerberos kadmind principal renaming stack buffer overflow

Vulnerability Note VU#554257

Original Release Date: 2007-06-26 | Last Revised: 2007-08-14

Overview

The MIT Kerberos administration daemon (kadmind) contains a stack buffer overflow that may allow a remote, authenticated attacker to execute arbitrary code or cause a denial of service.

Description

A vulnerability exists in the way the principal renaming operation used by the Kerberos administration daemon handles strings and a fixed-size stack buffer. This vulnerability may cause a buffer overflow vulnerability that could allow a remote, authenticated user to execute arbitrary code. According to MIT krb5 Security Advisory MITKRB5-SA-2007-005:

The kadmind code which performs the principal renaming operation passes unchecked string arguments to a sprintf() call which has a fixed-size stack buffer as its destination. These strings are the old and new principal names passed to the rename operation. The attacker needs to authenticate to kadmind to perform this attack, but no administrative privileges are required because the vulnerable code executes prior to privilege verification.
Note that this issue affects all releases of MIT krb5 up to and including krb5-1.6.1. MIT has been provided with proof-of-concept exploit code, but it's not clear whether the exploit code is publicly available yet.

Impact

A remote, authenticated user may be able to execute arbitrary code on an affected system or cause the affected program to crash, resulting in a denial of service. Secondary impacts of code execution include complete compromise of the Kerberos key database.

Solution

Apply a patch
A patch can be obtained from MIT krb5 Security Advisory MITKRB5-SA-2007-005. MIT also states that this will be addressed in the upcoming krb5-1.6.2 and krb5-1.5.4 releases.

Vendor Information

554257
 
Affected   Unknown   Unaffected

Debian GNU/Linux

Notified:  June 18, 2007 Updated:  July 30, 2007

Status

  Vulnerable

Vendor Statement

These vulnerabilities have been fixed in Debian GNU/Linux 4.0 (stable) in version 1.4.4-7etch2. and for Debian GNU/Linux 3.1 (oldstable) in version 1.3.6-2sarge5 via Debian Security Advisory 1323 as in <http://www.debian.org/security/2007/dsa-1323>

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Gentoo Linux

Notified:  June 18, 2007 Updated:  August 14, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see GLSA 200707-11.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Red Hat, Inc.

Notified:  June 18, 2007 Updated:  June 26, 2007

Status

  Vulnerable

Vendor Statement

These issues affect the krb5-server package available for Red Hat

Enterprise Linux 2.1, 3, 4, and 5. Updated packages to correct this
issue are available along with our advisories at the URLs below and
via Red Hat Network.

Red Hat Enterprise Linux 2.1, 3:
https://rhn.redhat.com/errata/RHSA-2007-0384.html

Red Hat Enterprise Linux 4, 5:
https://rhn.redhat.com/errata/RHSA-2007-0562.html

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sun Microsystems, Inc.

Notified:  June 18, 2007 Updated:  June 28, 2007

Status

  Vulnerable

Vendor Statement

Sun can confirm that Solaris 8, 9, and 10 are affected by the issue

described in CERT advisory VU#554257.

Sun has published Sun Alert 102985 which includes details of the
Solaris specific impact, contributing factors, workaround options
and resolution information, and is available here:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-102985-1

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ubuntu

Notified:  June 18, 2007 Updated:  June 27, 2007

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Ubuntu Security Notice USN-477-1.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CyberSafe, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Not Vulnerable

Vendor Statement

The vulnerabilities referenced in VU#365313 do not apply to CyberSafe
products, including all versions of TrustBroker, ActiveTRUST and
Challenger products.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Juniper Networks, Inc.

Notified:  June 18, 2007 Updated:  June 26, 2007

Status

  Not Vulnerable

Vendor Statement

Juniper Networks products do not use Kerberos, and are therefore not susceptible to this set of vulnerabilities.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Microsoft Corporation

Notified:  June 18, 2007 Updated:  June 19, 2007

Status

  Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Network Appliance, Inc.

Updated:  June 27, 2007

Status

  Not Vulnerable

Vendor Statement

NetApp does not ship kadmind.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Apple Computer, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

AttachmateWRQ, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Conectiva Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Cray Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

EMC Corporation

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Engarde Secure Linux

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

F5 Networks, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fedora Project

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

FreeBSD, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Fujitsu

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hewlett-Packard Company

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Hitachi

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM Corporation (zseries)

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

IBM eServer

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Immunix Communications, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Ingrian Networks, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

KTH Kerberos Team

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

MIT Kerberos Development Team

Notified:  June 13, 2007 Updated:  June 13, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Mandriva, Inc.

Notified:  June 18, 2007 Updated:  June 27, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Mandriva Advisory MDKSA-2007:137.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

MontaVista Software, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NEC Corporation

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

NetBSD

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Nokia

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Novell, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Openwall GNU/*/Linux

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

QNX, Software Systems, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

SUSE Linux

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Silicon Graphics, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Slackware Linux Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Sony Corporation

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

The SCO Group

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Trustix Secure Linux

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Turbolinux

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Unisys

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Wind River Systems, Inc.

Notified:  June 18, 2007 Updated:  June 18, 2007

Status

  Unknown

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

View all 45 vendors View less vendors


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to MIT for reporting this vulnerability, who in turn credit an anonymous discoverer working with iDefense.

This document was written by Will Dormann.

Other Information

CVE IDs: CVE-2007-2798
Severity Metric: 16.80
Date Public: 2007-06-26
Date First Published: 2007-06-26
Date Last Updated: 2007-08-14 20:06 UTC
Document Revision: 16

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.