
Gentoo Linux Security Advisory: MIT Kerberos 5: Multiple vulnerabilities X2

Multiple vulnerabilities have been identified in MIT Kerberos 5

Severity: High
Title: MIT Kerberos 5: Multiple vulnerabilities

Vulnerability Number 1

Synopsis
========

Multiple vulnerabilities have been found in MIT Kerberos 5, the most
severe of which may allow remote execution of arbitrary code.

Background
==========

MIT Kerberos 5 is a suite of applications that implement the Kerberos
network protocol.

 

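Affected packages
=================

-------------------------------------------------------------------
Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  app-crypt/mit-krb5          < 1.9.2-r1               >= 1.9.2-r1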

Description
===========

Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please
review the CVE identifiers referenced below for details.

Impact
======

A remote attacker may be able to execute arbitrary code with the
privileges of the administration daemon or the Key Distribution Center
(KDC) daemon, cause a Denial of Service condition, or possibly obtain
sensitive information. Furthermore, a remote attacker may be able to
spoof Kerberos authorization, modify KDC responses, forge user data
messages, forge tokens, forge signatures, impersonate a client, modify
user-visible prompt text, or have other unspecified impact.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MIT Kerberos 5 users should upgrade to the latest version:

  # emerge --sync
  # emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.9.2-r1"

References
==========

[  1 ] CVE-2009-3295
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-3295
[  2 ] CVE-2009-4212
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-4212
[  3 ] CVE-2010-0283
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0283
[  4 ] CVE-2010-0629
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-0629

 
Vulnerability Number 2

Severity: Normal

Title: MIT Kerberos 5 Applications: Multiple vulnerabilities

Synopsis
========

Multiple vulnerabilities have been found in MIT Kerberos 5
Applications, the most severe of which may allow execution of arbitrary
code.

Background
==========

A suite of applications that implement the Kerberos 5 network protocol
from MIT.

Affected packages
=================

-------------------------------------------------------------------
Package              /     Vulnerable     /            Unaffected
-------------------------------------------------------------------
1  app-crypt/mit-krb5-appl     < 1.0.2-r1               >= 1.0.2-r1

Description
===========

Multiple vulnerabilities have been discovered in MIT Kerberos 5
Applications:

* An error in the FTP daemon prevents it from dropping its initial
  effective group identifier (CVE-2011-1526).
* A boundary error in the telnet daemon and client could cause a buffer
  overflow (CVE-2011-4862).

Impact
======

An unauthenticated remote attacker may be able to execute arbitrary
code with the privileges of the user running the telnet daemon or
client. Furthermore, an authenticated remote attacker may be able to
read or write files owned by the same group as the effective group of
the FTP daemon.

Workaround
==========

There is no known workaround at this time.

Resolution
==========

All MIT Kerberos 5 Applications users should upgrade to the latest
version:

  # emerge --sync
  # emerge --ask --oneshot -v ">=app-crypt/mit-krb5-appl-1.0.2-r1"
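
To check an inventory against the fixed versions named in both advisories above, the following added example (not part of the Gentoo advisories and not Portage's own code) compares installed versions with the "Unaffected" boundaries. It assumes a simplified version syntax of dotted numbers with an optional -rN revision; the names FIXED, parse_version, is_vulnerable, audit and the SAMPLE inventory are illustrative.

```python
import re

# Fixed ("unaffected") versions, taken from the two advisories above.
FIXED = {
    "app-crypt/mit-krb5": "1.9.2-r1",
    "app-crypt/mit-krb5-appl": "1.0.2-r1",
}

# Simplifying assumption: dotted numbers plus an optional -rN revision.
# Portage suffixes such as _rc1 or _p2 are rejected rather than guessed at.
_VERSION = re.compile(r"^(\d+(?:\.\d+)*)(?:-r(\d+))?$")
_ATOM = re.compile(r"^(.+?)-(\d[^-]*(?:-r\d+)?)$")


def parse_version(version):
    """Turn '1.9.2-r1' into ((1, 9, 2), 1); a missing -rN is revision 0."""
    match = _VERSION.match(version)
    if match is None:
        raise ValueError(f"unsupported version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, int(match.group(2) or 0)


def is_vulnerable(package, installed):
    """True when the installed version sorts before the fixed one."""
    return parse_version(installed) < parse_version(FIXED[package])


def audit(installed_atoms):
    """Return the atoms from an installed-package list that need upgrading."""
    flagged = []
    for atom in installed_atoms:
        match = _ATOM.match(atom)
        if match and match.group(1) in FIXED:
            if is_vulnerable(match.group(1), match.group(2)):
                flagged.append(atom)
    return flagged


# Constructed sample inventory (not taken from a real host).
SAMPLE = [
    "app-crypt/mit-krb5-1.9.2",          # same upstream release, revision 0
    "app-crypt/mit-krb5-appl-1.0.2-r1",  # already at the fixed revision
    "sys-libs/glibc-2.13-r4",            # unrelated package, ignored
]

if __name__ == "__main__":
    for atom in audit(SAMPLE):
        print("upgrade needed:", atom)
```

Comparing the numeric components as integers matters here: a plain string comparison would sort 1.10 before 1.9.2 and wrongly flag it.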

References
==========

[ 1 ] CVE-2011-1526
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-1526
[ 2 ] CVE-2011-4862
http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-4862