The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known whether an exploitable attack scenario exists for these issues.

Various return checks of setuid() and seteuid() calls have been fixed in kerberos client and server applications.

If these applications are setuid, it might have been possible for local attackers to gain root access. (CVE-2006-3083)

We are not affected by the seteuid() problems, tracked by CVE-2006-3084.

Michael Calmer and Marcus Meissner discovered that several krb5 tools did not check the return values from setuid() system calls. On systems that have configured user process limits, it may be possible for an attacker to cause setuid() to fail via resource starvation. In that situation, the tools will not reduce their privilege levels, and will continue operation as the root user.

By default, Ubuntu does not ship with user process limits.

Please note that these packages are not officially supported by Ubuntu (they are in the 'universe' component of the archive).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Various flaws have been reported that allow an attacker to execute arbitrary code with user privileges by tricking the user into opening a malicious email containing JavaScript. Please note that JavaScript is disabled by default for emails, and it is not recommended to enable it. (CVE-2006-3113, CVE-2006-3802, CVE-2006-3803, CVE-2006-3805, CVE-2006-3806, CVE-2006-3807, CVE-2006-3809, CVE-2006-3810, CVE-2006-3811, CVE-2006-3812)

A buffer overflow has been discovered in the handling of .vcard files.
By tricking a user into importing a malicious vcard into his contacts, this could be exploited to execute arbitrary code with the user's privileges. (CVE-2006-3084)

The 'enigmail' plugin has been updated to work with the new Thunderbird version.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Various return checks of setuid() and seteuid() calls have been fixed in kerberos client and server applications.

If these applications are setuid, it might have been possible for local attackers to gain root access (CVE-2006-3083).

We are not affected by the seteuid() problems, tracked by CVE-2006-3084.

This update incorporates a fix for a recently-announced bug found in the kadmind daemon.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was discovered in some bundled Kerberos-aware packages that would fail to check the results of the setuid() call. This call can fail in some circumstances on the Linux 2.6 kernel if certain user limits are reached, which could be abused by a local attacker to get the applications to continue to run as root, possibly leading to an elevation of privilege.

Updated packages have been patched to correct this issue.

In certain application programs packaged in the MIT Kerberos 5 source distribution, calls to setuid() and seteuid() are not always checked for success and may fail with some PAM configurations. A local user could exploit one of these vulnerabilities to result in privilege escalation. No exploit code is known to exist at this time.

The remote host is affected by the vulnerability described in GLSA-200608-21 (Heimdal: Multiple local privilege escalation vulnerabilities)

    The ftpd and rcp applications provided by Heimdal fail to check the     return value of calls to seteuid().
  Impact :

    A local attacker could exploit this vulnerability to execute arbitrary     code with elevated privileges.
  Workaround :

    There is no known workaround at this time.

The remote host is affected by the vulnerability described in GLSA-200608-15 (MIT Kerberos 5: Multiple local privilege escalation vulnerabilities)

    Unchecked calls to setuid() in krshd and v4rcp, as well as unchecked     calls to seteuid() in kftpd and in ksu, have been found in the MIT     Kerberos 5 program suite and may lead to a local root privilege     escalation.
  Impact :

    A local attacker could exploit this vulnerability to execute arbitrary     code with elevated privileges.
  Workaround :

    There is no known workaround at this time.

ID	Name	Product	Family	Severity
29496	SuSE 10 Security Update : krb5-apps-servers and krb5-apps-clients (ZYPP Patch Number 1938)	Nessus	SuSE Local Security Checks	high
27913	Ubuntu 5.04 / 5.10 / 6.06 LTS : krb5 vulnerabilities (USN-334-1)	Nessus	Ubuntu Local Security Checks	high
27908	Ubuntu 6.06 LTS : mozilla-thunderbird vulnerabilities (USN-329-1)	Nessus	Ubuntu Local Security Checks	critical
27312	openSUSE 10 Security Update : krb5-apps-clients (krb5-apps-clients-1937)	Nessus	SuSE Local Security Checks	high
24190	Fedora Core 5 : krb5-1.4.3-5.3 (2007-034)	Nessus	Fedora Local Security Checks	high
23888	Mandrake Linux Security Advisory : krb5 (MDKSA-2006:139)	Nessus	Mandriva Local Security Checks	high
22688	Debian DSA-1146-1 : krb5 - programming error	Nessus	Debian Local Security Checks	high
22283	GLSA-200608-21 : Heimdal: Multiple local privilege escalation vulnerabilities	Nessus	Gentoo Local Security Checks	high
22214	GLSA-200608-15 : MIT Kerberos 5: Multiple local privilege escalation vulnerabilities	Nessus	Gentoo Local Security Checks	high

Detections

Analytics

CVE-2006-3084

high

Tenable Plugins

high

high

critical

high

high

high

high

high

high