A MIT krb5 Security Advisory reports :

The MIT Kerberos 5 administration library (libkadm5srv) contains a heap buffer overflow in password history handling code which could be exploited to execute arbitrary code on a Key Distribution Center (KDC) host. The overflow occurs during a password change of a principal with a certain password history state. An administrator must have performed a certain password policy change in order to create the vulnerable state.

An authenticated user, not necessarily one with administrative privileges, could execute arbitrary code on the KDC host, compromising an entire Kerberos realm.

The remote host is affected by the vulnerability described in GLSA-200501-05 (mit-krb5: Heap overflow in libkadm5srv)

    The MIT Kerberos 5 administration library libkadm5srv contains a     heap overflow in the code handling password changing.
  Impact :

    Under specific circumstances an attacker could execute arbitary     code with the permissions of the user running mit-krb5, which could be     the root user.
  Workaround :

    There is no known workaround at this time.

Michael Tautschnig discovered a possible buffer overflow in the add_to_history() function in the MIT Kerberos 5 implementation.
Performing a password change did not properly track the password policy's history count and the maximum number of keys. This could cause an array overflow and may have allowed authenticated users (not necessarily one with administrative privileges) to execute arbitrary code on the KDC host, compromising an entire Kerberos realm.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 4 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2005:045 advisory.

    Kerberos is a networked authentication system that uses a trusted third     party (a KDC) to authenticate clients and servers to each other.

    A heap based buffer overflow bug was found in the administration library of     Kerberos 1.3.5 and earlier.  This bug could allow an authenticated remote     attacker to execute arbitrary commands on a realm's master Kerberos KDC.
    The Common Vulnerabilities and Exposures project (cve.mitre.org) has     assigned the name CAN-2004-1189 to this issue.

    All users of krb5 should upgrade to these updated packages, which contain     backported security patches to resolve these issues.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied.

This security update contains fixes for the following products :

  - Apache 2
  - AppKit
  - Bluetooth
  - CoreFoundation
  - CUPS
  - Directory Services
  - HItoolbox
  - Kerberos
  - loginwindow
  - Mail
  - MySQL
  - OpenSSL
  - QuartzComposerScreenSaver
  - ping
  - Safari
  - SecurityInterface
  - servermgrd
  - servermgr_ipfilter
  - SquirelMail
  - traceroute
  - WebKit
  - WebLog Server
  - X11
  - zlib

Michael Tautschnig discovered a heap buffer overflow in the history handling code of libkadm5srv which could be exploited by an authenticated user to execute arbitrary code on a Key Distribution Center (KDC) server.

The updated packages have been patched to prevent this problem.

A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This overflow in the password history handling code could allow an authenticated remote attacker to execute commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1189 to this issue.

Additionally a temporary file bug was found in the Kerberos krb5-send-pr command. It is possible that an attacker could create a specially crafted temporary file that could allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0971 to this issue.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated Kerberos (krb5) packages that correct buffer overflow and temporary file bugs are now available for Red Hat Enterprise Linux.

Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other.

A heap based buffer overflow bug was found in the administration library of Kerberos 1.3.5 and earlier. This bug could allow an authenticated remote attacker to execute arbitrary commands on a realm's master Kerberos KDC. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-1189 to this issue.

Additionally a temporary file bug was found in the Kerberos krb5-send-pr program. It is possible that an attacker could create a temporary file that would allow an arbitrary file to be overwritten which the victim has write access to. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0971 to this issue.

All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.

A buffer overflow has been discovered in the MIT Kerberos 5 administration library (libkadm5srv) that could lead to the execution of arbitrary code upon exploitation by an authenticated user, not necessarily one with administrative privileges.

ID	Name	Product	Family	Published	Updated	Severity
18834	FreeBSD : krb5 -- heap buffer overflow vulnerability in libkadm5srv (0bb7677d-52f3-11d9-a9e7-0001020eed82)	Nessus	FreeBSD Local Security Checks	7/13/2005	1/6/2021	high
16396	GLSA-200501-05 : mit-krb5: Heap overflow in libkadm5srv	Nessus	Gentoo Local Security Checks	2/14/2005	1/6/2021	high
20676	Ubuntu 4.10 : krb5 vulnerability (USN-58-1)	Nessus	Ubuntu Local Security Checks	1/15/2006	1/19/2021	high
17173	RHEL 4 : krb5 (RHSA-2005:045)	Nessus	Red Hat Local Security Checks	2/22/2005	11/4/2024	critical
19463	Mac OS X Multiple Vulnerabilities (Security Update 2005-007)	Nessus	MacOS X Local Security Checks	8/18/2005	5/28/2024	critical
16037	Mandrake Linux Security Advisory : krb5 (MDKSA-2004:156)	Nessus	Mandriva Local Security Checks	12/23/2004	1/6/2021	high
16028	Fedora Core 2 : krb5-1.3.6-1 (2004-563)	Nessus	Fedora Local Security Checks	12/23/2004	1/11/2021	high
16221	RHEL 2.1 / 3 : krb5 (RHSA-2005:012)	Nessus	Red Hat Local Security Checks	1/19/2005	1/14/2021	high
16029	Fedora Core 3 : krb5-1.3.6-2 (2004-564)	Nessus	Fedora Local Security Checks	12/23/2004	1/11/2021	high
16112	Debian DSA-629-1 : krb5 - buffer overflow	Nessus	Debian Local Security Checks	1/7/2005	1/4/2021	high

Detections

Analytics

Plugins Search

high

high

high

critical

critical

high

high

high

high

high