Kerberos GSS-API code execution

kerberos-gssapi-code-execution (31417) The risk level is classified as HighHigh Risk

Description:

Kerberos could allow a remote attacker to execute arbitrary code, caused by a memory corruption vulnerability in the GSS-API implementation of the kadmind daemon. A remote attacker could send a specially-crafted packet to the mechglue abstraction interface, which could allow the attacker to execute arbitrary code on the vulnerable system or crash the application.

Note: Other applications that use the GSS-API may also be affected by this vulnerability.

Platforms Affected:

  • Gentoo, Linux
  • IBM, AIX
  • MIT, Kerberos 5-1.5
  • MIT, Kerberos 5-1.5.1
  • Novell, OpenSUSE 10.2
  • OpenPKG, OpenPKG 2-STABLE
  • OpenPKG, OpenPKG CURRENT
  • OpenPKG, OpenPKG Enterprise E1.0-SOLID
  • SuSE, SuSE Linux 10.0
  • SuSE, SuSE Linux 10.1
  • SuSE, SuSE Linux 9.3
  • SuSE, SuSE SLED 10
  • SuSE, SuSE SLES 10

Remedy:

Refer to MITkrb5 Security Advisory 2006-003 for patch information. See References.

For SUSE Linux:
Refer to SUSE Security Announcement SUSE-SA:2007:00 for patch, upgrade, or suggested workaround information. See References.

For OpenPKG:
Refer to OpenPKG-SA-2007.006 for patch, upgrade, or suggested workaround information. See References.

For other distributions:
Contact your vendor for upgrade or patch information.

Consequences:

Gain Access

References:

  • MIT krb5 Security Advisory 2006-003, kadmind (via GSS-API mechglue) frees uninitialized pointers at http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2006-003-mechglue.txt.
  • ASA-2007-030: Third-party Applications Using GSS-API May Be Vulnerable to Compromise (SUN 102772)
  • BID-21975: MIT Kerberos Administration Daemon Free Pointers Remote Code Execution Vulnerability
  • CVE-2006-6144: The mechglue abstraction interface of the GSS-API library for Kerberos 5 1.5 through 1.5.1, as used in Kerberos administration daemon (kadmind) and other products that use this library, allows remote attackers to cause a denial of service (crash) via unspecified vectors that cause mechglue to free uninitialized pointers.
  • GLSA-200701-21: MIT Kerberos 5: Arbitrary Remote Code Execution
  • OpenPKG-SA-2007.006: MIT Kerberos
  • SA23690: Kerberos kadmind "mechglue" Code Execution Vulnerability
  • SECTRACK ID: 1017494: Kerberos kadmind GSS-API `mechglue` Memory Error Lets Remote Users Execute Arbitrary Code
  • SUSE-SA:2007:004: krb5 security problems
  • US-CERT VU#831452: Kerberos administration daemon may free uninitialized pointers
  • VUPEN/ADV-2007-0111: Kerberos V5 Kadmind RPC and GSS-API Modules Remote Code Execution Vulnerabilities
  • VUPEN/ADV-2007-0112: Sun Solaris Generic Security Services Library Remote Command Execution Vulnerability

Reported:

Jan 09, 2007

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Copyright (c) 1994-2008 Internet Security Systems, Inc. All rights reserved worldwide.

For corrections or additions please email xforce@iss.net

Return to the main page