ID OPENVAS:53434 Type openvas Reporter Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com Modified 2017-07-07T00:00:00
Description
The remote host is missing an update to krb4
announced via advisory DSA 184-1.
# OpenVAS Vulnerability Test
# $Id: deb_184_1.nasl 6616 2017-07-07 12:10:49Z cfischer $
# Description: Auto-generated from advisory DSA 184-1
#
# Authors:
# Thomas Reinke <reinke@securityspace.com>
#
# Copyright:
# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com
# Text descriptions are largely excerpted from the referenced
# advisory, and are Copyright (c) the respective author(s)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2,
# as published by the Free Software Foundation
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
#
include("revisions-lib.inc");
# Advisory text, registered as script tags in the description block below.
tag_summary = "The remote host is missing an update to krb4
announced via advisory DSA 184-1.";
tag_solution = "https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20184-1";
# Excerpt of DSA 184-1: stack buffer overflow in kadm_ser_wrap_in (krb4 kadmind),
# with the fixed package version for each Debian release.
tag_insight = "Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow
in the kadm_ser_wrap_in function in the Kerberos v4 administration
server. This kadmind bug has a working exploit code circulating,
hence it is considered serious.
This problem has been fixed in version 1.1-8-2.2 for the current
stable distribution (woody), in version 1.0-2.2 for the old stable
distribution (potato) and in version 1.1-11-8 for the unstable
distribution (sid).
We recommend that you upgrade your krb4 packages immediately.";
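if(description)
{
 # Registration branch: runs when the scanner loads the plugin to collect its metadata.
 script_id(53434);
 script_cve_id("CVE-2002-1235");
 script_version("$Revision: 6616 $");
 script_name("Debian Security Advisory DSA 184-1 (krb4)");
 script_category(ACT_GATHER_INFO);
 script_copyright("Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com");
 script_family("Debian Local Security Checks");
 # The installed-package list comes from gather-package-list.nasl over SSH;
 # the mandatory keys keep this check from running on non-Debian hosts.
 script_dependencies("gather-package-list.nasl");
 script_mandatory_keys("ssh/login/debian_linux", "ssh/login/packages");
 # Timestamps and CVSS scoring.
 script_tag(name:"last_modification", value:"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $");
 script_tag(name:"creation_date", value:"2008-01-17 22:24:46 +0100 (Thu, 17 Jan 2008)");
 script_tag(name:"cvss_base", value:"10.0");
 script_tag(name:"cvss_base_vector", value:"AV:N/AC:L/Au:N/C:C/I:C/A:C");
 # Advisory text (defined at file scope above) and result classification.
 script_tag(name:"solution", value:tag_solution);
 script_tag(name:"insight", value:tag_insight);
 script_tag(name:"summary", value:tag_summary);
 script_tag(name:"qod_type", value:"package");
 script_tag(name:"solution_type", value:"VendorFix");
 # Upstream Debian advisory, so the report points at the vendor's own text
 # and not only at the securityspace mirror used as the solution link.
 script_xref(name:"URL", value:"http://www.debian.org/security/2002/dsa-184");
 exit(0);
}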
#
# The script code starts here
#
include("pkg-lib-deb.inc");
# Compare the installed krb4 packages against the fixed versions from DSA 184-1.
# isdpkgvuln() yields NULL when the package is absent or already at/above the
# fixed version; otherwise it yields a report fragment that is accumulated.
res = "";
report = "";

# potato (Debian 2.2): fixed in 1.0-2.2
potato_pkgs = make_list(
  "kerberos4kth-clients",
  "kerberos4kth-dev",
  "kerberos4kth-kdc",
  "kerberos4kth-services",
  "kerberos4kth-user",
  "kerberos4kth-x11",
  "kerberos4kth1");
foreach pkg (potato_pkgs) {
  if ((res = isdpkgvuln(pkg:pkg, ver:"1.0-2.2", rls:"DEB2.2")) != NULL) {
    report += res;
  }
}

# woody (Debian 3.0): fixed in 1.1-8-2.2
woody_pkgs = make_list(
  "kerberos4kth-docs",
  "kerberos4kth-services",
  "kerberos4kth-user",
  "kerberos4kth-x11",
  "kerberos4kth1",
  "kerberos4kth-clients",
  "kerberos4kth-clients-x",
  "kerberos4kth-dev",
  "kerberos4kth-dev-common",
  "kerberos4kth-kdc",
  "kerberos4kth-kip",
  "kerberos4kth-servers",
  "kerberos4kth-servers-x",
  "libacl1-kerberos4kth",
  "libkadm1-kerberos4kth",
  "libkdb-1-kerberos4kth",
  "libkrb-1-kerberos4kth");
foreach pkg (woody_pkgs) {
  if ((res = isdpkgvuln(pkg:pkg, ver:"1.1-8-2.2", rls:"DEB3.0")) != NULL) {
    report += res;
  }
}

# Report only when at least one package matched a vulnerable version;
# __pkg_match (set by pkg-lib-deb.inc) distinguishes "checked and fixed"
# from "package not installed at all".
if (report != "") {
  security_message(data:report);
} else if (__pkg_match) {
  exit(99); # Not vulnerable.
}
{"id": "OPENVAS:53434", "type": "openvas", "bulletinFamily": "scanner", "title": "Debian Security Advisory DSA 184-1 (krb4)", "description": "The remote host is missing an update to krb4\nannounced via advisory DSA 184-1.", "published": "2008-01-17T00:00:00", "modified": "2017-07-07T00:00:00", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=53434", "reporter": "Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com", "references": [], "cvelist": ["CVE-2002-1235"], "lastseen": "2017-07-24T12:49:55", "viewCount": 1, "enchantments": {"score": {"value": 8.3, "vector": "NONE", "modified": "2017-07-24T12:49:55", "rev": 2}, "dependencies": {"references": [{"type": "cve", "idList": ["CVE-2002-1235"]}, {"type": "openvas", "idList": ["OPENVAS:53435", "OPENVAS:53693"]}, {"type": "redhat", "idList": ["RHSA-2002:250"]}, {"type": "osvdb", "idList": ["OSVDB:4900", "OSVDB:5618", "OSVDB:4870"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:3686"]}, {"type": "nessus", "idList": ["DEBIAN_DSA-183.NASL", "REDHAT-RHSA-2003-021.NASL", "REDHAT-RHSA-2002-250.NASL", "DEBIAN_DSA-184.NASL", "MANDRAKE_MDKSA-2002-073.NASL", "DEBIAN_DSA-178.NASL", "DEBIAN_DSA-185.NASL"]}, {"type": "cert", "idList": ["VU:875073"]}], "modified": "2017-07-24T12:49:55", "rev": 2}, "vulnersScore": 8.3}, "pluginID": "53434", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_184_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 184-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow\nin the kadm_ser_wrap_in function in the Kerberos v4 administration\nserver. 
This kadmind bug has a working exploit code circulating,\nhence it is considered serious.\n\nThis problem has been fixed in version 1.1-8-2.2 for the current\nstable distribution (woody), in version 1.0-2.2 for the old stable\ndistribution (potato) and in version 1.1-11-8 for the unstable\ndistribution (sid).\n\nWe recommend that you upgrade your krb4 packages immediately.\";\ntag_summary = \"The remote host is missing an update to krb4\nannounced via advisory DSA 184-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20184-1\";\n\nif(description)\n{\n script_id(53434);\n script_cve_id(\"CVE-2002-1235\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:24:46 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 184-1 (krb4)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-clients\", ver:\"1.0-2.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-dev\", ver:\"1.0-2.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-kdc\", ver:\"1.0-2.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-services\", ver:\"1.0-2.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-user\", ver:\"1.0-2.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-x11\", ver:\"1.0-2.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth1\", ver:\"1.0-2.2\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-docs\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-services\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-user\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-x11\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth1\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += 
res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-clients\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-clients-x\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-dev\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-dev-common\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-kdc\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-kip\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-servers\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"kerberos4kth-servers-x\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libacl1-kerberos4kth\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkadm1-kerberos4kth\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkdb-1-kerberos4kth\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkrb-1-kerberos4kth\", ver:\"1.1-8-2.2\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "naslFamily": "Debian Local Security Checks"}
{"cve": [{"lastseen": "2021-02-02T05:19:07", "description": "The kadm_ser_in function in (1) the Kerberos v4compatibility administration daemon (kadmind4) in the MIT Kerberos 5 (krb5) krb5-1.2.6 and earlier, (2) kadmind in KTH Kerberos 4 (eBones) before 1.2.1, and (3) kadmind in KTH Kerberos 5 (Heimdal) before 0.5.1 when compiled with Kerberos 4 support, does not properly verify the length field of a request, which allows remote attackers to execute arbitrary code via a buffer overflow attack.", "edition": 7, "cvss3": {}, "published": "2002-11-04T05:00:00", "title": "CVE-2002-1235", "type": "cve", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": true, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 10.0, "vectorString": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2002-1235"], "modified": "2020-01-21T16:47:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "cpe:/a:mit:kerberos_5:1.2.6"], "id": "CVE-2002-1235", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2002-1235", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:mit:kerberos_5:1.2.6:*:*:*:*:*:*:*", "cpe:2.3:o:debian:debian_linux:3.0:*:*:*:*:*:*:*"]}], "redhat": [{"lastseen": "2019-08-13T18:46:36", "bulletinFamily": "unix", "cvelist": ["CVE-2002-1235"], "description": "Kerberos is a network authentication system.\n\nA stack buffer overflow has been found in the implementation of the\nKerberos v4 compatibility administration daemon (kadmind4), which is part\nof the MIT krb5 distribution. 
This vulnerability is present in version\n1.2.6 and earlier of the MIT krb5 distribution and can be exploited to gain\nunauthorized root access to a KDC host. The attacker does not need to\nauthenticate to the daemon to successfully perform this attack.\n\nkadmind4 is included in the Kerberos packages in Red Hat Linux Advanced\nServer but is not enabled or used by default.\n\nAll users of Kerberos are advised to upgrade to these errata packages which\ncontain a backported patch and are not vulnerable to this issue.", "modified": "2018-02-18T04:30:39", "published": "2003-01-09T05:00:00", "id": "RHSA-2002:250", "href": "https://access.redhat.com/errata/RHSA-2002:250", "type": "redhat", "title": "(RHSA-2002:250) krb5 security update", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "osvdb": [{"lastseen": "2017-04-28T13:19:59", "bulletinFamily": "software", "cvelist": ["CVE-2002-1235"], "edition": 1, "description": "## Vulnerability Description\nHeimdal Kerberos contains a flaw that may allow a malicious user to exploit a buffer overflow condition. The issue is triggered because Heimdal does not properly verify the length field of a request to the Kerberos forwarding daemon. It is possible that the flaw may allow remote attackers to execute arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.\n## Technical Description\nkadmind in KTH Kerberos 5 (Heimdal) before 0.5.1 when compiled with Kerberos 4 support, does not properly verify the length field of a request, which allows remote attackers to execute arbitrary code via a buffer overflow attack.\n## Solution Description\nUpgrade to version 0.5.1 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nHeimdal Kerberos contains a flaw that may allow a malicious user to exploit a buffer overflow condition. 
The issue is triggered because Heimdal does not properly verify the length field of a request to the Kerberos forwarding daemon. It is possible that the flaw may allow remote attackers to execute arbitrary code resulting in a loss of confidentiality, integrity, and/or availability.\n## Manual Testing Notes\nTo tell if kadmind is vulnerable you can run:\n\n# /usr/heimdal/libexec/kadmind --version\nkadmind (Heimdal 0.5.1, KTH-KRB 1.2)\nCopyright (c) 1999-2002 Kungliga Tekniska H\u00f6gskolan\nSend bug-reports to heimdal-bugs@pdc.kth.se\n\nNon-vulnerable versions are Heimdal 0.5.1 and later, and binaries that DO NOT show a Kerberos 4 version string (KTH-KRB 1.2 in the example), indicating that they were not compiled with support for Kerberos 4. \n## References:\n[Vendor Specific Advisory URL](http://www.pdc.kth.se/heimdal/advisory/2002-09-11/)\n[Vendor Specific Advisory URL](http://www.pdc.kth.se/heimdal/advisory/2002-10-21/)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2002/dsa-178)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2002_034_heimdal.html)\n[Related OSVDB ID: 5618](https://vulners.com/osvdb/OSVDB:5618)\n[Related OSVDB ID: 5616](https://vulners.com/osvdb/OSVDB:5616)\n[Related OSVDB ID: 5617](https://vulners.com/osvdb/OSVDB:5617)\nISS X-Force ID: 10116\nGeneric Informational URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc\n[CVE-2002-1235](https://vulners.com/cve/CVE-2002-1235)\nBugtraq ID: 5731\n", "modified": "2002-10-21T00:00:00", "published": "2002-10-21T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:4900", "id": "OSVDB:4900", "title": "Heimdal Kerberos kadmind Forwarding Daemon Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:19:59", "bulletinFamily": "software", "cvelist": ["CVE-2002-1235"], "edition": 1, "description": "## Vulnerability Description\nA remote overflow exists 
in several implementations of Kerberos 4 and legacy compatibility for Kerberos 4 in kerberos 5 distributions. The kadmind daemon fails to do proper bounds checking, resulting in a stack overflow. With a specially crafted request, an attacker can cause the daemon to execute arbitrary commands on the server, resulting in a loss of integrity.\n## Technical Description\nAn attacker does not need to be authenticated to exploit this vulnerability.\nA successfull attack would yeld remote root privileges on the system, due to the fact that the affected daemon runs as root.\nSeveral reports advise that at least one exploit is actively beeing used on the wild.\n## Solution Description\nRefer to vendor and/or distribution specific corrective actions.\nKTH Heimdal users may upgrade to 0.5.1 and/or eBones 1.2.1 or higher, as it has been reported to fix this vulnerability.\nMIT and Heimdal released a patch to address this vulnerability.\nIt is also possible to correct the flaw by implementing the following workaround:\n\n- In kerberos 5 implementations, disable support for the legacy keberos 4 administration protocol.\n## Short Description\nA remote overflow exists in several implementations of Kerberos 4 and legacy compatibility for Kerberos 4 in kerberos 5 distributions. The kadmind daemon fails to do proper bounds checking, resulting in a stack overflow. 
With a specially crafted request, an attacker can cause the daemon to execute arbitrary commands on the server, resulting in a loss of integrity.\n## References:\n[Vendor Specific Advisory URL](http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt)\n[Vendor Specific Advisory URL](http://www.pdc.kth.se/heimdal/advisory/2002-10-21/)\nRedHat RHSA: RHSA-2002:250\nRedHat RHSA: RHSA-2002:242\nOther Advisory URL: http://www.linux-mandrake.com/en/security/2002/MDKSA-2002-073.php\nOther Advisory URL: http://www.debian.org/security/2002/dsa-185\nOther Advisory URL: http://www.debian.org/security/2002/dsa-184\nOther Advisory URL: http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000534\nOther Advisory URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc\nOther Advisory URL: http://www.debian.org/security/2002/dsa-183\nMail List Post: http://archives.neohapsis.com/archives/bugtraq/2002-10/0399.html\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103582805330339&w=2\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103564944215101&w=2\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103582517126392&w=2\nMail List Post: http://marc.theaimsgroup.com/?l=bugtraq&m=103539530729206&w=2\nKeyword: krb4,krb5,kadmind4\nISS X-Force ID: 10430\nGeneric Informational URL: http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt\n[CVE-2002-1235](https://vulners.com/cve/CVE-2002-1235)\nCERT VU: 875073\nCERT: CA-2002-29\nBugtraq ID: 6024\n", "modified": "2002-10-21T00:00:00", "published": "2002-10-21T00:00:00", "id": "OSVDB:4870", "href": "https://vulners.com/osvdb/OSVDB:4870", "title": "Kerberos4 Compatibility Administration Daemon Overflow", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-04-28T13:20:00", "bulletinFamily": "software", "cvelist": ["CVE-2002-1235"], "edition": 1, "description": "## 
Vulnerability Description\nMultiple remote overflows exist in Heimdal Kerberos. The 'kf' binary and the 'kfd' daemon fail to perform proper bounds checking resulting in multiple buffer overflows. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## Solution Description\nUpgrade to version 0.5 or higher, as it has been reported to fix this vulnerability. An upgrade is required as there are no known workarounds.\n## Short Description\nMultiple remote overflows exist in Heimdal Kerberos. The 'kf' binary and the 'kfd' daemon fail to perform proper bounds checking resulting in multiple buffer overflows. With a specially crafted request, a remote attacker can cause arbitrary code execution resulting in a loss of integrity.\n## References:\nVendor URL: http://www.pdc.kth.se/heimdal/\n[Vendor Specific Advisory URL](http://www.pdc.kth.se/heimdal/advisory/2002-09-11/)\n[Vendor Specific Advisory URL](http://www.debian.org/security/2002/dsa-178)\n[Vendor Specific Advisory URL](http://www.suse.de/de/security/2002_034_heimdal.html)\n[Related OSVDB ID: 5616](https://vulners.com/osvdb/OSVDB:5616)\n[Related OSVDB ID: 4900](https://vulners.com/osvdb/OSVDB:4900)\n[Related OSVDB ID: 5617](https://vulners.com/osvdb/OSVDB:5617)\nISS X-Force ID: 10116\nGeneric Informational URL: ftp://ftp.netbsd.org/pub/NetBSD/security/advisories/NetBSD-SA2002-018.txt.asc\n[CVE-2002-1235](https://vulners.com/cve/CVE-2002-1235)\nBugtraq ID: 5731\n", "modified": "2002-09-11T00:00:00", "published": "2002-09-11T00:00:00", "href": "https://vulners.com/osvdb/OSVDB:5618", "id": "OSVDB:5618", "title": "Heimdal Kerberos kf / kfd Multiple Buffer Overflows", "type": "osvdb", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "openvas": [{"lastseen": "2017-07-24T12:50:19", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1235"], "description": "The remote host is missing an update to 
krb5\nannounced via advisory DSA 183-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53693", "href": "http://plugins.openvas.org/nasl.php?oid=53693", "type": "openvas", "title": "Debian Security Advisory DSA 183-1 (krb5)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_183_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 183-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"Tom Yu and Sam Hartman of MIT discovered another stack buffer overflow\nin the kadm_ser_wrap_in function in the Kerberos v4 administration\nserver. This kadmind bug has a working exploit code circulating,\nhence it is considered serious. The MIT krb5 implementation\nincludes support for version 4, including a complete v4 library,\nserver side support for krb4, and limited client support for v4.\n\nThis problem has been fixed in version 1.2.4-5woody3 for the current\nstable distribution (woody) and in version 1.2.6-2 for the unstable\ndistribution (sid). 
The old stable distribution (potato) is not\naffected since no krb5 packages are included.\n\nWe recommend that you upgrade your krb5 packages immediately.\";\ntag_summary = \"The remote host is missing an update to krb5\nannounced via advisory DSA 183-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20183-1\";\n\nif(description)\n{\n script_id(53693);\n script_cve_id(\"CVE-2002-1235\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:24:46 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 183-1 (krb5)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"krb5-doc\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"krb5-admin-server\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"krb5-clients\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"krb5-ftpd\", ver:\"1.2.4-5woody3\", 
rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"krb5-kdc\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"krb5-rsh-server\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"krb5-telnetd\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"krb5-user\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkadm55\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkrb5-17-heimdal\", ver:\"0.4e-7.woody.4\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkrb5-dev\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkrb53\", ver:\"1.2.4-5woody3\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"ssh-krb5\", ver:\"3.4p1-0woody1\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if (__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}, {"lastseen": "2017-07-24T12:50:23", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1235"], "description": "The remote host is missing an update to heimdal\nannounced via advisory DSA 185-1.", "modified": "2017-07-07T00:00:00", "published": "2008-01-17T00:00:00", "id": "OPENVAS:53435", "href": "http://plugins.openvas.org/nasl.php?oid=53435", "type": "openvas", "title": "Debian Security Advisory DSA 185-1 (heimdal)", "sourceData": "# OpenVAS Vulnerability Test\n# $Id: deb_185_1.nasl 6616 2017-07-07 12:10:49Z cfischer $\n# Description: Auto-generated from advisory DSA 185-1\n#\n# Authors:\n# Thomas Reinke <reinke@securityspace.com>\n#\n# Copyright:\n# Copyright (c) 2007 E-Soft Inc. 
http://www.securityspace.com\n# Text descriptions are largerly excerpted from the referenced\n# advisory, and are Copyright (c) the respective author(s)\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2,\n# as published by the Free Software Foundation\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n#\n\ninclude(\"revisions-lib.inc\");\ntag_insight = \"A stack buffer overflow in the kadm_ser_wrap_in function in the\nKerberos v4 administration server was discovered, which is provided by\nHeimdal as well. A working exploit for this kadmind bug is already\ncirculating, hence it is considered serious. 
The roken library also\ncontains a vulnerability which could lead to another root exploit.\n\nThese problems have been fixed in version 0.4e-7.woody.5 for the\ncurrent stable distribution (woody), in version 0.2l-7.6 for the old\nstable distribution (potato) and in version 0.4e-22 for the unstable\ndistribution (sid).\n\nWe recommend that you upgrade your heimdal packages immediately.\";\ntag_summary = \"The remote host is missing an update to heimdal\nannounced via advisory DSA 185-1.\";\n\ntag_solution = \"https://secure1.securityspace.com/smysecure/catid.html?in=DSA%20185-1\";\n\nif(description)\n{\n script_id(53435);\n script_cve_id(\"CVE-2002-1235\");\n script_version(\"$Revision: 6616 $\");\n script_tag(name:\"last_modification\", value:\"$Date: 2017-07-07 14:10:49 +0200 (Fri, 07 Jul 2017) $\");\n script_tag(name:\"creation_date\", value:\"2008-01-17 22:24:46 +0100 (Thu, 17 Jan 2008)\");\n script_tag(name:\"cvss_base\", value:\"10.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n script_name(\"Debian Security Advisory DSA 185-1 (heimdal)\");\n\n\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(\"Copyright (c) 2005 E-Soft Inc. 
http://www.securityspace.com\");\n script_family(\"Debian Local Security Checks\");\n script_dependencies(\"gather-package-list.nasl\");\n script_mandatory_keys(\"ssh/login/debian_linux\", \"ssh/login/packages\");\n script_tag(name : \"solution\" , value : tag_solution);\n script_tag(name : \"insight\" , value : tag_insight);\n script_tag(name : \"summary\" , value : tag_summary);\n script_tag(name:\"qod_type\", value:\"package\");\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n exit(0);\n}\n\n#\n# The script code starts here\n#\n\ninclude(\"pkg-lib-deb.inc\");\n\nres = \"\";\nreport = \"\";\nif ((res = isdpkgvuln(pkg:\"heimdal-docs\", ver:\"0.2l-7.6\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-clients\", ver:\"0.2l-7.6\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-clients-x\", ver:\"0.2l-7.6\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-dev\", ver:\"0.2l-7.6\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-kdc\", ver:\"0.2l-7.6\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-lib\", ver:\"0.2l-7.6\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-servers\", ver:\"0.2l-7.6\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-servers-x\", ver:\"0.2l-7.6\", rls:\"DEB2.2\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-docs\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-lib\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-clients\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-clients-x\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = 
isdpkgvuln(pkg:\"heimdal-dev\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-kdc\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-servers\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"heimdal-servers-x\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libasn1-5-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libcomerr1-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libgssapi1-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libhdb7-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkadm5clnt4-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkadm5srv7-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkafs0-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libkrb5-17-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libotp0-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libroken9-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libsl0-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\nif ((res = isdpkgvuln(pkg:\"libss0-heimdal\", ver:\"0.4e-7.woody.5\", rls:\"DEB3.0\")) != NULL) {\n report += res;\n}\n\nif (report != \"\") {\n security_message(data:report);\n} else if 
(__pkg_match) {\n exit(99); # Not vulnerable.\n}\n", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}], "cert": [{"lastseen": "2020-09-18T20:44:31", "bulletinFamily": "info", "cvelist": ["CVE-2002-1235"], "description": "### Overview \n\nMultiple Kerberos distributions contain a remotely exploitable buffer overflow in the Kerberos administration daemon. A remote attacker could exploit this vulnerability to gain root privileges on a vulnerable system.\n\n### Description \n\nA remotely exploitable buffer overflow exists in the Kerberos administration daemon in both the MIT and KTH Kerberos implementations. The administration daemon handles requests for changes to the Kerberos database and runs on the master Key Distribution Center (KDC) system of a Kerberos realm. The master KDC contains the authoritative copy of the Kerberos database, thus it is a critical part of a site's Kerberos infrastructure. The buffer overflow can be triggered when the daemon parses an un-checked length value contained in an administrative request read from the network. An attacker does not have to authenticate in order to exploit this vulnerability, and the Kerberos administration daemon runs with root privileges.\n\nFurther information is available in [MIT krb5 Security Advisory 2002-002](<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt>). MIT has also provided a [description](<http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt>) of the attack signature against `kadmind4`. \n \nIn the MIT Kerberos 5 distribution, `kadmind4` is included to provide legacy support for Kerberos 4 administrative clients. In the KTH Kerberos 5 (Heimdal) distribution, `kadmind` can be compiled with Kerberos 4 support. Therefore, sites using Kerberos 5 may be running vulnerable Kerberos administration daemon. 
Other implementations derived from MIT Kerberos 4 are likely to be affected, and many operating systems include Kerberos code from MIT or KTH. \n \n--- \n \n### Impact \n\nAn unauthenticated, remote attacker could execute arbitrary code with root privileges. \n \n--- \n \n### Solution \n\n \n**Patch or Upgrade** \n \nApply the appropriate patch or upgrade as specified by your vendor. \n \n--- \n \n \n**Disable Vulnerable Service** \n \nIf it is not needed, disable Kerberos 4 support. In MIT Kerberos 5, disable `kadmin4`. In KTH Heimdal, compile `kadmind` without Kerberos 4 support. This will prevent Kerberos 4 administrative clients from accessing the Kerberos database. \n \n**Block or Restrict Access** \n \nBlock access to the Kerberos administration server from untrusted networks such as the Internet. Furthermore, only allow access to the server from trusted administrative hosts. The assigned port for the Kerberos 4 administrative protocol is 751/tcp and 751/udp; however, this may be configured differently. It may also be necessary to block access to Kerberos 5 administration daemons that support the Kerberos 4 administration protocol. The assigned port for the Kerberos 5 administrative protocol is 749/tcp and 749/udp. Again, this may be configured differently. Note that this workaround will not prevent exploitation, but it will limit the possible sources of attacks. \n \n--- \n \n### Vendor Information\n\n875073\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Apple Computer Inc. 
__ Affected\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe Kerberos Administration Daemon was included in Mac OS X 10.0, but removed in Mac OS X 10.1 and later.\n\nWe encourage sites that use vulnerable Kerberos distributions to verify the integrity of their systems and apply patches or upgrade as appropriate.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Conectiva __ Affected\n\nNotified: October 24, 2002 Updated: November 06, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nOur MIT Kerberos 5 packages in Conectiva Linux 8 do contain the vulnerable kadmind4 daemon, but it is not used by default nor is it installed as a service.\n\nUpdated packages are being uploaded to our ftp server and should be available in a few hours at: \n<ftp://atualizacoes.conectiva.com.br/8/> \nThe krb5-server-1.2.3-3U8_3cl.i386.rpm package contains a patched kadmind4 daemon. 
An announcement will be sent to our security mailing list a few hours after the upload is complete.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see Conectiva Linux Announcement [CLSA-2002:534 (English)](<http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000534&idioma=en>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Debian __ Affected\n\nNotified: October 24, 2002 Updated: November 08, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPlease reference Debian Security Advisories [DSA-183](<http://www.debian.org/security/2002/dsa-183>) (krb5), [DSA-184](<http://www.debian.org/security/2002/dsa-184>) (krb4), and [DSA-185](<http://www.debian.org/security/2002/dsa-185>) (Heimdal).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nIn the initial (2002-10-25) version of CERT Advisory [CA-2002-29](<http://www.cert.org/advisories/CA-2002-29.html>), we mistakenly included a reference to Debian Security Advisory [DSA-178](<http://www.debian.org/security/2002/dsa-178>). This was an error, DSA-178 does not address the vulnerability described in CA-2002-29 and VU#875073. 
Debian Security Advisory DSA-185 includes the Heimdal fixes in DSA-178 in addition to the fix for the vulnerability described in CA-2002-29 and VU#875073.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### FreeBSD __ Affected\n\nNotified: October 24, 2002 Updated: November 13, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nBoth the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons were vulnerable and have been corrected as of 23 October 2002. In addition, the heimdal and krb5 ports contained the same vulnerability and have been corrected as of 24 October 2002. A Security Advisory is in progress.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease see [FreeBSD-SA-02:40.kadmind](<ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-02:40.kadmind.asc>).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Gentoo Linux __ Affected\n\nUpdated: November 08, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n`-----BEGIN PGP SIGNED MESSAGE----- \nHash: SHA1 \n`\n\n`- - -------------------------------------------------------------------- \nGENTOO LINUX SECURITY ANNOUNCEMENT 200210-011 \n- - -------------------------------------------------------------------- \n` \n`PACKAGE : krb5 \nSUMMARY?: buffer overflow \nDATE ?? 
: 2002-10-28 14:10 UTC \nEXPLOIT : remote \n` \n`- - -------------------------------------------------------------------- \n` \n`A stack buffer overflow in the implementation of the Kerberos v4 \ncompatibility administration daemon (kadmind4) in the MIT krb5 \ndistribution can be exploited to gain unauthorized root access to a \nKDC host. The attacker does not need to authenticate to the daemon to \nsuccessfully perform this attack. At least one exploit is known to \nexist in the wild, and at least one attacker is reasonably competent \nat cleaning up traces of intrusion. \n` \n`Read the full advisory at \n``<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt>`` \n` \n`SOLUTION \n` \n`It is recommended that all Gentoo Linux users who are running \napp-crypt/krb5 and earlier update their systems as follows: \n` \n`emerge rsync \nemerge krb5 \nemerge clean \n` \n`- - -------------------------------------------------------------------- \naliz@gentoo.org - GnuPG key is available at www.gentoo.org/~aliz \n- - -------------------------------------------------------------------- \n-----BEGIN PGP SIGNATURE----- \nVersion: GnuPG v1.0.7 (GNU/Linux) \n` \n`iD8DBQE9vUr1fT7nyhUpoZMRAhvRAJ9zxSpTuroJ57RA9lVFegHfCODgkgCbBGRb \n4qBVkt0y6Ndn9pVFt0zrplo= \n=SacS \n-----END PGP SIGNATURE-----`\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Hewlett-Packard Company __ Affected\n\nNotified: October 24, 2002 Updated: February 14, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nSource: Hewlett-Packard Company Software Security Response Team\n\nRE: CERT VU#875073 CA-2002-29 \ncross reference id: SSRT2396 \n \nHP's implementation for the following Operating Systems Software are not affected by this potential buffer overflow vulnerability in the kadmind4 daemon. 
\n \nHP-UX \nHP-MPE/ix \nHP Tru64 UNIX \nHP OpenVMS \nHP NonStop Servers \nTo report potential security vulnerabilities in HP software, send an E-mail message to: [security-alert@hp.com](<%3Ca%20href=%22mailto:security-alert@hp.com%22%3Esecurity-alert@hp.com%3C/a%3E>)\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nHP Secure OS Software for Linux is affected (HPSBTL0211-077).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### IBM __ Affected\n\nNotified: October 24, 2002 Updated: February 14, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nThe IBM pSeries Parallel Systems Support Programs (PSSP) implementation of Kerberos V4 (shipped with PSSP) is potentially vulnerable to the Kerberos V4 administration daemon buffer overflow described in CA-2002-29. For more information, see:\n\n<http://techsupport.services.ibm.com/server/nav?fetch=/spflashes/home.html> \nClick on the Service Flash for \"Potential Kerberos V4 security vulnerability.\" This link also contains APAR numbers and solution information. \n \nThe IBM Network Authentication Service (NAS) product is not vulnerable to the buffer overflow vulnerability in the kadmind4 daemon. NAS is currently at release 1.3 and is available from the AIX Expansion Pack. 
The kadmind4 daemon is not part of the NAS product.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nIt is possible that PSSP and other IBM and third-party applications using DCE/Kerberos 5 may be vulnerable if they support Kerberos 4 administration.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### KTH Kerberos __ Affected\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nKTH has released updated versions of [eBones](<http://www.pdc.kth.se/kth-krb/>) (Kerberos 4) and [Heimdal](<http://www.pdc.kth.se/heimdal/>) (Kerberos 5).\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### MIT Kerberos Development Team __ Affected\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nMIT has released [MIT krb5 Security Advisory 2002-002](<http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt>).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### MandrakeSoft __ Affected\n\nNotified: October 24, 2002 Updated: November 08, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPlease reference MandrakeSoft Security Advisory 
[MDKSA-2002:073](<http://www.mandrakesecure.net/en/advisories/2002/MDKSA-2002-073.php>).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### NetBSD __ Affected\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nPlease see [NetBSD-SA2002-026](<ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc>).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### OpenBSD __ Affected\n\nNotified: October 24, 2002 Updated: November 08, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nPlease reference [Security Fix 001](<http://www.openbsd.org/errata.html#kadmin>) for OpenBSD 3.2, [Security Fix 016](<http://www.openbsd.org/errata31.html#kadmin>) for OpenBSD 3.1, and [Security Fix 033](<http://www.openbsd.org/errata30.html#kadmin>) for OpenBSD 3.0.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Red Hat Inc. 
__ Affected\n\nNotified: October 24, 2002 Updated: November 07, 2002 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nReleases of Red Hat Linux version 6.2 and higher include versions of MIT Kerberos that are vulnerable to this issue; however the vulnerable administration server, kadmind4, has never been enabled by default. We are currently working on producing errata packages. When complete these will be available along with our advisory at the URL below. At the same time users of the Red Hat Network will be able to update their systems using the 'up2date' tool.\n\n<http://rhn.redhat.com/errata/RHSA-2002-242.html>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Sorceror Linux __ Affected\n\nUpdated: February 14, 2003 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\n<<http://online.securityfocus.com/archive/1/297604/2002-10-22/2002-10-28/2>>\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### BSDI __ Not Affected\n\nNotified: October 24, 2002 Updated: October 24, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nNo version of BSD/OS is vulnerable to this problem.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this 
vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Cray Inc. __ Not Affected\n\nNotified: October 24, 2002 Updated: November 08, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nCray, Inc. is not vulnerable as the Kerberos administration daemon is not included in any of our operating systems.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Microsoft Corporation __ Not Affected\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nMicrosoft's implementation of Kerberos is not affected by this vulnerability.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Openwall GNU/*/Linux __ Not Affected\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nOpenwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### SuSE Inc. 
__ Not Affected\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nSuSE Linux 7.2 and later are shipped with Heimdal Kerberos included, but Kerberos 4 support is disabled in all releases. Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by this bug.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nIn the initial (emailed) version CERT Advisory [CA-2002-29](<http://www.cert.org/advisories/CA-2002-29.html>), we mistakenly included a reference to SuSE Security Announcement ([SuSE-SA:2002:034](<http://www.suse.com/de/security/2002_034_heimdal.html>)). This was an error, SuSE-SA:2002:034 does not address the vulnerability described in CA-2002-29 and VU#875073.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Sun Microsystems Inc. __ Not Affected\n\nNotified: October 24, 2002 Updated: November 08, 2002 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nThe Sun Enterprise Authentication Mechanism (SEAM), Sun's implementation of the Kerberos v5 protocols, is not affected by this issue. SEAM does not include support for the Kerberos v4 protocols and kadmind4 does not exist. 
Additional information regarding SEAM is available from:\n\n<http://wwws.sun.com/software/security/kerberos/>\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Xerox __ Not Affected\n\nNotified: October 24, 2002 Updated: February 25, 2003 \n\n### Status\n\nNot Affected\n\n### Vendor Statement\n\nA response to this advisory is available from our web site:\n\n[http://www.xerox.com/security](<http://www.xerox.com/security/>).\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### AT&T Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Alcatel Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Avaya Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Cisco Systems Inc. Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Computer Associates Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### D-Link Systems Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the 
vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Data General Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### F5 Networks Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Fujitsu Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### 
Guardian Digital Inc. Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Intel Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Juniper Networks Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Lucent Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### MontaVista Software Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Multinet Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### NEC Corporation Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Network Appliance Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the 
vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Nortel Networks Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### SGI Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Sequent Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Sony 
Corporation Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### The SCO Group Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Unisphere Networks Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Unisys Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this 
time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\n### Wirex Unknown\n\nNotified: October 24, 2002 Updated: October 30, 2002 \n\n### Status\n\nUnknown\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nThe CERT/CC has no additional comments at this time.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23875073 Feedback>).\n\nView all 46 vendors __View less vendors __\n\n \n\n\n### CVSS Metrics \n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References \n\n * <http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt>\n * <http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_patch.txt>\n * <http://web.mit.edu/kerberos/www/advisories/2002-002-kadm4_attacksig.txt>\n * <http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24>\n * <http://www.pdc.kth.se/kth-krb/>\n * <http://www.pdc.kth.se/heimdal/>\n * <http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing>\n * <ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.4e.kadmind-patch>\n\n### Acknowledgements\n\nThe CERT/CC thanks the MIT and KTH Kerberos development teams for information used in this document.\n\nThis document was written by Art Manion.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2002-1235](<http://web.nvd.nist.gov/vuln/detail/CVE-2002-1235>) \n---|--- \n**CERT Advisory:** | [CA-2002-29 ](<http://www.cert.org/advisories/CA-2002-29.html>) \n**Severity Metric:** | 20.53 \n**Date Public:** | 2002-09-30 \n**Date First Published:** | 2002-10-23 \n**Date Last Updated: ** | 2003-02-26 18:07 UTC \n**Document Revision: ** | 24 \n", 
"modified": "2003-02-26T18:07:00", "published": "2002-10-23T00:00:00", "id": "VU:875073", "href": "https://www.kb.cert.org/vuls/id/875073", "type": "cert", "title": "Kerberos administration daemon vulnerable to buffer overflow", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "nessus": [{"lastseen": "2021-01-07T11:51:17", "description": "A stack-based buffer overflow in the implementation of the Kerberos v4\ncompatibility administration daemon (kadmind4) in the krb5 package can\nbe exploited to gain unauthorized root access to a KDC host.\nAuthentication to the daemon is not required to successfully perform\nthe attack and according to MIT at least one exploit is known to\nexist. kadmind4 is used only by sites that require compatibility with\nlegacy administrative clients, and sites that do not have these needs\nare likely not using kadmind4 and are not affected.\n\nMandrakeSoft encourages all users who use Kerberos to upgrade to these\npackages immediately.\n\nUpdate :\n\nThe /etc/rc.d/init.d/kadmin initscript improperly pointed to a\nnon-existent location for the kadmind binary. 
This update corrects the\nproblem.", "edition": 24, "published": "2004-07-31T00:00:00", "title": "Mandrake Linux Security Advisory : krb5 (MDKSA-2002:073-1)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1235"], "modified": "2004-07-31T00:00:00", "cpe": ["p-cpe:/a:mandriva:linux:krb5-workstation", "p-cpe:/a:mandriva:linux:krb5-server", "cpe:/o:mandrakesoft:mandrake_linux:8.2", "p-cpe:/a:mandriva:linux:ftp-server-krb5", "cpe:/o:mandrakesoft:mandrake_linux:9.0", "p-cpe:/a:mandriva:linux:krb5-devel", "p-cpe:/a:mandriva:linux:ftp-client-krb5", "cpe:/o:mandrakesoft:mandrake_linux:8.1", "p-cpe:/a:mandriva:linux:telnet-client-krb5", "p-cpe:/a:mandriva:linux:telnet-server-krb5", "p-cpe:/a:mandriva:linux:krb5-libs"], "id": "MANDRAKE_MDKSA-2002-073.NASL", "href": "https://www.tenable.com/plugins/nessus/13973", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Mandrake Linux Security Advisory MDKSA-2002:073. 
\n# The text itself is copyright (C) Mandriva S.A.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(13973);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/06\");\n\n script_cve_id(\"CVE-2002-1235\");\n script_xref(name:\"CERT\", value:\"875073\");\n script_xref(name:\"MDKSA\", value:\"2002:073-1\");\n\n script_name(english:\"Mandrake Linux Security Advisory : krb5 (MDKSA-2002:073-1)\");\n script_summary(english:\"Checks rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\n\"The remote Mandrake Linux host is missing one or more security\nupdates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A stack-based buffer overflow in the implementation of the Kerberos v4\ncompatibility administration daemon (kadmind4) in the krb5 package can\nbe exploited to gain unauthorized root access to a KDC host.\nAuthentication to the daemon is not required to successfully perform\nthe attack and according to MIT at least one exploit is known to\nexist. kadmind4 is used only by sites that require compatibility with\nlegacy administrative clients, and sites that do not have these needs\nare likely not using kadmind4 and are not affected.\n\nMandrakeSoft encourages all users who use Kerberos to upgrade to these\npackages immediately.\n\nUpdate :\n\nThe /etc/rc.d/init.d/kadmin initscript improperly pointed to a\nnon-existent location for the kadmind binary. 
This update corrects the\nproblem.\"\n );\n # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?282e0fc0\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ftp-client-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:ftp-server-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:krb5-workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:telnet-client-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:mandriva:linux:telnet-server-krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.1\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:8.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:mandrakesoft:mandrake_linux:9.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/01/13\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/31\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Mandriva Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/cpu\", 
\"Host/Mandrake/release\", \"Host/Mandrake/rpm-list\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"rpm.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Mandrake/release\")) audit(AUDIT_OS_NOT, \"Mandriva / Mandake Linux\");\nif (!get_kb_item(\"Host/Mandrake/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (cpu !~ \"^(amd64|i[3-6]86|x86_64)$\") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Mandriva / Mandrake Linux\", cpu);\n\n\nflag = 0;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"ftp-client-krb5-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"ftp-server-krb5-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"krb5-devel-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"krb5-libs-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"krb5-server-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"krb5-workstation-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"telnet-client-krb5-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.1\", cpu:\"i386\", reference:\"telnet-server-krb5-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"ftp-client-krb5-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"ftp-server-krb5-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"krb5-devel-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", 
reference:\"krb5-libs-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"krb5-server-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"krb5-workstation-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"telnet-client-krb5-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK8.2\", cpu:\"i386\", reference:\"telnet-server-krb5-1.2.2-17.3mdk\", yank:\"mdk\")) flag++;\n\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"ftp-client-krb5-1.2.5-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"ftp-server-krb5-1.2.5-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"krb5-devel-1.2.5-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"krb5-libs-1.2.5-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"krb5-server-1.2.5-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"krb5-workstation-1.2.5-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"telnet-client-krb5-1.2.5-1.2mdk\", yank:\"mdk\")) flag++;\nif (rpm_check(release:\"MDK9.0\", cpu:\"i386\", reference:\"telnet-server-krb5-1.2.5-1.2mdk\", yank:\"mdk\")) flag++;\n\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:45:35", "description": "A stack-based buffer overflow in the kadm_ser_wrap_in function in the\nKerberos v4 administration server was discovered, which is provided by\nHeimdal as well. 
A working exploit for this kadmind bug is already\ncirculating, hence it is considered serious. The broken library also\ncontains a vulnerability which could lead to another root exploit.\n\nThese problems have been fixed in version 0.4e-7.woody.5 for the\ncurrent stable distribution (woody), in version 0.2l-7.6 for the old\nstable distribution (potato) and in version 0.4e-22 for the unstable\ndistribution (sid).", "edition": 25, "published": "2004-09-29T00:00:00", "title": "Debian DSA-185-1 : heimdal - buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1235"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:heimdal"], "id": "DEBIAN_DSA-185.NASL", "href": "https://www.tenable.com/plugins/nessus/15022", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-185. The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15022);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2002-1235\");\n script_xref(name:\"CERT\", value:\"875073\");\n script_xref(name:\"DSA\", value:\"185\");\n\n script_name(english:\"Debian DSA-185-1 : heimdal - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A stack-based buffer overflow in the kadm_ser_wrap_in function in the\nKerberos v4 administration server was discovered, which is provided by\nHeimdal as well. 
A working exploit for this kadmind bug is already\ncirculating, hence it is considered serious. The broken library also\ncontains a vulnerability which could lead to another root exploit.\n\nThese problems have been fixed in version 0.4e-7.woody.5 for the\ncurrent stable distribution (woody), in version 0.2l-7.6 for the old\nstable distribution (potato) and in version 0.4e-22 for the unstable\ndistribution (sid).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2002/dsa-185\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the heimdal packages immediately.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:heimdal\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/10/31\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/10/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) 
audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-clients\", reference:\"0.2l-7.6\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-clients-x\", reference:\"0.2l-7.6\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-dev\", reference:\"0.2l-7.6\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-docs\", reference:\"0.2l-7.6\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-kdc\", reference:\"0.2l-7.6\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-lib\", reference:\"0.2l-7.6\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-servers\", reference:\"0.2l-7.6\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-servers-x\", reference:\"0.2l-7.6\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-clients\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-clients-x\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-dev\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-docs\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-kdc\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-lib\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-servers\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-servers-x\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libasn1-5-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libcomerr1-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libgssapi1-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libhdb7-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", 
prefix:\"libkadm5clnt4-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkadm5srv7-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkafs0-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkrb5-17-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libotp0-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libroken9-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libsl0-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libss0-heimdal\", reference:\"0.4e-7.woody.5\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:05:14", "description": "A remotely exploitable stack-based buffer overflow has been found in\nthe Kerberos v4 compatibility administration daemon distributed with\nthe Red Hat Linux krb5 packages.\n\n[Updated 09 Jan 2003] Added fixed packages for the Itanium (IA64)\narchitecture.\n\nKerberos is a network authentication system.\n\nA stack-based buffer overflow has been found in the implementation of\nthe Kerberos v4 compatibility administration daemon (kadmind4), which\nis part of the MIT krb5 distribution. This vulnerability is present in\nversion 1.2.6 and earlier of the MIT krb5 distribution and can be\nexploited to gain unauthorized root access to a KDC host. 
The attacker\ndoes not need to authenticate to the daemon to successfully perform\nthis attack.\n\nkadmind4 is included in the Kerberos packages in Red Hat Linux\nAdvanced Server but is not enabled or used by default.\n\nAll users of Kerberos are advised to upgrade to these errata packages\nwhich contain a backported patch and are not vulnerable to this issue.", "edition": 27, "published": "2004-07-06T00:00:00", "title": "RHEL 2.1 : krb5 (RHSA-2002:250)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1235"], "modified": "2004-07-06T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:krb5-libs", "p-cpe:/a:redhat:enterprise_linux:krb5-devel", "p-cpe:/a:redhat:enterprise_linux:krb5-workstation", "p-cpe:/a:redhat:enterprise_linux:krb5-server"], "id": "REDHAT-RHSA-2002-250.NASL", "href": "https://www.tenable.com/plugins/nessus/12331", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2002:250. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(12331);\n script_version(\"1.29\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2002-1235\");\n script_xref(name:\"RHSA\", value:\"2002:250\");\n\n script_name(english:\"RHEL 2.1 : krb5 (RHSA-2002:250)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"A remotely exploitable stack-based buffer overflow has been found in\nthe Kerberos v4 compatibility administration daemon distributed with\nthe Red Hat Linux krb5 packages.\n\n[Updated 09 Jan 2003] Added fixed packages for the Itanium (IA64)\narchitecture.\n\nKerberos is a network authentication system.\n\nA stack-based buffer overflow has been found in the implementation of\nthe Kerberos v4 compatibility administration daemon (kadmind4), which\nis part of the MIT krb5 distribution. This vulnerability is present in\nversion 1.2.6 and earlier of the MIT krb5 distribution and can be\nexploited to gain unauthorized root access to a KDC host. 
The attacker\ndoes not need to authenticate to the daemon to successfully perform\nthis attack.\n\nkadmind4 is included in the Kerberos packages in Red Hat Linux\nAdvanced Server but is not enabled or used by default.\n\nAll users of Kerberos are advised to upgrade to these errata packages\nwhich contain a backported patch and are not vulnerable to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2002-1235\"\n );\n # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.nessus.org/u?282e0fc0\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2002:250\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/11/04\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/01/09\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. 
or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2002:250\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"krb5-devel-1.2.2-15\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"krb5-libs-1.2.2-15\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", 
cpu:\"i386\", reference:\"krb5-server-1.2.2-15\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"krb5-workstation-1.2.2-15\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"krb5-devel / krb5-libs / krb5-server / krb5-workstation\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:45:32", "description": "Tom Yu and Sam Hartman of MIT discovered another stack-based buffer\noverflow in the kadm_ser_wrap_in function in the Kerberos v4\nadministration server. This kadmind bug has a working exploit code\ncirculating, hence it is considered serious. The MIT krb5\nimplementation includes support for version 4, including a complete v4\nlibrary, server side support for krb4, and limited client support for\nv4.", "edition": 25, "published": "2004-09-29T00:00:00", "title": "Debian DSA-183-1 : krb5 - buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1235"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:krb5"], "id": "DEBIAN_DSA-183.NASL", "href": "https://www.tenable.com/plugins/nessus/15020", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-183. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15020);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2002-1235\");\n script_xref(name:\"CERT\", value:\"875073\");\n script_xref(name:\"DSA\", value:\"183\");\n\n script_name(english:\"Debian DSA-183-1 : krb5 - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tom Yu and Sam Hartman of MIT discovered another stack-based buffer\noverflow in the kadm_ser_wrap_in function in the Kerberos v4\nadministration server. This kadmind bug has a working exploit code\ncirculating, hence it is considered serious. The MIT krb5\nimplementation includes support for version 4, including a complete v4\nlibrary, server side support for krb4, and limited client support for\nv4.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2002/dsa-183\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the krb5 packages immediately.\n\nThis problem has been fixed in version 1.2.4-5woody3 for the current\nstable distribution (woody) and in version 1.2.6-2 for the unstable\ndistribution (sid). 
The old stable distribution (potato) is not\naffected since no krb5 packages are included.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:krb5\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/10/29\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/10/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"3.0\", prefix:\"krb5-admin-server\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"krb5-clients\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"krb5-doc\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"krb5-ftpd\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"krb5-kdc\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"krb5-rsh-server\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", 
prefix:\"krb5-telnetd\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"krb5-user\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkadm55\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkrb5-17-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkrb5-dev\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkrb53\", reference:\"1.2.4-5woody3\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"ssh-krb5\", reference:\"3.4p1-0woody1\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:45:32", "description": "Tom Yu and Sam Hartman of MIT discovered another stack-based buffer\noverflow in the kadm_ser_wrap_in function in the Kerberos v4\nadministration server. This kadmind bug has a working exploit code\ncirculating, hence it is considered serious.", "edition": 25, "published": "2004-09-29T00:00:00", "title": "Debian DSA-184-1 : krb4 - buffer overflow", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1235"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:krb4"], "id": "DEBIAN_DSA-184.NASL", "href": "https://www.tenable.com/plugins/nessus/15021", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-184. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15021);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2002-1235\");\n script_xref(name:\"CERT\", value:\"875073\");\n script_xref(name:\"DSA\", value:\"184\");\n\n script_name(english:\"Debian DSA-184-1 : krb4 - buffer overflow\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Tom Yu and Sam Hartman of MIT discovered another stack-based buffer\noverflow in the kadm_ser_wrap_in function in the Kerberos v4\nadministration server. This kadmind bug has a working exploit code\ncirculating, hence it is considered serious.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2002/dsa-184\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\n\"Upgrade the krb4 packages immediately.\n\nThis problem has been fixed in version 1.1-8-2.2 for the current\nstable distribution (woody), in version 1.0-2.2 for the old stable\ndistribution (potato) and in version 1.1-11-8 for the unstable\ndistribution (sid).\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:krb4\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/10/30\");\n 
script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/10/21\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"kerberos4kth-clients\", reference:\"1.0-2.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"kerberos4kth-dev\", reference:\"1.0-2.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"kerberos4kth-kdc\", reference:\"1.0-2.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"kerberos4kth-services\", reference:\"1.0-2.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"kerberos4kth-user\", reference:\"1.0-2.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"kerberos4kth-x11\", reference:\"1.0-2.2\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"kerberos4kth1\", reference:\"1.0-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-clients\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-clients-x\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-dev\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-dev-common\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", 
prefix:\"kerberos4kth-docs\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-kdc\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-kip\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-servers\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-servers-x\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-services\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-user\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth-x11\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"kerberos4kth1\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libacl1-kerberos4kth\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkadm1-kerberos4kth\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkdb-1-kerberos4kth\", reference:\"1.1-8-2.2\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkrb-1-kerberos4kth\", reference:\"1.1-8-2.2\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-17T13:05:15", "description": "Updated packages fix a vulnerability found in the Kerberos FTP client\ndistributed with the Red Hat Linux Advanced Server krb5 packages.\n\n[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation\n2.1. For Advanced Workstation 2.1 these packages also fix\nCVE-2002-1235 as described in RHSA-2002:250\n\nKerberos is a network authentication system.\n\nA problem has been found in the Kerberos FTP client. 
When retrieving a\nfile with a name beginning with a pipe character, the FTP client will\npass the file name to the command shell in a system() call. This could\nallow a malicious FTP server to write to files outside of the current\ndirectory or execute commands as the user running the FTP client.\n\nThe Kerberos FTP client runs as the default FTP client when the\nKerberos package krb5-workstation is installed on a Red Hat Linux\nAdvanced Server distribution.\n\nAll users of Kerberos are advised to upgrade to these errata packages\nwhich contain a backported patch and are not vulnerable to this issue.", "edition": 27, "published": "2004-07-06T00:00:00", "title": "RHEL 2.1 : krb5 (RHSA-2003:021)", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2003-0041", "CVE-2002-1235"], "modified": "2004-07-06T00:00:00", "cpe": ["cpe:/o:redhat:enterprise_linux:2.1", "p-cpe:/a:redhat:enterprise_linux:krb5-libs", "p-cpe:/a:redhat:enterprise_linux:krb5-devel", "p-cpe:/a:redhat:enterprise_linux:krb5-workstation", "p-cpe:/a:redhat:enterprise_linux:krb5-server"], "id": "REDHAT-RHSA-2003-021.NASL", "href": "https://www.tenable.com/plugins/nessus/12353", "sourceData": "#%NASL_MIN_LEVEL 70300\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Red Hat Security Advisory RHSA-2003:021. 
The text \n# itself is copyright (C) Red Hat, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(12353);\n script_version(\"1.24\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/14\");\n\n script_cve_id(\"CVE-2003-0041\");\n script_xref(name:\"CERT\", value:\"258721\");\n script_xref(name:\"RHSA\", value:\"2003:021\");\n\n script_name(english:\"RHEL 2.1 : krb5 (RHSA-2003:021)\");\n script_summary(english:\"Checks the rpm output for the updated packages\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Red Hat host is missing one or more security updates.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"Updated packages fix a vulnerability found in the Kerberos FTP client\ndistributed with the Red Hat Linux Advanced Server krb5 packages.\n\n[Updated 06 Feb 2003] Added fixed packages for Advanced Workstation\n2.1. For Advanced Workstation 2.1 these packages also fix\nCVE-2002-1235 as described in RHSA-2002:250\n\nKerberos is a network authentication system.\n\nA problem has been found in the Kerberos FTP client. When retrieving a\nfile with a name beginning with a pipe character, the FTP client will\npass the file name to the command shell in a system() call. 
This could\nallow a malicious FTP server to write to files outside of the current\ndirectory or execute commands as the user running the FTP client.\n\nThe Kerberos FTP client runs as the default FTP client when the\nKerberos package krb5-workstation is installed on a Red Hat Linux\nAdvanced Server distribution.\n\nAll users of Kerberos are advised to upgrade to these errata packages\nwhich contain a backported patch and are not vulnerable to this issue.\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/security/cve/cve-2003-0041\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719482\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=87602746719482\"\n );\n # http://marc.theaimsgroup.com/?l=bugtraq&m=87602746719527\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://marc.info/?l=bugtraq&m=87602746719527\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"https://access.redhat.com/errata/RHSA-2003:021\"\n );\n script_set_attribute(attribute:\"solution\", value:\"Update the affected packages.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-devel\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-libs\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-server\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:redhat:enterprise_linux:krb5-workstation\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:redhat:enterprise_linux:2.1\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2003/02/19\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2003/02/05\");\n script_set_attribute(attribute:\"plugin_publication_date\", 
value:\"2004/07/06\");\n script_set_attribute(attribute:\"generated_plugin\", value:\"current\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n script_family(english:\"Red Hat Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/RedHat/release\", \"Host/RedHat/rpm-list\", \"Host/cpu\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"global_settings.inc\");\ninclude(\"misc_func.inc\");\ninclude(\"rpm.inc\");\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nrelease = get_kb_item(\"Host/RedHat/release\");\nif (isnull(release) || \"Red Hat\" >!< release) audit(AUDIT_OS_NOT, \"Red Hat\");\nos_ver = pregmatch(pattern: \"Red Hat Enterprise Linux.*release ([0-9]+(\\.[0-9]+)?)\", string:release);\nif (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, \"Red Hat\");\nos_ver = os_ver[1];\nif (! 
preg(pattern:\"^2\\.1([^0-9]|$)\", string:os_ver)) audit(AUDIT_OS_NOT, \"Red Hat 2.1\", \"Red Hat \" + os_ver);\n\nif (!get_kb_item(\"Host/RedHat/rpm-list\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\ncpu = get_kb_item(\"Host/cpu\");\nif (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);\nif (\"x86_64\" >!< cpu && cpu !~ \"^i[3-6]86$\" && \"s390\" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, \"Red Hat\", cpu);\nif (cpu !~ \"^i[3-6]86$\") audit(AUDIT_ARCH_NOT, \"i386\", cpu);\n\nyum_updateinfo = get_kb_item(\"Host/RedHat/yum-updateinfo\");\nif (!empty_or_null(yum_updateinfo)) \n{\n rhsa = \"RHSA-2003:021\";\n yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);\n if (!empty_or_null(yum_report))\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : yum_report \n );\n exit(0);\n }\n else\n {\n audit_message = \"affected by Red Hat security advisory \" + rhsa;\n audit(AUDIT_OS_NOT, audit_message);\n }\n}\nelse\n{\n flag = 0;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"krb5-devel-1.2.2-16\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"krb5-libs-1.2.2-16\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"krb5-server-1.2.2-16\")) flag++;\n if (rpm_check(release:\"RHEL2.1\", cpu:\"i386\", reference:\"krb5-workstation-1.2.2-16\")) flag++;\n\n if (flag)\n {\n security_report_v4(\n port : 0,\n severity : SECURITY_HOLE,\n extra : rpm_report_get() + redhat_report_package_caveat()\n );\n exit(0);\n }\n else\n {\n tested = pkg_tests_get();\n if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);\n else audit(AUDIT_PACKAGE_NOT_INSTALLED, \"krb5-devel / krb5-libs / krb5-server / krb5-workstation\");\n }\n}\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}, {"lastseen": "2021-01-06T09:45:21", "description": "The SuSE Security Team has reviewed critical parts of the Heimdal\npackage such as the kadmind and kdc server. 
While doing so several\npotential buffer overflows and other bugs have been uncovered and\nfixed. Remote attackers can probably gain remote root access on\nsystems without fixes. Since these services usually run on\nauthentication servers these bugs are considered very serious.\n\nThese problems have been fixed in version 0.4e-7.woody.4 for the\ncurrent stable distribution (woody), in version 0.2l-7.4 for the old\nstable distribution (potato) and version 0.4e-21 for the unstable\ndistribution (sid).", "edition": 25, "published": "2004-09-29T00:00:00", "title": "Debian DSA-178-1 : heimdal - remote command execution", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2002-1225", "CVE-2002-1226", "CVE-2002-1235"], "modified": "2004-09-29T00:00:00", "cpe": ["cpe:/o:debian:debian_linux:2.2", "cpe:/o:debian:debian_linux:3.0", "p-cpe:/a:debian:debian_linux:heimdal"], "id": "DEBIAN_DSA-178.NASL", "href": "https://www.tenable.com/plugins/nessus/15015", "sourceData": "#%NASL_MIN_LEVEL 70300\n\n#\n# (C) Tenable Network Security, Inc.\n#\n# The descriptive text and package checks in this plugin were \n# extracted from Debian Security Advisory DSA-178. 
The text \n# itself is copyright (C) Software in the Public Interest, Inc.\n#\n\ninclude('deprecated_nasl_level.inc');\ninclude('compat.inc');\n\nif (description)\n{\n script_id(15015);\n script_version(\"1.22\");\n script_set_attribute(attribute:\"plugin_modification_date\", value:\"2021/01/04\");\n\n script_cve_id(\"CVE-2002-1225\", \"CVE-2002-1226\", \"CVE-2002-1235\");\n script_xref(name:\"CERT\", value:\"875073\");\n script_xref(name:\"DSA\", value:\"178\");\n\n script_name(english:\"Debian DSA-178-1 : heimdal - remote command execution\");\n script_summary(english:\"Checks dpkg output for the updated package\");\n\n script_set_attribute(\n attribute:\"synopsis\", \n value:\"The remote Debian host is missing a security-related update.\"\n );\n script_set_attribute(\n attribute:\"description\", \n value:\n\"The SuSE Security Team has reviewed critical parts of the Heimdal\npackage such as the kadmind and kdc server. While doing so several\npotential buffer overflows and other bugs have been uncovered and\nfixed. Remote attackers can probably gain remote root access on\nsystems without fixes. 
Since these services usually run on\nauthentication servers these bugs are considered very serious.\n\nThese problems have been fixed in version 0.4e-7.woody.4 for the\ncurrent stable distribution (woody), in version 0.2l-7.4 for the old\nstable distribution (potato) and version 0.4e-21 for the unstable\ndistribution (sid).\"\n );\n script_set_attribute(\n attribute:\"see_also\",\n value:\"http://www.debian.org/security/2002/dsa-178\"\n );\n script_set_attribute(\n attribute:\"solution\", \n value:\"Upgrade the Heimdal packages immediately.\"\n );\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"p-cpe:/a:debian:debian_linux:heimdal\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:2.2\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:debian:debian_linux:3.0\");\n\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2002/10/17\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2004/09/29\");\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2002/09/11\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_copyright(english:\"This script is Copyright (C) 2004-2021 Tenable Network Security, Inc.\");\n script_family(english:\"Debian Local Security Checks\");\n\n script_dependencies(\"ssh_get_info.nasl\");\n script_require_keys(\"Host/local_checks_enabled\", \"Host/Debian/release\", \"Host/Debian/dpkg-l\");\n\n exit(0);\n}\n\n\ninclude(\"audit.inc\");\ninclude(\"debian_package.inc\");\n\n\nif (!get_kb_item(\"Host/local_checks_enabled\")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);\nif (!get_kb_item(\"Host/Debian/release\")) audit(AUDIT_OS_NOT, \"Debian\");\nif (!get_kb_item(\"Host/Debian/dpkg-l\")) audit(AUDIT_PACKAGE_LIST_MISSING);\n\n\nflag = 0;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-clients\", 
reference:\"0.2l-7.4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-clients-x\", reference:\"0.2l-7.4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-dev\", reference:\"0.2l-7.4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-docs\", reference:\"0.2l-7.4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-kdc\", reference:\"0.2l-7.4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-lib\", reference:\"0.2l-7.4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-servers\", reference:\"0.2l-7.4\")) flag++;\nif (deb_check(release:\"2.2\", prefix:\"heimdal-servers-x\", reference:\"0.2l-7.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-clients\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-clients-x\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-dev\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-docs\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-kdc\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-lib\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-servers\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"heimdal-servers-x\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libasn1-5-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libcomerr1-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libgssapi1-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libhdb7-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkadm5clnt4-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", 
prefix:\"libkadm5srv7-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkafs0-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libkrb5-17-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libotp0-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libroken9-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libsl0-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\nif (deb_check(release:\"3.0\", prefix:\"libss0-heimdal\", reference:\"0.4e-7.woody.4\")) flag++;\n\nif (flag)\n{\n if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());\n else security_hole(0);\n exit(0);\n}\nelse audit(AUDIT_HOST_NOT, \"affected\");\n", "cvss": {"score": 10.0, "vector": "AV:N/AC:L/Au:N/C:C/I:C/A:C"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:06", "bulletinFamily": "software", "cvelist": ["CVE-2002-1235"], "description": "\r\n\r\n-----BEGIN PGP SIGNED MESSAGE-----\r\n\r\nCERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon\r\n\r\n Original issue date: October 25, 2002\r\n Last revised: --\r\n Source: CERT/CC\r\n\r\n A complete revision history is at the end of this file.\r\n\r\n\r\nSystems Affected\r\n\r\n * MIT Kerberos version 4 and version 5 up to and including\r\n krb5-1.2.6\r\n * KTH eBones prior to version 1.2.1 and KTH Heimdal prior to version\r\n 0.5.1\r\n * Other Kerberos implementations derived from vulnerable MIT or KTH\r\n code\r\n\r\n\r\nOverview\r\n\r\n Multiple Kerberos distributions contain a remotely exploitable buffer\r\n overflow in the Kerberos administration daemon. A remote attacker\r\n could exploit this vulnerability to gain root privileges on a\r\n vulnerable system.\r\n\r\n The CERT/CC has received reports that indicate that this vulnerability\r\n is being exploited. 
In addition, MIT advisory MITKRB5-SA-2002-002\r\n notes that an exploit is circulating.\r\n\r\n We strongly encourage sites that use vulnerable Kerberos distributions\r\n to verify the integrity of their systems and apply patches or upgrade\r\n as appropriate.\r\n\r\n\r\nI. Description\r\n\r\n Kerberos is a widely used network protocol that uses strong\r\n cryptography to authenticate clients and servers. The Kerberos\r\n administration daemon (typically called kadmind) handles password\r\n change and other requests to modify the Kerberos database. The daemon\r\n runs on the master Key Distribution Center (KDC) server of a Kerberos\r\n realm.\r\n\r\n The code that provides legacy support for the Kerberos 4\r\n administration protocol contains a remotely exploitable buffer\r\n overflow. The vulnerable code does not adequately validate data read\r\n from a network request. This data is subsequently used as an argument\r\n to a memcpy() call, which can overflow a buffer allocated on the\r\n stack. An attacker does not have to authenticate in order to exploit\r\n this vulnerability, and the Kerberos administration daemon runs with\r\n root privileges.\r\n\r\n Both Massachusetts Institute of Technology (MIT) and Kungl Tekniska\r\n H\u00f6gskolan (KTH) Kerberos are affected, as well as operating systems,\r\n applications, and other Kerberos implementations that use vulnerable\r\n code derived from either the MIT or KTH distributions. In MIT Kerberos\r\n 5, the Kerberos 4 administration daemon is implemented in kadmind4. In\r\n KTH Kerberos 4 (eBones), the Kerberos administration daemon is\r\n implemented in kadmind. KTH Kerberos 5 (Heimdal) also implements the\r\n daemon in kadmind; however, the Heimdal daemon is only affected if\r\n compiled with Kerberos 4 support. 
Since the vulnerable Kerberos\r\n administration daemon is included in the MIT Kerberos 5 and KTH\r\n Heimdal distributions, both Kerberos 4 sites and Kerberos 5 sites that\r\n enable support for the Kerberos 4 administration protocol are\r\n affected.\r\n\r\n Further information about this vulnerability may be found in\r\n VU#875073.\r\n\r\n MIT has released an advisory that contains information about this\r\n vulnerability:\r\n\r\n http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm\r\n 4.txt\r\n\r\n The KTH eBones and Heimdal web sites also contain information about\r\n this vulnerability:\r\n\r\n KTH eBones\r\n http://www.pdc.kth.se/kth-krb/\r\n\r\n KTH Heimdal\r\n http://www.pdc.kth.se/kth-krb/\r\n\r\n In addition to resolving the vulnerability described in VU#875073,\r\n version 0.51 of KTH Heimdal contains other fixes related to the KDC.\r\n See the ChangeLog for more information:\r\n\r\n ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.5-0.5.1.diff.gz\r\n\r\n This vulnerability has been assigned CAN-2002-1235 by the Common\r\n Vulnerabilities and Exposures (CVE) group.\r\n\r\n\r\nII. Impact\r\n\r\n An unauthenticated, remote attacker could execute arbitrary code with\r\n root privileges. If an attacker is able to gain control of a master\r\n KDC, the integrity of the entire Kerberos realm is compromised,\r\n including user and host identities and other systems that accept\r\n Kerberos authentication.\r\n\r\n\r\nIII. Solution\r\n\r\nApply a patch or upgrade\r\n\r\n Apply the appropriate patch or upgrade as specified by your vendor.\r\n See Appendix A below and the Systems Affected section of VU#875073 for\r\n specific information.\r\n\r\nDisable vulnerable service\r\n\r\n Disable support for the Kerberos 4 administration protocol if it is\r\n not needed. In MIT Kerberos 5, this can be achieved by disabling\r\n kadmind4. 
For information about disabling all Kerberos 4 support in\r\n MIT Kerberos 5 at compile time, see\r\n\r\n http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.htm\r\n l#SEC24\r\n\r\n In KTH Heimdal, it is necessary to recompile kadmind in order to\r\n disable support for the Kerberos 4 administration protocol. For\r\n information about disabling all Kerberos 4 support in KTH Heimdal at\r\n compile time, see\r\n\r\n http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Install\r\n ing\r\n\r\n This solution will prevent Kerberos 4 administrative clients from\r\n accessing the Kerberos database. It will also prevent users with\r\n Kerberos 4 clients from changing their passwords. In general, the\r\n CERT/CC recommends disabling any service that is not explicitly\r\n required.\r\n\r\nBlock or restrict access\r\n\r\n Block access to the Kerberos administration service from untrusted\r\n networks such as the Internet. Furthermore, only allow access to the\r\n service from trusted administrative hosts. By default, the Kerberos 4\r\n administration daemon listens on 751/tcp and 751/udp, and the Kerberos\r\n 5 administration daemon listens on 749/tcp and 749/udp. It may be\r\n necessary to block access to the Kerberos 5 administration service if\r\n the daemon also supports the Kerberos 4 administration protocol. This\r\n workaround will prevent administrative connections and password change\r\n requests from blocked networks. Note that this workaround will not\r\n prevent exploitation, but it will limit the possible sources of\r\n attacks.\r\n\r\n\r\nAppendix A. Vendor Information\r\n\r\n This appendix contains information provided by vendors. When vendors\r\n report new information, this section is updated and the changes are\r\n noted in the revision history. 
If a vendor is not listed below, we\r\n have not received their comments.\r\n\r\nApple Computer, Inc.\r\n\r\n The Kerberos Administration Daemon was included in Mac OS X 10.0,\r\n but removed in Mac OS X 10.1 and later.\r\n We encourage sites that use vulnerable Kerberos distributions to\r\n verify the integrity of their systems and apply patches or upgrade\r\n as appropriate.\r\n\r\nConectiva\r\n\r\n Our MIT Kerberos 5 packages in Conectiva Linux 8 do contain the\r\n vulnerable kadmind4 daemon, but it is not used by default nor is it\r\n installed as a service. Sites that have enabled kadmind4 themselves\r\n are exposed and should install the update.\r\n\r\n Updated packages are being uploaded to our ftp server and should be\r\n available in a few hours at:\r\n\r\n ftp://atualizacoes.conectiva.com.br/8/\r\n\r\n The krb5-server-1.2.3-3U8_3cl.i386.rpm package contains a patched\r\n kadmind4 daemon. An announcement will be sent to our security\r\n mailing list a few hours after the upload is complete.\r\n\r\nDebian\r\n\r\n Debian has released DSA-178:\r\n\r\n http://www.debian.org/security/2002/dsa-178\r\n\r\n The Debian krb4 packages (the subject of this check) are addressed\r\n separately by DSA 184-1; DSA-178 alone does not update them.\r\n\r\nFreeBSD\r\n\r\n Both the FreeBSD base Kerberos 4 (kadmind) and Kerberos 5 (k5admind\r\n v4 compatibility) daemons were vulnerable and have been corrected\r\n as of 23 October 2002. In addition, the heimdal and krb5 ports\r\n contained the same vulnerability and have been corrected as of 24\r\n October 2002. 
A Security Advisory is in progress.\r\n\r\nKTH Kerberos\r\n\r\n The eBones and Heimdal web sites have information about this\r\n vulnerability:\r\n\r\n KTH eBones\r\n http://www.pdc.kth.se/kth-krb/\r\n \r\n KTH Heimdal\r\n http://www.pdc.kth.se/heimdal/\r\n\r\nMicrosoft Corporation\r\n\r\n Microsoft's implementation of Kerberos is not affected by this\r\n vulnerability.\r\n\r\nMIT Kerberos\r\n\r\n MIT has released MIT krb5 Security Advisory 2002-002:\r\n\r\n http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt\r\n\r\nNetBSD\r\n\r\n NetBSD has released NetBSD-SA2002-026:\r\n\r\n ftp://ftp.NetBSD.org/pub/NetBSD/security/advisories/NetBSD-SA2002-026.txt.asc\r\n\r\nOpenBSD\r\n\r\n OpenBSD has released Security Fix 016 for OpenBSD 3.1 and Security\r\n Fix 033 for OpenBSD 3.0.\r\n\r\n OpenBSD 3.1\r\n http://www.openbsd.org/errata31.html#kadmin\r\n\r\n OpenBSD 3.0\r\n http://www.openbsd.org/errata30.html#kadmin\r\n\r\nOpenwall\r\n\r\n Openwall GNU/*/Linux is not vulnerable. We don't provide Kerberos.\r\n\r\nSuSE\r\n\r\n SuSE Linux 7.2 and later are shipped with Heimdal Kerberos\r\n included, but Kerberos 4 support is disabled in all releases.\r\n Therefore, SuSE Linux and SuSE Enterprise Linux are not affected by\r\n this bug. [See also: SuSE-SA:2002:034] This statement covers the\r\n distribution packages only; a Heimdal built locally with Kerberos 4\r\n administration support enabled is affected as described above.\r\n\r\nWind River Systems (BSDI)\r\n\r\n No version of BSD/OS is vulnerable to this problem.\r\n\r\n\r\nAppendix B. References\r\n\r\n * http://web.mit.edu/kerberos/www/\r\n * http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2002-002-kadm4.txt\r\n * http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.6/doc/install.html#SEC24\r\n * http://www.pdc.kth.se/kth-krb/\r\n * http://www.pdc.kth.se/heimdal/\r\n * http://www.pdc.kth.se/heimdal/heimdal.html#Building%20and%20Installing\r\n\r\n _________________________________________________________________\r\n\r\n Authors: Art Manion and Jason A. 
Rafail.\r\n ______________________________________________________________________\r\n\r\n This document is available from:\r\n http://www.cert.org/advisories/CA-2002-29.html\r\n ______________________________________________________________________\r\n\r\n\r\nCERT/CC Contact Information\r\n\r\n Email: cert@cert.org\r\n Phone: +1 412-268-7090 (24-hour hotline)\r\n Fax: +1 412-268-6989\r\n Postal address:\r\n CERT Coordination Center\r\n Software Engineering Institute\r\n Carnegie Mellon University\r\n Pittsburgh PA 15213-3890\r\n U.S.A.\r\n\r\n CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /\r\n EDT(GMT-4) Monday through Friday; they are on call for emergencies\r\n during other hours, on U.S. holidays, and on weekends.\r\n\r\nUsing encryption\r\n\r\n We strongly urge you to encrypt sensitive information sent by email.\r\n Our public PGP key is available from\r\n http://www.cert.org/CERT_PGP.key\r\n\r\n If you prefer to use DES, please call the CERT hotline for more\r\n information.\r\n\r\nGetting security information\r\n\r\n CERT publications and other security information are available from\r\n our web site\r\n http://www.cert.org/\r\n\r\n To subscribe to the CERT mailing list for advisories and bulletins,\r\n send email to majordomo@cert.org. Please include in the body of your\r\n message\r\n\r\n subscribe cert-advisory\r\n\r\n * "CERT" and "CERT Coordination Center" are registered in the U.S.\r\n Patent and Trademark Office.\r\n ______________________________________________________________________\r\n\r\n NO WARRANTY\r\n Any material furnished by Carnegie Mellon University and the Software\r\n Engineering Institute is furnished on an "as is" basis. Carnegie\r\n Mellon University makes no warranties of any kind, either expressed or\r\n implied as to any matter including, but not limited to, warranty of\r\n fitness for a particular purpose or merchantability, exclusivity or\r\n results obtained from use of the material. 
Carnegie Mellon University\r\n does not make any warranty of any kind with respect to freedom from\r\n patent, trademark, or copyright infringement.\r\n _________________________________________________________________\r\n\r\n Conditions for use, disclaimers, and sponsorship information\r\n\r\n Copyright 2002 Carnegie Mellon University.\r\n\r\n Revision History\r\n\r\n October 25, 2002: Initial release\r\n\r\n\r\n-----BEGIN PGP SIGNATURE-----\r\nVersion: PGP 6.5.8\r\n\r\niQCVAwUBPbluwGjtSoHZUTs5AQFRbgQApOEHrz7fSu37W8quhTH34fn4E3Jq/Aih\r\nfTTy4b+hVwLujxlws+5lgug9vBd/QVrZEPT+g7xqBNtpsG+XBlAvUDIZJytKz6vN\r\nrTZbMEyKc6PK92n4OJ1iRgG7WaZibEXaeScZSclEgY8yAkQmoVZUzvwzgZaFXXfQ\r\nihRKZyB9lbc=\r\n=/bkR\r\n-----END PGP SIGNATURE-----", "edition": 1, "modified": "2002-10-26T00:00:00", "published": "2002-10-26T00:00:00", "id": "SECURITYVULNS:DOC:3686", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:3686", "title": "CERT Advisory CA-2002-29 Buffer Overflow in Kerberos Administration Daemon", "type": "securityvulns", "cvss": {"score": 10.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}}]}