ID CVE-2007-2798
Summary Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
References
Vulnerable Configurations
  • MIT Kerberos 5
    cpe:2.3:a:mit:kerberos:5
  • MIT Kerberos 5 5.0_1.1
    cpe:2.3:a:mit:kerberos:5-1.1
  • MIT Kerberos 5 1.2
    cpe:2.3:a:mit:kerberos:5-1.2
  • MIT Kerberos 5 1.2.1
    cpe:2.3:a:mit:kerberos:5-1.2.1
  • MIT Kerberos 5 1.2.2
    cpe:2.3:a:mit:kerberos:5-1.2.2
  • MIT Kerberos 5 1.2.3
    cpe:2.3:a:mit:kerberos:5-1.2.3
  • MIT Kerberos 5 1.2.4
    cpe:2.3:a:mit:kerberos:5-1.2.4
  • MIT Kerberos 5 1.2.5
    cpe:2.3:a:mit:kerberos:5-1.2.5
  • MIT Kerberos 5 1.2.6
    cpe:2.3:a:mit:kerberos:5-1.2.6
  • MIT Kerberos 5 1.2.7
    cpe:2.3:a:mit:kerberos:5-1.2.7
  • MIT Kerberos 5 1.2.8
    cpe:2.3:a:mit:kerberos:5-1.2.8
  • MIT Kerberos 5 1.3
    cpe:2.3:a:mit:kerberos:5-1.3
  • MIT Kerberos 5 1.3 alpha1
    cpe:2.3:a:mit:kerberos:5-1.3:alpha1
  • MIT Kerberos 5 1.3.1
    cpe:2.3:a:mit:kerberos:5-1.3.1
  • MIT Kerberos 5 1.3.2
    cpe:2.3:a:mit:kerberos:5-1.3.2
  • MIT Kerberos 5 1.3.3
    cpe:2.3:a:mit:kerberos:5-1.3.3
  • MIT Kerberos 5 1.3.4
    cpe:2.3:a:mit:kerberos:5-1.3.4
  • MIT Kerberos 5 1.3.5
    cpe:2.3:a:mit:kerberos:5-1.3.5
  • MIT Kerberos 5 1.3.6
    cpe:2.3:a:mit:kerberos:5-1.3.6
  • MIT Kerberos 5 1.4
    cpe:2.3:a:mit:kerberos:5-1.4
  • MIT Kerberos 5 1.4.1
    cpe:2.3:a:mit:kerberos:5-1.4.1
  • MIT Kerberos 5 1.4.2
    cpe:2.3:a:mit:kerberos:5-1.4.2
  • MIT Kerberos 5 1.4.3
    cpe:2.3:a:mit:kerberos:5-1.4.3
  • MIT Kerberos 5 1.4.4
    cpe:2.3:a:mit:kerberos:5-1.4.4
  • MIT Kerberos 5 1.5
    cpe:2.3:a:mit:kerberos:5-1.5
  • MIT Kerberos 5 1.5.1
    cpe:2.3:a:mit:kerberos:5-1.5.1
  • MIT Kerberos 5 1.5.2
    cpe:2.3:a:mit:kerberos:5-1.5.2
  • MIT Kerberos 5 1.5.3
    cpe:2.3:a:mit:kerberos:5-1.5.3
  • MIT Kerberos 5 1.6
    cpe:2.3:a:mit:kerberos:5-1.6
  • MIT Kerberos 5 1.6.1
    cpe:2.3:a:mit:kerberos:5-1.6.1
CVSS
Base: 7.4 (as of 27-06-2007 - 14:18)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like a MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
VectorComplexityAuthentication
ADJACENT_NETWORK MEDIUM SINGLE_INSTANCE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
nessus via4
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHSS_41166.NASL
    description s700_800 11.11 KRB5-Client Version 1.0 cumulative patch : Potential security vulnerabilities have been identified on HP-UX running Kerberos. These vulnerabilities could be exploited by remote unauthenticated users to create a Denial of Service (DoS) or to execute arbitrary code.
    last seen 2019-01-16
    modified 2018-07-12
    plugin id 47147
    published 2010-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47147
    title HP-UX PHSS_41166 : HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code (HPSBUX02544 SSRT100107 rev.1)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_120473.NASL
    description SunOS 5.10: libc nss ldap PAM zfs patch. Date this patch was last updated by Sun : Jul/11/07
    last seen 2018-09-02
    modified 2018-08-13
    plugin id 25069
    published 2007-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25069
    title Solaris 10 (sparc) : 120473-12
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2007-0006.NASL
    description Problems addressed by these patches : I Arbitrary code execution and denial of service vulnerabilities This release fixes a security vulnerability that could allow a guest operating system user with administrative privileges to cause memory corruption in a host process, and thus potentially execute arbitrary code on the host. (CVE-2007-4496) This release fixes a denial of service vulnerability that could allow a guest operating system to cause a host process to become unresponsive or exit unexpectedly. (CVE-2007-4497) Thanks to Rafal Wojtczvk of McAfee for identifying and reporting these issues. II Hosted products DHCP security vulnerabilities addressed This release fixes several vulnerabilities in the DHCP server that could enable a specially crafted packets to gain system-level privileges. (CVE-2007-0061, CVE-2007-0062, CVE-2007-0063) Thanks to Neel Mehta and Ryan Smith of the IBM Internet Security Systems X-Force for discovering and researching these vulnerabilities. III Windows based hosted product vulnerability in IntraProcessLogging.dll and vielib.dll. This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file IntraProcessLogging.dll to overwrite files in a system. (CVE-2007-4059) This release fixes a security vulnerability that could allow a malicious remote user to exploit the library file vielib.dll to overwrite files in a system. (CVE-2007-4155) Thanks to the Goodfellas Security Research Team for discovering and researching these vulnerabilities. IV Escalation of privileges on Windows hosted systems This release fixes a security vulnerability in which Workstation was starting registered Windows services in an insecure manner. This vulnerability could allow a malicious user to escalate user privileges. Thanks to Foundstone for discovering this vulnerability. V Potential denial of service using VMware Player This release fixes a problem that prevented VMware Player from launching. This problem was accompanied by the error message VMware Player unrecoverable error: (player) Exception 0xc0000005 (access violation) has occurred. VI ESX Service Console updates a. Service console package Samba, has been updated to address the following issues : Various bugs were found in NDR parsing, used to decode MS-RPC requests in Samba. A remote attacker could have sent carefully crafted requests causing a heap overflow, which may have led to the ability to execute arbitrary code on the server. (CVE-2007-2446) Unescaped user input parameters were being passed as arguments to /bin/sh. A remote, authenticated, user could have triggered this flaw and executed arbitrary code on the server. Additionally, this flaw could be triggered by a remote unauthenticated user if Samba was configured to use the non-default username map script option. (CVE-2007-2447) Thanks to the Samba developers, TippingPoint, and iDefense for identifying and reporting these issues. Note: These issues only affect the service console network, and are not remote vulnerabilities for ESX Server hosts that have been set up with the security best practices provided by VMware. http://www.vmware.com/resources/techresources/726 b. Updated bind package for the service console fixes a flaw with the way ISC BIND processed certain DNS query responses. ISC BIND (Berkeley Internet Name Domain) is an implementation of the DNS (Domain Name System) protocols. Under some circumstances, a malicious remote user could launch a Denial-of-Service attack on ESX Server hosts that had enabled DNSSEC validation. (CVE-2007-0494) Note: These issues only affect the service console network, and are not remote vulnerabilities for ESX Server hosts that have been set up with the security best practices provided by VMware. http://www.vmware.com/resources/techresources/726 c. This patch provides updated service console package krb5 update. The Common Vulnerabilities and Exposures project (cve.mitre.org) assigned the names CVE-2007-2442, CVE-2007-2443, and CVE-2007-2798 to these security issues. Thanks to Wei Wang of McAfee Avert Labs discovered these vulnerabilities. Note: The VMware service console does not provide the kadmind binary, and is not affected by these issues, but a update has been provided for completeness. d. Service console update for vixie-cron This patch provides an updated service console package vixie-cron. Cron is a standard UNIX daemon that runs specified programs at scheduled times. A denial of service issue was found in the way vixie-cron verified crontab file integrity. A local user with the ability to create a hardlink to /etc/crontab could potentially prevent vixie-cron from executing certain system cron jobs. (CVE-2007-1856) Thanks to Raphael Marichez for identifying this issue. e. Service console update for shadow-utils This patch provides an updated shadow-utils package. A new user's mailbox, when created, could have random permissions for a short period. This could enable a local malicious user to read or modify the mailbox. (CVE-2006-1174) f. Service console update for OpenLDAP This patch provides a updated OpenLDAP package. A flaw could allow users with selfwrite access to modify the distinguished name of any user, instead of being limited to modify only their own distinguished name. (CVE-2006-4600) g. Service console update for PAM This patch provides an updated PAM package A vulnerability was found that could allow console users with access to certain device files to cause damage to recordable CD drives. Certain file permissions have now been modified to disallow access. (CVE-2004-0813) A flaw was found with console device permissions. It was possible for various console devices to retain ownership of the previoius console user after logging out, which could result in leakage of information to an unauthorized user. (CVE-2007-1716) h. Service console update for GCC This patch provides security fixes for the service console GNU Compiler Collection (GCC) packages that include C, C++, Java, Fortran 77, Objective C, and Ada 95 GNU compilers and related support libraries. A flaw was found in the fastjar utility that could potentially allow a malicious user to create a JAR file which, if unpacked using fastjar, could write to any file that an authorized user had write access to. (CVE-2006-3619) Thanks to Jürgen Weigert for identifying this issue. i. Service Console update for GDB This patch provides a security fix for the service console GNU debugger (GDB). Various vulnerabilities were found in GDB. These vulnerabilities may allow a malicious user to deceive a user into loading debugging information into GDB, enabling the execution of arbitrary code with the privileges of the user. (CVE-2006-4146)
    last seen 2019-01-16
    modified 2018-08-06
    plugin id 40370
    published 2009-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40370
    title VMSA-2007-0006 : Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_110060.NASL
    description SEAM 1.0.1: patch for Solaris 8. Date this patch was last updated by Sun : Jul/24/07
    last seen 2017-10-29
    modified 2013-03-30
    plugin id 23323
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23323
    title Solaris 5.8 (sparc) : 110060-22
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_112925.NASL
    description SunOS 5.9: ktutil kdb5_util kadmin kadmin.local kadmind Patch. Date this patch was last updated by Sun : Nov/08/07
    last seen 2018-09-02
    modified 2014-08-30
    plugin id 13524
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13524
    title Solaris 9 (sparc) : 112925-08
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS10_X86_120037.NASL
    description SunOS 5.10_x86: libc nss ldap PAM zfs patc. Date this patch was last updated by Sun : Jul/17/07
    last seen 2018-09-01
    modified 2018-08-13
    plugin id 24384
    published 2007-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=24384
    title Solaris 10 (x86) : 120037-22
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2007-007.NASL
    description The remote host is running a version of Mac OS X 10.4 or 10.3 which does not have the security update 2007-007 applied. This update contains several security fixes for the following programs : - bzip2 - CFNetwork - CoreAudio - cscope - gnuzip - iChat - Kerberos - mDNSResponder - PDFKit - PHP - Quartz Composer - Samba - SquirrelMail - Tomcat - WebCore - WebKit
    last seen 2019-01-16
    modified 2018-07-14
    plugin id 25830
    published 2007-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25830
    title Mac OS X Multiple Vulnerabilities (Security Update 2007-007)
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHSS_41167.NASL
    description s700_800 11.23 KRB5-Client Version 1.0 Cumulative patch : Potential security vulnerabilities have been identified on HP-UX running Kerberos. These vulnerabilities could be exploited by remote unauthenticated users to create a Denial of Service (DoS) or to execute arbitrary code.
    last seen 2019-01-16
    modified 2018-07-12
    plugin id 47148
    published 2010-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47148
    title HP-UX PHSS_41167 : HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code (HPSBUX02544 SSRT100107 rev.1)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_110061.NASL
    description SEAM 1.0.1_x86: patch for Solaris 8_x86. Date this patch was last updated by Sun : Jul/27/07
    last seen 2016-09-26
    modified 2013-03-30
    plugin id 36315
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36315
    title Solaris 5.8 (sparc) : 110061-22
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS8_X86_110061.NASL
    description SEAM 1.0.1_x86: patch for Solaris 8_x86. Date this patch was last updated by Sun : Jul/27/07
    last seen 2016-09-26
    modified 2013-03-30
    plugin id 23444
    published 2006-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=23444
    title Solaris 5.8 (x86) : 110061-22
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS9_X86_116044.NASL
    description SunOS 5.9_x86: kadmind & kdb5_util patch. Date this patch was last updated by Sun : Aug/10/07
    last seen 2018-09-01
    modified 2014-08-30
    plugin id 13624
    published 2004-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=13624
    title Solaris 9 (x86) : 116044-04
  • NASL family HP-UX Local Security Checks
    NASL id HPUX_PHSS_41168.NASL
    description s700_800 11.31 KRB5-Client Version 1.3.5.03 Cumulative patch : Potential security vulnerabilities have been identified on HP-UX running Kerberos. These vulnerabilities could be exploited by remote unauthenticated users to create a Denial of Service (DoS) or to execute arbitrary code.
    last seen 2019-01-16
    modified 2018-07-12
    plugin id 47149
    published 2010-06-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=47149
    title HP-UX PHSS_41168 : HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code (HPSBUX02544 SSRT100107 rev.1)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200707-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-200707-11 (MIT Kerberos 5: Arbitrary remote code execution) kadmind is affected by multiple vulnerabilities in the RPC library shipped with MIT Kerberos 5. It fails to properly handle zero-length RPC credentials (CVE-2007-2442) and the RPC library can write past the end of the stack buffer (CVE-2007-2443). Furthermore kadmind fails to do proper bounds checking (CVE-2007-2798). Impact : A remote unauthenticated attacker could exploit these vulnerabilities to execute arbitrary code with root privileges. Workaround : There is no known workaround at this time.
    last seen 2019-01-16
    modified 2015-04-13
    plugin id 25793
    published 2007-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25793
    title GLSA-200707-11 : MIT Kerberos 5: Arbitrary remote code execution
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0562.NASL
    description Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 25580
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25580
    title CentOS 4 / 5 : krb5 (CESA-2007:0562)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0562.NASL
    description From Red Hat Security Advisory 2007:0562 : Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen 2019-01-16
    modified 2018-07-18
    plugin id 67535
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67535
    title Oracle Linux 4 / 5 : krb5 (ELSA-2007-0562)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-477-1.NASL
    description Wei Wang discovered that the krb5 RPC library did not correctly handle certain error conditions. A remote attacker could cause kadmind to free an uninitialized pointer, leading to a denial of service or possibly execution of arbitrary code with root privileges. (CVE-2007-2442) Wei Wang discovered that the krb5 RPC library did not correctly check the size of certain communications. A remote attacker could send a specially crafted request to kadmind and execute arbitrary code with root privileges. (CVE-2007-2443) It was discovered that the kadmind service could be made to overflow its stack. A remote attacker could send a specially crafted request and execute arbitrary code with root privileges. (CVE-2007-2798). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2018-11-28
    plugin id 28078
    published 2007-11-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=28078
    title Ubuntu 6.06 LTS / 6.10 / 7.04 : krb5 vulnerabilities (USN-477-1)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0384.NASL
    description Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) For Red Hat Enterprise Linux 2.1, several portability bugs which would lead to unexpected crashes on the ia64 platform have also been fixed. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen 2019-01-16
    modified 2018-11-16
    plugin id 25604
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25604
    title RHEL 2.1 / 3 : krb5 (RHSA-2007:0384)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1323.NASL
    description Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-2442 Wei Wang discovered that the free of an uninitialised pointer in the Kerberos RPC library may lead to the execution of arbitrary code. - CVE-2007-2443 Wei Wang discovered that insufficient input sanitising in the Kerberos RPC library may lead to the execution of arbitrary code. - CVE-2007-2798 It was discovered that a buffer overflow in the Kerberos administration daemon may lead to the execution of arbitrary code.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 25628
    published 2007-07-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25628
    title Debian DSA-1323-1 : krb5 - several vulnerabilities
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-3821.NASL
    description This update fixes a stack-based buffer overflow in kadmind which can be exploited by authenticated remote users to gain root. (CVE-2007-2798) Additionally two bugs in the RPC library of kadmind were fixed that can lead to remote system compromise. (CVE-2007-2442 / CVE-2007-2443) Note that third-party applications using the RPC library are vulnerable, too.
    last seen 2019-01-16
    modified 2013-03-30
    plugin id 29493
    published 2007-12-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=29493
    title SuSE 10 Security Update : krb5 (ZYPP Patch Number 3821)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2007-0562.NASL
    description Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 4 and 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen 2019-01-16
    modified 2018-11-16
    plugin id 25611
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25611
    title RHEL 4 / 5 : krb5 (RHSA-2007:0562)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2007-0740.NASL
    description This update incorporates fixes for a stack-based buffer overflow and heap corruption in the RPC library, and a fix for a potential stack-based buffer overflow in kadmind. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-01-16
    modified 2015-10-21
    plugin id 27678
    published 2007-11-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27678
    title Fedora 7 : krb5-1.6.1-2.1.fc7 (2007-0740)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2007-137.NASL
    description David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who could access kadmind could trigger the flaw causing kadmind to crash or possibly execute arbitrary code (CVE-2007-2442). David Coffey also discovered an overflow flaw in the same RPC library. A remote unauthenticated attacker who could access kadmind could trigger the flaw causing kadmind to crash or possibly execute arbitrary code (CVE-2007-2443). Finally, a stack-based buffer overflow vulnerability was found in kadmind that allowed an unauthenticated user able to access kadmind the ability to trigger the vulnerability and possibly execute arbitrary code (CVE-2007-2798). Updated packages have been patched to prevent this issue.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 25603
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25603
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2007:137)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-3820.NASL
    description This update fixes a stack-based buffer overflow in kadmind which can be exploited by authenticated remote users to gain root. (CVE-2007-2798) Additionally two bugs in the RPC library of kadmind were fixed that can lead to remote system compromise. (CVE-2007-2442, CVE-2007-2443) Note that third-party applications using the RPC library are vulnerable, too.
    last seen 2019-01-16
    modified 2018-07-19
    plugin id 27309
    published 2007-10-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=27309
    title openSUSE 10 Security Update : krb5 (krb5-3820)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070626_KRB5_ON_SL3.NASL
    description David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Scientific Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798)
    last seen 2019-01-16
    modified 2019-01-07
    plugin id 60218
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60218
    title Scientific Linux Security Update : krb5 on SL3.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2007-0384.NASL
    description From Red Hat Security Advisory 2007:0384 : Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) For Red Hat Enterprise Linux 2.1, several portability bugs which would lead to unexpected crashes on the ia64 platform have also been fixed. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen 2019-01-16
    modified 2015-12-01
    plugin id 67503
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67503
    title Oracle Linux 3 : krb5 (ELSA-2007-0384)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20070626_KRB5_ON_SL5_X.NASL
    description David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. On Scientific Linux 4 and 5, glibc detects attempts to free invalid pointers. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Scientific Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798)
    last seen 2019-01-16
    modified 2019-01-07
    plugin id 60219
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60219
    title Scientific Linux Security Update : krb5 on SL5.x, SL4.x, SL3.x i386/x86_64
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2007-0384.NASL
    description Updated krb5 packages that fix several security flaws are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. kadmind is the KADM5 administration server. David Coffey discovered an uninitialized pointer free flaw in the RPC library used by kadmind. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash or potentially execute arbitrary code as root. (CVE-2007-2442) David Coffey also discovered an overflow flaw in the RPC library used by kadmind. On Red Hat Enterprise Linux, exploitation of this flaw is limited to a denial of service. A remote unauthenticated attacker who can access kadmind could trigger this flaw and cause kadmind to crash. (CVE-2007-2443) A stack-based buffer overflow flaw was found in kadmind. An authenticated attacker who can access kadmind could trigger this flaw and potentially execute arbitrary code on the Kerberos server. (CVE-2007-2798) For Red Hat Enterprise Linux 2.1, several portability bugs which would lead to unexpected crashes on the ia64 platform have also been fixed. Users of krb5-server are advised to update to these erratum packages which contain backported fixes to correct these issues.
    last seen 2019-01-16
    modified 2018-11-10
    plugin id 25574
    published 2007-06-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=25574
    title CentOS 3 : krb5 (CESA-2007:0384)
oval via4
  • accepted 2007-11-16T08:14:19.297-05:00
    class vulnerability
    contributors
    • name Nicholas Hansen
      organization Opsware, Inc.
    • name Nicholas Hansen
      organization Opsware, Inc.
    definition_extensions
    • comment Solaris 8 (SPARC) is installed
      oval oval:org.mitre.oval:def:1539
    • comment Solaris 8 (x86) is installed
      oval oval:org.mitre.oval:def:2059
    • comment Solaris 9 (SPARC) is installed
      oval oval:org.mitre.oval:def:1457
    • comment Solaris 9 (x86) is installed
      oval oval:org.mitre.oval:def:1683
    • comment Solaris 10 (SPARC) is installed
      oval oval:org.mitre.oval:def:1440
    • comment Solaris 10 (x86) is installed
      oval oval:org.mitre.oval:def:1926
    description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
    family unix
    id oval:org.mitre.oval:def:1726
    status accepted
    submitted 2007-06-28T09:00:00.000-04:00
    title Security Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code Execution
    version 32
  • accepted 2015-04-20T04:02:34.917-04:00
    class vulnerability
    contributors
    • name Chandan M C
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
    family unix
    id oval:org.mitre.oval:def:7550
    status accepted
    submitted 2010-10-25T11:35:23.000-05:00
    title HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code
    version 43
  • accepted 2013-04-29T04:24:00.367-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
    family unix
    id oval:org.mitre.oval:def:9996
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
    version 24
redhat via4
advisories
  • bugzilla
    id 245549
    title CVE-2007-2798 krb5 kadmind buffer overflow
    oval
    AND
    • comment Red Hat Enterprise Linux 3 is installed
      oval oval:com.redhat.rhsa:tst:20060015001
    • OR
      • AND
        • comment krb5-devel is earlier than 0:1.2.7-66
          oval oval:com.redhat.rhsa:tst:20070384004
        • comment krb5-devel is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070095007
      • AND
        • comment krb5-libs is earlier than 0:1.2.7-66
          oval oval:com.redhat.rhsa:tst:20070384006
        • comment krb5-libs is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070095003
      • AND
        • comment krb5-server is earlier than 0:1.2.7-66
          oval oval:com.redhat.rhsa:tst:20070384002
        • comment krb5-server is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070095009
      • AND
        • comment krb5-workstation is earlier than 0:1.2.7-66
          oval oval:com.redhat.rhsa:tst:20070384008
        • comment krb5-workstation is signed with Red Hat master key
          oval oval:com.redhat.rhsa:tst:20070095005
    rhsa
    id RHSA-2007:0384
    released 2007-06-26
    severity Critical
    title RHSA-2007:0384: krb5 security update (Critical)
  • bugzilla
    id 245549
    title CVE-2007-2798 krb5 kadmind buffer overflow
    oval
    OR
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhsa:tst:20060016001
      • OR
        • AND
          • comment krb5-devel is earlier than 0:1.3.4-49
            oval oval:com.redhat.rhsa:tst:20070562004
          • comment krb5-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070095007
        • AND
          • comment krb5-libs is earlier than 0:1.3.4-49
            oval oval:com.redhat.rhsa:tst:20070562006
          • comment krb5-libs is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070095003
        • AND
          • comment krb5-server is earlier than 0:1.3.4-49
            oval oval:com.redhat.rhsa:tst:20070562008
          • comment krb5-server is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070095009
        • AND
          • comment krb5-workstation is earlier than 0:1.3.4-49
            oval oval:com.redhat.rhsa:tst:20070562002
          • comment krb5-workstation is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20070095005
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhsa:tst:20070055001
      • OR
        • AND
          • comment krb5-devel is earlier than 0:1.5-26
            oval oval:com.redhat.rhsa:tst:20070562011
          • comment krb5-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095021
        • AND
          • comment krb5-libs is earlier than 0:1.5-26
            oval oval:com.redhat.rhsa:tst:20070562015
          • comment krb5-libs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095019
        • AND
          • comment krb5-server is earlier than 0:1.5-26
            oval oval:com.redhat.rhsa:tst:20070562017
          • comment krb5-server is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095023
        • AND
          • comment krb5-workstation is earlier than 0:1.5-26
            oval oval:com.redhat.rhsa:tst:20070562013
          • comment krb5-workstation is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095017
    rhsa
    id RHSA-2007:0562
    released 2007-06-26
    severity Important
    title RHSA-2007:0562: krb5 security update (Important)
rpms
  • krb5-devel-0:1.2.7-66
  • krb5-libs-0:1.2.7-66
  • krb5-server-0:1.2.7-66
  • krb5-workstation-0:1.2.7-66
  • krb5-devel-0:1.3.4-49
  • krb5-libs-0:1.3.4-49
  • krb5-server-0:1.3.4-49
  • krb5-workstation-0:1.3.4-49
  • krb5-devel-0:1.5-26
  • krb5-libs-0:1.5-26
  • krb5-server-0:1.5-26
  • krb5-workstation-0:1.5-26
refmap via4
apple APPLE-SA-2007-07-31
bid
  • 24653
  • 25159
bugtraq
  • 20070626 MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow
  • 20070628 FLEA-2007-0029-1: krb5 krb5-workstation
  • 20070629 TSLSA-2007-0021 - kerberos5
cert TA07-177A
cert-vn VU#554257
confirm
debian DSA-1323
fulldisc 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
gentoo GLSA-200707-11
hp
  • HPSBUX02544
  • SSRT100107
idefense 20070626 Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability
mandriva MDKSA-2007:137
osvdb 36595
sectrack 1018295
secunia
  • 25800
  • 25801
  • 25814
  • 25821
  • 25870
  • 25875
  • 25888
  • 25890
  • 25894
  • 25911
  • 26033
  • 26228
  • 26235
  • 26909
  • 27706
  • 40346
sgi 20070602-01-P
sunalert 102985
suse SUSE-SA:2007:038
trustix 2007-0021
ubuntu USN-477-1
vupen
  • ADV-2007-2337
  • ADV-2007-2370
  • ADV-2007-2491
  • ADV-2007-2732
  • ADV-2007-3229
  • ADV-2010-1574
xf kerberos-renameprincipal2svc-bo(35080)
Last major update 30-10-2012 - 22:36
Published 26-06-2007 - 18:30
Last modified 16-10-2018 - 12:45
Back to Top