ID CVE-2004-0523
Summary Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
References
Vulnerable Configurations
  • cpe:2.3:a:mit:kerberos:1.0
    cpe:2.3:a:mit:kerberos:1.0
  • cpe:2.3:a:mit:kerberos:1.0.8
    cpe:2.3:a:mit:kerberos:1.0.8
  • cpe:2.3:a:mit:kerberos:1.2.2.beta1
    cpe:2.3:a:mit:kerberos:1.2.2.beta1
  • MIT Kerberos 5 5.0_1.1
    cpe:2.3:a:mit:kerberos:5-1.1
  • MIT Kerberos 5 1.2
    cpe:2.3:a:mit:kerberos:5-1.2
  • MIT Kerberos 5 1.2.1
    cpe:2.3:a:mit:kerberos:5-1.2.1
  • MIT Kerberos 5 1.2.2
    cpe:2.3:a:mit:kerberos:5-1.2.2
  • MIT Kerberos 5 1.2.3
    cpe:2.3:a:mit:kerberos:5-1.2.3
  • MIT Kerberos 5 1.2.4
    cpe:2.3:a:mit:kerberos:5-1.2.4
  • MIT Kerberos 5 1.2.5
    cpe:2.3:a:mit:kerberos:5-1.2.5
  • MIT Kerberos 5 1.2.6
    cpe:2.3:a:mit:kerberos:5-1.2.6
  • MIT Kerberos 5 1.2.7
    cpe:2.3:a:mit:kerberos:5-1.2.7
  • MIT Kerberos 5 1.3
    cpe:2.3:a:mit:kerberos:5-1.3
  • MIT Kerberos 5 1.3 alpha1
    cpe:2.3:a:mit:kerberos:5-1.3:alpha1
  • MIT Kerberos 5 krb5_1.0
    cpe:2.3:a:mit:kerberos:5_1.0
  • MIT Kerberos 5 1.0.6
    cpe:2.3:a:mit:kerberos:5_1.0.6
  • MIT Kerberos 5 1.1
    cpe:2.3:a:mit:kerberos:5_1.1
  • MIT Kerberos 5 1.1.1
    cpe:2.3:a:mit:kerberos:5_1.1.1
  • MIT Kerberos 5 5.0_1.2 Beta1
    cpe:2.3:a:mit:kerberos:5_1.2:beta1
  • MIT Kerberos 5 5.0_1.2 Beta2
    cpe:2.3:a:mit:kerberos:5_1.2:beta2
  • MIT Kerberos 5 5.0_1.3.3
    cpe:2.3:a:mit:kerberos:5_1.3.3
  • SGI ProPack 2.4
    cpe:2.3:a:sgi:propack:2.4
  • SGI ProPack 3.0
    cpe:2.3:a:sgi:propack:3.0
  • Sun SEAM 1.0
    cpe:2.3:a:sun:seam:1.0
  • Sun SEAM 1.0.1
    cpe:2.3:a:sun:seam:1.0.1
  • Sun SEAM 1.0.2
    cpe:2.3:a:sun:seam:1.0.2
  • cpe:2.3:a:tinysofa:tinysofa_enterprise_server:1.0
    cpe:2.3:a:tinysofa:tinysofa_enterprise_server:1.0
  • cpe:2.3:a:tinysofa:tinysofa_enterprise_server:1.0_u1
    cpe:2.3:a:tinysofa:tinysofa_enterprise_server:1.0_u1
  • cpe:2.3:o:sun:solaris:8.0:-:x86
    cpe:2.3:o:sun:solaris:8.0:-:x86
  • cpe:2.3:o:sun:solaris:9.0:-:sparc
    cpe:2.3:o:sun:solaris:9.0:-:sparc
  • cpe:2.3:o:sun:solaris:9.0:-:x86
    cpe:2.3:o:sun:solaris:9.0:-:x86
  • Sun SunOS (Solaris 8) 5.8
    cpe:2.3:o:sun:sunos:5.8
CVSS
Base: 10.0 (as of 01-01-2004 - 00:00)
Impact:
Exploitability:
Access Vector: NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
nessus via4
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_115168.NASL
    description SunOS 5.9_x86: krb5, gss patch. Date this patch was last updated by Sun : Sep/14/10
    last seen 2018-09-01
    modified 2016-12-09
    plugin id 13620
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13620
    title Solaris 9 (x86) : 115168-24
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_112908.NASL
    description SunOS 5.9: krb5, gss patch. Date this patch was last updated by Sun : Sep/14/10
    last seen 2018-09-01
    modified 2016-12-09
    plugin id 13520
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13520
    title Solaris 9 (sparc) : 112908-38
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2004-056.NASL
    description Multiple buffer overflows exist in the krb5_aname_to_localname() library function that if exploited could lead to unauthorized root privileges. In order to exploit this flaw, an attacker must first successfully authenticate to a vulnerable service, which must be configured to enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname, which is not a default configuration. Mandrakesoft encourages all users to upgrade to these patched krb5 packages. Update : The original patch provided contained a bug where rule-based entries on systems without HAVE_REGCOMP would not work. These updated packages provide the second patch provided by Kerberos development team which fixes that behaviour.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 14155
    published 2004-07-31
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14155
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2004:056-1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200406-21.NASL
    description The remote host is affected by the vulnerability described in GLSA-200406-21 (mit-krb5: Multiple buffer overflows in krb5_aname_to_localname) The library function krb5_aname_to_localname() contains multiple buffer overflows. This is only exploitable if explicit mapping or rules-based mapping is enabled. These are not enabled by default. With explicit mapping enabled, an attacker must authenticate using a principal name listed in the explicit mapping list. With rules-based mapping enabled, an attacker must first be able to create arbitrary principal names either in the local Kerberos realm or in a remote realm from which the local realm's services are reachable by cross-realm authentication. Impact : An attacker could use these vulnerabilities to execute arbitrary code with the permissions of the user running mit-krb5, which could be the root user. Workaround : There is no known workaround at this time. All users are encouraged to upgrade to the latest available version.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 14532
    published 2004-08-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14532
    title GLSA-200406-21 : mit-krb5: Multiple buffer overflows in krb5_aname_to_localname
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD20040907.NASL
    description The remote host is missing Security Update 2004-09-07. This security update fixes the following components : - CoreFoundation - IPSec - Kerberos - libpcap - lukemftpd - NetworkConfig - OpenLDAP - OpenSSH - PPPDialer - rsync - Safari - tcpdump These applications contain multiple vulnerabilities that may allow a remote attacker to execute arbitrary code.
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 14676
    published 2004-09-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=14676
    title Mac OS X Multiple Vulnerabilities (Security Update 2004-09-07)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-150.NASL
    description Bugs have been fixed in the krb5_aname_to_localname library function. Specifically, buffer overflows were possible for all Kerberos versions up to and including 1.3.3. The krb5_aname_to_localname function translates a Kerberos principal name to a local account name, typically a UNIX username. This function is frequently used when performing authorization checks. If configured with mappings from particular Kerberos principals to particular UNIX user names, certain functions called by krb5_aname_to_localname will not properly check the lengths of buffers used to store portions of the principal name. If configured to map principals to user names using rules, krb5_aname_to_localname would consistently write one byte past the end of a buffer allocated from the heap. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0523 to this issue. Only configurations which enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are vulnerable. These configurations are not the default. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 13711
    published 2004-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13711
    title Fedora Core 2 : krb5-1.3.3-7 (2004-150)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2004-149.NASL
    description Bugs have been fixed in the krb5_aname_to_localname library function. Specifically, buffer overflows were possible for all Kerberos versions up to and including 1.3.3. The krb5_aname_to_localname function translates a Kerberos principal name to a local account name, typically a UNIX username. This function is frequently used when performing authorization checks. If configured with mappings from particular Kerberos principals to particular UNIX user names, certain functions called by krb5_aname_to_localname will not properly check the lengths of buffers used to store portions of the principal name. If configured to map principals to user names using rules, krb5_aname_to_localname would consistently write one byte past the end of a buffer allocated from the heap. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0523 to this issue. Only configurations which enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are vulnerable. These configurations are not the default. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 13710
    published 2004-07-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13710
    title Fedora Core 1 : krb5-1.3.3-6 (2004-149)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2004-236.NASL
    description Updated Kerberos 5 (krb5) packages which correct buffer overflows in the krb5_aname_to_localname function are now available. Kerberos is a network authentication system. Bugs have been fixed in the krb5_aname_to_localname library function. Specifically, buffer overflows were possible for all Kerberos versions up to and including 1.3.3. The krb5_aname_to_localname function translates a Kerberos principal name to a local account name, typically a UNIX username. This function is frequently used when performing authorization checks. If configured with mappings from particular Kerberos principals to particular UNIX user names, certain functions called by krb5_aname_to_localname will not properly check the lengths of buffers used to store portions of the principal name. If configured to map principals to user names using rules, krb5_aname_to_localname would consistently write one byte past the end of a buffer allocated from the heap. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0523 to this issue. Only configurations which enable the explicit mapping or rules-based mapping functionality of krb5_aname_to_localname() are vulnerable. These configurations are not the default. Users of Kerberos are advised to upgrade to these erratum packages which contain backported security patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 12502
    published 2004-07-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=12502
    title RHEL 2.1 / 3 : krb5 (RHSA-2004:236)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS7_X86_112537.NASL
    description SEAM 1.0 Jumbo patch for Solaris 2.7_x86. Date this patch was last updated by Sun : Oct/03/05
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 23294
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23294
    title Solaris 7 (x86) : 112537-06
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-520.NASL
    description In their advisory MITKRB5-SA-2004-001, the MIT Kerberos team announced the existence of buffer overflow vulnerabilities in the krb5_aname_to_localname function. This function is only used if aname_to_localname is enabled in the configuration (this is not enabled by default).
    last seen 2019-02-21
    modified 2018-07-20
    plugin id 15357
    published 2004-09-29
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=15357
    title Debian DSA-520-1 : krb5 - buffer overflows
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS7_112536.NASL
    description SEAM 1.0 Jumbo patch for Solaris 2.7. Date this patch was last updated by Sun : Oct/03/05
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 23248
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23248
    title Solaris 7 (sparc) : 112536-06
oval via4
  • accepted 2013-04-29T04:04:23.104-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    description Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
    family unix
    id oval:org.mitre.oval:def:10295
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
    version 23
  • accepted 2006-09-27T12:29:12.225-04:00
    class vulnerability
    contributors
    • name Brian Soby
      organization The MITRE Corporation
    • name Brian Soby
      organization The MITRE Corporation
    • name Matthew Wojcik
      organization The MITRE Corporation
    description Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
    family unix
    id oval:org.mitre.oval:def:2002
    status accepted
    submitted 2004-10-11T12:00:00.000-04:00
    title Multiple Buffer Overflows in Kerberos 5 (krb5_aname_to_localname)
    version 32
  • accepted 2011-05-09T04:01:44.632-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Nabil Ouchn
      organization Security-Database
    • name Shane Shaffer
      organization G2, Inc.
    description Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
    family unix
    id oval:org.mitre.oval:def:724
    status accepted
    submitted 2006-09-22T05:52:00.000-04:00
    title MIT Kerberos 5 KRB5_AName_To_Localname Multiple Principal Name Buffer Overrun Vulnerabilities
    version 34
  • accepted 2014-06-09T04:01:50.447-04:00
    class vulnerability
    contributors
    • name Jay Beale
      organization Bastille Linux
    • name Thomas R. Jones
      organization Maitreya Security
    • name Jerome Athias
      organization McAfee, Inc.
    description Multiple buffer overflows in krb5_aname_to_localname for MIT Kerberos 5 (krb5) 1.3.3 and earlier allow remote attackers to execute arbitrary code as root.
    family unix
    id oval:org.mitre.oval:def:991
    status accepted
    submitted 2004-06-29T12:00:00.000-04:00
    title Multiple BO Vulnerabilities in MIT Kerberos 5
    version 35
redhat via4
advisories
rhsa
id RHSA-2004:236
refmap via4
bid 10448
bugtraq
  • 20040601 MITKRB5-SA-2004-001: buffer overflows in krb5_aname_to_localname
  • 20040602 TSSA-2004-009 - kerberos5
cert-vn VU#686862
conectiva CLA-2004:860
debian DSA-520
fedora FEDORA-2004-149
gentoo GLSA-200406-21
mandrake MDKSA-2004:056
sgi
  • 20040604-01-U
  • 20040605-01-U
sunalert 101512
trustix 2004-0032
xf Kerberos-krb5anametolocalname-bo(16268)
Last major update 17-10-2016 - 22:45
Published 18-08-2004 - 00:00
Last modified 30-10-2018 - 12:25