CVE-2009-0360
pam-krb5 < 3.13 - Local Privilege Escalation
Severity Score: 6.2 (CVSS v2)
Public Exploits: 1 (Multiple Sources)
Exploited in Wild: - (KEV)
Decision: - (SSVC)
Descriptions
Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.
*Credits:
N/A
Timeline
- 2009-01-29 CVE Reserved
- 2009-02-11 CVE Published
- 2009-03-29 First Exploit
- 2023-03-08 EPSS Updated
- 2024-08-07 CVE Updated
CWE
- CWE-287: Improper Authentication
References (19)
URL | Tag
---|---
http://secunia.com/advisories/34260 | Third Party Advisory
http://secunia.com/advisories/34449 | Third Party Advisory
http://securitytracker.com/id?1021711 | Vdb Entry
http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm | X_refsource_confirm
http://www.securityfocus.com/archive/1/500892/100/0/threaded | Mailing List
http://www.securityfocus.com/bid/33740 | Vdb Entry
http://www.vupen.com/english/advisories/2009/0410 | Vdb Entry
http://www.vupen.com/english/advisories/2009/0426 | Vdb Entry
http://www.vupen.com/english/advisories/2009/0979 | Vdb Entry
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5669 | Signature
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5732 | Signature

URL | Date
---|---
https://www.exploit-db.com/exploits/8303 | 2009-03-29

URL | Date
---|---
http://secunia.com/advisories/33914 | 2018-10-11
http://secunia.com/advisories/33917 | 2018-10-11
http://security.gentoo.org/glsa/glsa-200903-39.xml | 2018-10-11
http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1 | 2018-10-11
http://www.debian.org/security/2009/dsa-1721 | 2018-10-11
http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html | 2018-10-11
http://www.ubuntu.com/usn/USN-719-1 | 2018-10-11
Affected Vendors, Products, and Versions
Vendor | Product | Version | Other | Status
---|---|---|---|---
Eyrie | Pam-krb5 | <= 3.12 | - | Affected
Eyrie | Pam-krb5 | 2.0 | - | Affected
Eyrie | Pam-krb5 | 2.1 | - | Affected
Eyrie | Pam-krb5 | 2.2 | - | Affected
Eyrie | Pam-krb5 | 2.3 | - | Affected
Eyrie | Pam-krb5 | 2.4 | - | Affected
Eyrie | Pam-krb5 | 2.5 | - | Affected
Eyrie | Pam-krb5 | 2.6 | - | Affected
Eyrie | Pam-krb5 | 3.0 | - | Affected
Eyrie | Pam-krb5 | 3.1 | - | Affected
Eyrie | Pam-krb5 | 3.2 | - | Affected
Eyrie | Pam-krb5 | 3.3 | - | Affected
Eyrie | Pam-krb5 | 3.4 | - | Affected
Eyrie | Pam-krb5 | 3.5 | - | Affected
Eyrie | Pam-krb5 | 3.6 | - | Affected
Eyrie | Pam-krb5 | 3.7 | - | Affected
Eyrie | Pam-krb5 | 3.8 | - | Affected
Eyrie | Pam-krb5 | 3.9 | - | Affected
Eyrie | Pam-krb5 | 3.10 | - | Affected
Eyrie | Pam-krb5 | 3.11 | - | Affected