Vulnerability Note VU#686862
MIT Kerberos 5 krb5_aname_to_localname() contains several heap overflows
MIT Kerberos 5 contains several heap buffer overflow vulnerabilities in code that translates Kerberos principal names to local UNIX account names. An authenticated, remote attacker could execute arbitrary code on a vulnerable system with root privileges.
MIT Kerberos 5 contains several heap buffer overflow vulnerabilities in a library that translates Kerberos principal names to local UNIX account names. From MIT krb5 Security Advisory 2004-001:
krb5_aname_to_localname() translates a Kerberos principal name to a local account name, typically a UNIX username. In the file src/lib/krb5/os/an_to_ln.c, the helper functions aname_replacer(), do_replacement(), and rule_an_to_ln() do not perform adequate checks of the lengths of strings which contain the name of the principal whose authorization is being checked.
Only Kerberos-enabled services that enable explicit or rules-based krb5_aname_to_localname() mapping are vulnerable. In the case of the explicit mapping vulnerability, the attacker would need to authenticate using a principal name that is present in the explicit mapping list. In the case of the rules-based mapping vulnerabilities, the attacker would need the ability to create specially crafted principal names in the local realm or in a realm accessible via cross-realm authentication.
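To check whether a host meets the exposure condition above, the following added example (not part of the original note or of MIT's code) lists the realms in a krb5.conf that configure explicit or rules-based mapping. It assumes the standard krb5.conf relations `auth_to_local` (with `RULE:` values) and `auth_to_local_names` in the `[realms]` section, which this note does not name; the sample configuration and realm names are constructed.

```python
import re

# Constructed sample krb5.conf; realm names and mappings are illustrative only.
SAMPLE_KRB5_CONF = r"""
[libdefaults]
    default_realm = EXAMPLE.COM
[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
        auth_to_local = RULE:[2:$1@$0](.*@PARTNER\.EXAMPLE)s/@.*//
        auth_to_local = DEFAULT
    }
    LEGACY.EXAMPLE = {
        auth_to_local_names = {
            alice/admin = root
        }
    }
    PLAIN.EXAMPLE = {
        kdc = kdc.plain.example
    }
"""

def audit_aname_mappings(conf_text):
    """Return {realm: {"rules": [...], "explicit": [...]}} for every realm
    that configures rules-based or explicit principal-to-localname mapping."""
    findings = {}
    section = realm = None
    in_names = False                      # inside an auth_to_local_names block
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":   # skip blanks and comments
            continue
        header = re.fullmatch(r"\[(\w+)\]", line)
        if header:
            section, realm, in_names = header.group(1), None, False
            continue
        if section != "realms":
            continue
        if line == "}":                   # closes the names block or the realm
            if in_names:
                in_names = False
            else:
                realm = None
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        if realm is None and value == "{":
            realm = key
        elif in_names:                    # explicit mapping: principal = local name
            entry = findings.setdefault(realm, {"rules": [], "explicit": []})
            entry["explicit"].append((key, value))
        elif key == "auth_to_local_names" and value == "{":
            in_names = True
        elif key == "auth_to_local" and value.startswith("RULE:"):
            entry = findings.setdefault(realm, {"rules": [], "explicit": []})
            entry["rules"].append(value)
    return findings
```

Realms that appear in the result use one of the two mapping modes this note identifies as the precondition for the overflows; a realm with only `DEFAULT` mapping or no mapping relations is not reported.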
An authenticated, remote attacker could execute arbitrary code on a system using krb5_aname_to_localname() mapping. The vulnerable library is loaded by services that use Kerberos authentication (e.g., telnetd, klogind), and in most cases these services run with root privileges.
Apply a patch or upgrade
Systems Affected

| Vendor | Status | Date Notified | Date Updated |
|---|---|---|---|
| Apple Computer Inc. | Affected | 02 Jun 2004 | 10 May 2005 |
| Conectiva | Affected | 02 Jun 2004 | 03 Jun 2004 |
| Debian | Affected | 02 Jun 2004 | 03 Jun 2004 |
| MIT Kerberos Development Team | Affected | - | 02 Jun 2004 |
| tinysofa | Affected | - | 03 Jun 2004 |
| Trustix Secure Linux | Affected | - | 03 Jun 2004 |
| Microsoft Corporation | Not Affected | 02 Jun 2004 | 03 Jun 2004 |
| SuSE Inc. | Not Affected | 02 Jun 2004 | 03 Jun 2004 |
| WRQ | Not Affected | 02 Jun 2004 | 03 Jun 2004 |
| Cray Inc. | Unknown | - | 03 Jun 2004 |
| EMC Corporation | Unknown | - | 03 Jun 2004 |
| FreeBSD | Unknown | - | 03 Jun 2004 |
| Fujitsu | Unknown | - | 03 Jun 2004 |
| Guardian Digital Inc. | Unknown | - | 03 Jun 2004 |
| Heimdal Kerberos Project | Unknown | - | 03 Jun 2004 |
This vulnerability was reported by the MIT Kerberos Development Team.
This document was written by Art Manion.
- CVE IDs: Unknown
- Date Public: 02 Jun 2004
- Date First Published: 02 Jun 2004
- Date Last Updated: 28 Jun 2004
- Severity Metric: 6.43
- Document Revision: 17