CVSS: 9.0EPSS: 0%CPEs: 1EXPL: 0CVE-2007-5972
https://notcve.org/view.php?id=CVE-2007-5972
Double free vulnerability in the krb5_def_store_mkey function in lib/kdb/kdb_default.c in MIT Kerberos 5 (krb5) 1.5 has unknown impact and remote authenticated attack vectors. NOTE: the free operations occur in code that stores the krb5kdc master key, and so the attacker must have privileges to store this key. Una vulnerabilidad de doble liberación en la función krb5_def_store_mkey en la biblioteca lib/kdb/kdb_default.c en MIT Kerberos 5 (krb5) versión 1.5 presenta un impacto desconocido y vectores de ataque autenticados remotos. NOTA: las operaciones de liberación se producen en el código que almacena la clave maestra krb5kdc, por lo que el atacante requiere privilegios para almacenar esta clave. • http://bugs.gentoo.org/show_bug.cgi?id=199211 http://osvdb.org/44747 http://seclists.org/fulldisclosure/2007/Dec/0176.html http://seclists.org/fulldisclosure/2007/Dec/0321.html http://secunia.com/advisories/28636 http://secunia.com/advisories/39290 http://secunia.com/advisories/39784 http://ubuntu.com/usn/usn-924-1 http://www.novell.com/linux/security/advisories/suse_security_summary_report.html http://www.securityfocus.com/bid/26750 http://www.ubuntu.com/usn/USN& • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 52%CPEs: 12EXPL: 0CVE-2007-4743 – krb5 incomplete fix for CVE-2007-3999
https://notcve.org/view.php?id=CVE-2007-4743
The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack. El parche original para la CVE-2007-3999 en el svc_auth_gss.c de la librería RPCSEC_GSS RPC en el MIT Kerberos 5 (krb5) 1.4 hasta el 1.6.2, como el utilizado en el demonio de administración del Kerberos (kadmind) y otras aplicaciones que utlizan el krb5, no verifica correctamente la longitud del búfer en algunos entornos y arquitecturas, lo que puede permitir a atacantes remotos llevar a cabo un ataque de desbordamiento de búfer. • http://article.gmane.org/gmane.comp.encryption.kerberos.announce/86 http://docs.info.apple.com/article.html?artnum=307041 http://lists.apple.com/archives/security-announce/2007/Nov/msg00002.html http://secunia.com/advisories/26699 http://secunia.com/advisories/26987 http://secunia.com/advisories/27643 http://www.debian.org/security/2007/dsa-1387 http://www.novell.com/linux/security/advisories/2007_19_sr.html http://www.redhat.com/support/errata/RHSA-2007-0892.html http:// • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 8.5EPSS: 31%CPEs: 2EXPL: 0CVE-2007-4000 – krb5 kadmind uninitialized pointer
https://notcve.org/view.php?id=CVE-2007-4000
The kadm5_modify_policy_internal function in lib/kadm5/srv/svr_policy.c in the Kerberos administration daemon (kadmind) in MIT Kerberos 5 (krb5) 1.5 through 1.6.2 does not properly check return values when the policy does not exist, which might allow remote authenticated users with the "modify policy" privilege to execute arbitrary code via unspecified vectors that trigger a write to an uninitialized pointer. La función kadm5_modify_policy_internal en lib/kadm5/srv/svr_policy.c del demonio de administración de Kerberos (kadmind) en MIT Kerberos 5 (krb5) 1.5 hasta 1.6.2 no comprueba adecuadamente los valores de retorno cuando no existe política, lo cual podría permitir a usuarios autenticados remotos con el privilegio de "modificar política" ejecutar código de su elección mediante vectores no especificados que provocan una escritura en un puntero no inicializado. • http://secunia.com/advisories/26676 http://secunia.com/advisories/26680 http://secunia.com/advisories/26700 http://secunia.com/advisories/26728 http://secunia.com/advisories/26783 http://secunia.com/advisories/26987 http://securityreason.com/securityalert/3092 http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt http://www.gentoo.org/security/en/glsa/glsa-200709-01.xml http://www.kb.cert.org/vuls/id/377544 http://www.mandriva.com/security/advisories?name=MDKSA&# • CWE-824: Access of Uninitialized Pointer •
CVSS: 10.0EPSS: 96%CPEs: 12EXPL: 0CVE-2007-3999 – Multiple Kerberos Implementations Authentication Context Stack Overflow Vulnerability
https://notcve.org/view.php?id=CVE-2007-3999
Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message. Un desbordamiento de búfer en la región stack de la memoria en la función svcauth_gss_validate en el archivo lib/rpc/svc_auth_gss.c en la biblioteca RPCSEC_GSS RPC (librpcsecgss) en MIT Kerberos 5 (krb5) versiones 1.4 hasta 1.6.2, como es usado por demonio de administración de Kerberos (kadmind) y algunas aplicaciones de terceros que usan krb5 permiten a atacantes remotos causar una denegación de servicio (bloqueo del demonio) y probablemente ejecutar código arbitrario por medio de una cadena larga en un mensaje RPC. This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of MIT Kerberos. Authentication is not required to exploit this vulnerability. The specific flaw exists in the svcauth_gss_validate() function. By sending a large authentication context over RPC, a stack based buffer overflow occurs, resulting in a situation allowing for remote code execution. The vulnerable line of the function is: memcpy((caddr_t)buf, oa->oa_base, oa->oa_length); If 128 < oa->oa_length < 400, the exploitable situation occurs. • http://docs.info.apple.com/article.html?artnum=307041 http://lists.apple.com/archives/security-announce/2007/Nov/msg00002.html http://lists.rpath.com/pipermail/security-announce/2007-September/000237.html http://secunia.com/advisories/26676 http://secunia.com/advisories/26680 http://secunia.com/advisories/26684 http://secunia.com/advisories/26691 http://secunia.com/advisories/26697 http://secunia.com/advisories/26699 http://secunia.com/advisories/26700 http://secunia.com/advisories&#x • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer •
CVSS: 10.0EPSS: 96%CPEs: 6EXPL: 0CVE-2007-2442 – krb5 RPC library unitialized pointer free
https://notcve.org/view.php?id=CVE-2007-2442
The gssrpc__svcauth_gssapi function in the RPC library in MIT Kerberos 5 (krb5) 1.6.1 and earlier might allow remote attackers to execute arbitrary code via a zero-length RPC credential, which causes kadmind to free an uninitialized pointer during cleanup. La función gssrpc__svcauth_gssapi en la librería RPC de MIT Kerberos 5 (krb5) 1.6.1 y anteriores podría permitir a atacantes remotos ejecutar código de su elección mediante credenciales RPC de longitud cero, lo cual provoca que kadmind libere un puntero no inicializado durante la limpieza. • ftp://patches.sgi.com/support/free/security/advisories/20070602-01-P.asc http://docs.info.apple.com/article.html?artnum=306172 http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c02257427 http://lists.apple.com/archives/security-announce//2007/Jul/msg00004.html http://lists.grok.org.uk/pipermail/full-disclosure/2007-September/065902.html http://osvdb.org/36596 http://secunia.com/advisories/25800 http://secunia.com/advisories/25801 http://secunia.com/advisories/258 • CWE-824: Access of Uninitialized Pointer •