View Previous Alerts

Alert (TA07-177A)

MIT Kerberos Vulnerabilities

Original Release date: June 26, 2007 | Last revised: --

Systems Affected

Other products that use the RPC library provided with MIT Kerberos or other RPC libraries derived from SunRPC may also be affected.

Overview

The MIT Kerberos 5 implementation contains several vulnerabilities. Exploitation of these vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code or cause a denial of service on a vulnerable system.

Description

There are three vulnerabilities that affect MIT Kerberos 5:

Impact

A remote, unauthenticated attacker may be able to execute arbitrary code on KDCs, systems running kadmind, and application servers that use the RPC library. An attacker could also cause a denial of service on any of these systems. These vulnerabilities could result in the compromise of both the KDC and an entire Kerberos realm.


Solution

Check with your vendors for patches or updates. For information about a vendor, please see the systems affected section in the individual vulnerability notes or contact your vendor directly.

Alternatively, apply the appropriate source code patches referenced in MITKRB5-SA-2007-004 and MITKRB5-SA-2007-005 and recompile.

These vulnerabilities will also be addressed in the krb5-1.6.2 and krb5-1.5.4 releases.


References


Revision History

This product is provided subject to this Notification and this Privacy & Use policy.

Document Feedback

Was this document helpful?  Yes  |   Somewhat  |   No