Info
Last Modified: 5 months ago

Description
MIT Kerberos Key Distribution Center (KDC) contains a flaw that may allow a remote attacker to crash the service and possibly execute arbitrary code. The issue is due to format string flaws in the logging routines and Kerberos principal name specifiers of the KDC. By sending a specially crafted request, an attacker can crash the service or execute arbitrary code with the privileges the server runs under.
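
The bug class described above, as an added example that is not MIT Kerberos code and is not taken from this entry: a logging routine that passes a message containing the client-supplied principal name on as the format string, next to the hardened form with a constant format. The names kdc_log, log_request_unsafe, log_request_safe and count_conversions, and the sample principal name, are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a syslog-style KDC logging routine. */
static int kdc_log(char *out, size_t len, const char *fmt, ...)
{
    va_list ap;
    va_start(ap, fmt);
    int n = vsnprintf(out, len, fmt, ap);
    va_end(ap);
    return n;
}

/* VULNERABLE pattern: the message containing the client-supplied
 * principal name is passed on as the format string, so any '%'
 * conversion in the name is interpreted by the formatter. */
int log_request_unsafe(char *out, size_t len, const char *principal)
{
    char msg[256];
    snprintf(msg, sizeof msg, "request for %s", principal);
    return kdc_log(out, len, msg);
}

/* Hardened: constant format, principal name is only ever data. */
int log_request_safe(char *out, size_t len, const char *principal)
{
    return kdc_log(out, len, "request for %s", principal);
}

/* Review aid: count printf conversions in a name ("%%" is a literal). */
int count_conversions(const char *s)
{
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        n++;
    }
    return n;
}

int main(void)
{
    char line[128];
    const char *name = "host/%s%s@EXAMPLE.COM"; /* constructed sample */
    log_request_safe(line, sizeof line, name);
    printf("%s (conversions in name: %d)\n", line, count_conversions(name));
    return 0;
}
```

Declaring the wrapper with the GCC/Clang format(printf, 3, 4) attribute and building with -Wformat-security makes the compiler flag the call in log_request_unsafe.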

Classification
Location: Remote/Network Access Required
Attack Type: Authentication Management, Denial of Service
Impact: Loss of Integrity, Loss of Availability
Exploit: Exploit Available
Disclosure: OSVDB Verified

Solution
Upgrade to version 1.2.5 or higher, as it has been reported to fix this vulnerability. It is possible to partially correct the flaw by implementing the following workaround: start the KDC from a loop in a shell script, or from inittab. Note that inittab is not recommended because it may fail if the KDC crashes often in a short period. This workaround does not address the possibility of exploiting the format string vulnerability to gain access to the host system, so an upgrade is strongly recommended.

Products
Kerberos 5 1.2.4

Credit
- E. Larry Lidz - ellidz eridu.uchicago.edu