IBM Information for VU#875073
Kerberos administration daemon vulnerable to buffer overflow
Vendor Information
- Date Notified: 24 Oct 2002
- Statement Date:
- Date Updated: 14 Feb 2003
The Kerberos V4 implementation shipped with the IBM pSeries Parallel Systems Support Programs (PSSP) is potentially vulnerable to the Kerberos V4 administration daemon (kadmind4) buffer overflow described in CERT Advisory CA-2002-29. For more information, see:
Click on the Service Flash for "Potential Kerberos V4 security vulnerability." That Service Flash also lists the APAR numbers and solution information.
The IBM Network Authentication Service (NAS) product is not vulnerable to the buffer overflow in the kadmind4 daemon: the kadmind4 daemon is not part of NAS. NAS is currently at release 1.3 and is available from the AIX Expansion Pack.
The vendor has not provided us with any further information regarding this vulnerability.
It is possible that PSSP and other IBM and third-party applications that use DCE or Kerberos 5 may also be vulnerable if they support Kerberos 4 administration.
If you have feedback, comments, or additional information about this vulnerability, please send us email.