


Related information

  MIT Kerberos multiple security vulnerabilities

  MITKRB5-SA-2008-002: array overrun in RPC library used by kadmin

  MITKRB5-SA-2008-001: double-free, uninitialized data vulnerabilities in krb5kdc

From: CERT <cert_(at)_cert.gov>
Date: 19.03.2008
Subject: US-CERT Technical Cyber Security Alert TA08-079B -- MIT Kerberos Updates for Multiple Vulnerabilities


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

       National Cyber Alert System
  
 Technical Cyber Security Alert TA08-079B


MIT Kerberos Updates for Multiple Vulnerabilities

  Original release date: March 19, 2008
  Last revised: --
  Source: US-CERT

Systems Affected

    * MIT Kerberos

Overview

  The MIT Kerberos implementation contains several vulnerabilities.
  Exploitation of these vulnerabilities could allow a remote,
  unauthenticated attacker to execute arbitrary code, compromise the key
  database or cause a denial of service on a vulnerable system.

I. Description

  The MIT Kerberos Development Team has released MIT krb5 Security
  Advisory 2008-002 to address vulnerabilities in multiple versions of
  MIT Kerberos. More information about these vulnerabilities can be
  found in VU#895609 and VU#374121.

II. Impact

  Potential consequences include arbitrary code execution, key database
  compromise, and denial of service.

III. Solution

Install updates from your vendor

  Check with your vendors for patches or updates. For information about
  a vendor, please see the systems affected section in vulnerability
  notes VU#895609 and VU#374121 or contact your vendor directly.
  Administrators who compile MIT Kerberos from source should refer to
  MIT Security Advisory 2008-002 for more information.

IV. References

* US-CERT Vulnerability Note VU#895609 -
  <http://www.kb.cert.org/vuls/id/895609>
    
* US-CERT Vulnerability Note VU#374121 -
  <http://www.kb.cert.org/vuls/id/374121>
    
* MIT krb5 Security Advisory 2008-002 -
  <http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt2>

_________________________________________________________________

 The most recent version of this document can be found at:

   <http://www.us-cert.gov/cas/techalerts/TA08-079B.html>
_________________________________________________________________

 Feedback can be directed to US-CERT Technical Staff. Please send
 email to <cert@cert.org> with "TA08-079B Feedback VU#895609" in the
 subject.
_________________________________________________________________

 For instructions on subscribing to or unsubscribing from this
 mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
_________________________________________________________________

 Produced 2008 by US-CERT, a government organization.

 Terms of use:

   <http://www.us-cert.gov/legal.html>
____________________________________________________________________

  Revision History

  March 19, 2008: Initial release
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

-----END PGP SIGNATURE-----
