CVE-2007-3999

Multiple Kerberos Implementations Authentication Context Stack Overflow Vulnerability

Severity Score: 10.0 (CVSS v2)
Public Exploits: 0 (multiple sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)

Descriptions

Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of MIT Kerberos. Authentication is not required to exploit this vulnerability.
The specific flaw exists in the svcauth_gss_validate() function. Sending a large authentication context over RPC triggers a stack-based buffer overflow, which allows remote code execution.
The vulnerable line of the function is:

    memcpy((caddr_t)buf, oa->oa_base, oa->oa_length);

If 128 < oa->oa_length < 400, the exploitable situation occurs. A length over 400 bytes is caught by a separate check for MAX_AUTH_SIZE earlier in the RPC packet decoding process.
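
The missing bounds check described above, written as an added example (not code from MIT krb5 or from the advisory). The struct, function names, the 128-byte buffer size (taken from the lower bound quoted above) and the `used` offset are assumptions made for illustration; the example generalizes slightly by checking the space remaining after any bytes already written to the buffer.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HDR_BUF_SIZE  128u  /* assumed: stack buffer size implied by the page's lower bound */
#define MAX_AUTH_SIZE 400u  /* limit named on the page, enforced by the earlier decode step */

/* Stand-in for the two opaque_auth fields the vulnerable line uses (hypothetical type). */
struct auth_blob {
    const unsigned char *oa_base;
    unsigned int oa_length;
};

enum copy_status { COPY_OK, REJECT_DECODE, REJECT_NO_ROOM };

/* Copy the credential only if it fits in what is left of buf.
 * used = bytes already written to buf before the credential (assumption). */
static enum copy_status
copy_auth_checked(unsigned char *buf, size_t buf_size, size_t used,
                  const struct auth_blob *oa)
{
    if (oa->oa_length > MAX_AUTH_SIZE)       /* the check that already existed */
        return REJECT_DECODE;
    if (used > buf_size || oa->oa_length > buf_size - used)
        return REJECT_NO_ROOM;               /* the check the memcpy lacked */
    memcpy(buf + used, oa->oa_base, oa->oa_length);
    return COPY_OK;
}

/* Run one length against a 128-byte buffer; the input is constructed, all zero bytes. */
static enum copy_status try_length(unsigned int len, size_t used)
{
    static const unsigned char sample[512];
    unsigned char buf[HDR_BUF_SIZE];
    struct auth_blob oa = { sample, len };
    return copy_auth_checked(buf, sizeof buf, used, &oa);
}

int main(void)
{
    const unsigned int lens[] = { 100, 128, 129, 399, 401 };
    static const char *names[] = { "copied", "rejected by decode limit",
                                   "rejected: exceeds buffer" };
    for (size_t i = 0; i < sizeof lens / sizeof lens[0]; i++)
        printf("oa_length=%u -> %s\n", lens[i], names[try_length(lens[i], 0)]);
    return 0;
}
```

Lengths in the window between the buffer size and MAX_AUTH_SIZE are the ones the earlier decode check lets through, so the second test is the one that closes the gap.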

*Credits: Tenable Network Security
CVSS Scores
Attack Vector: Network
Attack Complexity: Low
Authentication: None
Confidentiality: Complete
Integrity: Complete
Availability: Complete
* Common Vulnerability Scoring System
Timeline
  • 2007-07-25 CVE Reserved
  • 2007-09-05 CVE Published
  • 2024-08-07 CVE Updated
  • 2024-08-16 EPSS Updated
CWE
  • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer
References (63)
URL Tag Source
http://docs.info.apple.com/article.html?artnum=307041 X_refsource_confirm
http://lists.rpath.com/pipermail/security-announce/2007-September/000237.html Mailing List
http://secunia.com/advisories/27756 Third Party Advisory
http://secunia.com/advisories/29247 Third Party Advisory
http://secunia.com/advisories/29270 Third Party Advisory
http://securityreason.com/securityalert/3092 Third Party Advisory
http://support.avaya.com/elmodocs2/security/ASA-2007-396.htm X_refsource_confirm
http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2007-006.txt X_refsource_confirm
http://www.kb.cert.org/vuls/id/883632 Third Party Advisory
http://www.securityfocus.com/archive/1/478748/100/0/threaded Mailing List
http://www.securityfocus.com/archive/1/479251/100/0/threaded Mailing List
http://www.securityfocus.com/bid/25534 Vdb Entry
http://www.securityfocus.com/bid/26444 Vdb Entry
http://www.securitytracker.com/id?1018647 Vdb Entry
http://www.us-cert.gov/cas/techalerts/TA07-319A.html Third Party Advisory
http://www.vupen.com/english/advisories/2007/3051 Vdb Entry
http://www.vupen.com/english/advisories/2007/3052 Vdb Entry
http://www.vupen.com/english/advisories/2007/3060 Vdb Entry
http://www.vupen.com/english/advisories/2007/3868 Vdb Entry
http://www.vupen.com/english/advisories/2008/0803/references Vdb Entry
http://www.zerodayinitiative.com/advisories/ZDI-07-052.html X_refsource_misc
https://exchange.xforce.ibmcloud.com/vulnerabilities/36437 Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A3162 Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9379 Signature
URL Date SRC
http://lists.apple.com/archives/security-announce/2007/Nov/msg00002.html 2020-01-21
http://secunia.com/advisories/26676 2020-01-21
http://secunia.com/advisories/26680 2020-01-21
http://secunia.com/advisories/26684 2020-01-21
http://secunia.com/advisories/26691 2020-01-21
http://secunia.com/advisories/26697 2020-01-21
http://secunia.com/advisories/26699 2020-01-21
http://secunia.com/advisories/26700 2020-01-21
http://secunia.com/advisories/26705 2020-01-21
http://secunia.com/advisories/26713 2020-01-21
http://secunia.com/advisories/26728 2020-01-21
http://secunia.com/advisories/26783 2020-01-21
http://secunia.com/advisories/26792 2020-01-21
http://secunia.com/advisories/26822 2020-01-21
http://secunia.com/advisories/26896 2020-01-21
http://secunia.com/advisories/26987 2020-01-21
http://secunia.com/advisories/27043 2020-01-21
http://secunia.com/advisories/27081 2020-01-21
http://secunia.com/advisories/27146 2020-01-21
http://secunia.com/advisories/27643 2020-01-21
http://security.gentoo.org/glsa/glsa-200710-01.xml 2020-01-21
http://sunsolve.sun.com/search/document.do?assetkey=1-26-103060-1 2020-01-21
http://sunsolve.sun.com/search/document.do?assetkey=1-66-201319-1 2020-01-21
http://www.debian.org/security/2007/dsa-1367 2020-01-21
http://www.debian.org/security/2007/dsa-1368 2020-01-21
http://www.gentoo.org/security/en/glsa/glsa-200709-01.xml 2020-01-21
http://www.mandriva.com/security/advisories?name=MDKSA-2007:174 2020-01-21
http://www.mandriva.com/security/advisories?name=MDKSA-2007:181 2020-01-21
http://www.novell.com/linux/security/advisories/2007_19_sr.html 2020-01-21
http://www.novell.com/linux/security/advisories/2007_24_sr.html 2020-01-21
http://www.redhat.com/support/errata/RHSA-2007-0858.html 2020-01-21
http://www.redhat.com/support/errata/RHSA-2007-0913.html 2020-01-21
http://www.redhat.com/support/errata/RHSA-2007-0951.html 2020-01-21
http://www.trustix.org/errata/2007/0026 2020-01-21
http://www.ubuntu.com/usn/usn-511-1 2020-01-21
https://bugzilla.redhat.com/show_bug.cgi?id=250973 2007-10-02
https://www.redhat.com/archives/fedora-package-announce/2007-September/msg00087.html 2020-01-21
https://www.redhat.com/archives/fedora-package-announce/2008-March/msg00173.html 2020-01-21
https://access.redhat.com/security/cve/CVE-2007-3999 2007-10-02
Affected Vendors, Products, and Versions
Vendor  Product     Version  Other  Status
Mit     Kerberos 5  1.4      -      Affected
Mit     Kerberos 5  1.4.1    -      Affected
Mit     Kerberos 5  1.4.2    -      Affected
Mit     Kerberos 5  1.4.3    -      Affected
Mit     Kerberos 5  1.4.4    -      Affected
Mit     Kerberos 5  1.5      -      Affected
Mit     Kerberos 5  1.5.1    -      Affected
Mit     Kerberos 5  1.5.2    -      Affected
Mit     Kerberos 5  1.5.3    -      Affected
Mit     Kerberos 5  1.6      -      Affected
Mit     Kerberos 5  1.6.1    -      Affected
Mit     Kerberos 5  1.6.2    -      Affected