CVE-2007-1216 - Double Free vulnerability in multiple products

CVSS 9.0 - CRITICAL

  • Attack vector: NETWORK
  • Attack complexity: LOW
  • Privileges required: SINGLE
  • Confidentiality impact: COMPLETE
  • Integrity impact: COMPLETE
  • Availability impact: COMPLETE

Tags: network, low complexity, mit, canonical, debian, CWE-415, critical, nessus

Summary

Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with "an invalid direction encoding".

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-200704-02.NASL
    description: The remote host is affected by the vulnerability described in GLSA-200704-02 (MIT Kerberos 5: Arbitrary remote code execution) The Kerberos telnet daemon fails to properly handle usernames allowing unauthorized access to any account (CVE-2007-0956). The Kerberos administration daemon, the KDC and possibly other applications using the MIT Kerberos libraries are vulnerable to the following issues. The krb5_klog_syslog function from the kadm5 library fails to properly validate input leading to a stack overflow (CVE-2007-0957). The GSS-API library is vulnerable to a double-free attack (CVE-2007-1216). Impact : By exploiting the telnet vulnerability a remote attacker may obtain access with root privileges. The remaining vulnerabilities may allow an authenticated remote attacker to execute arbitrary code with root privileges. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24935
    published: 2007-04-05
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/24935
    title: GLSA-200704-02 : MIT Kerberos 5: Arbitrary remote code execution
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Gentoo Linux Security Advisory GLSA 200704-02.
    #
    # The advisory text is Copyright (C) 2001-2015 Gentoo Foundation, Inc.
    # and licensed under the Creative Commons - Attribution / Share Alike 
    # license. See http://creativecommons.org/licenses/by-sa/3.0/
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(24935);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:44");
    
      script_cve_id("CVE-2007-0956", "CVE-2007-0957", "CVE-2007-1216");
      script_xref(name:"GLSA", value:"200704-02");
    
      script_name(english:"GLSA-200704-02 : MIT Kerberos 5: Arbitrary remote code execution");
      script_summary(english:"Checks for updated package(s) in /var/db/pkg");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Gentoo host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The remote host is affected by the vulnerability described in GLSA-200704-02
    (MIT Kerberos 5: Arbitrary remote code execution)
    
        The Kerberos telnet daemon fails to properly handle usernames allowing
        unauthorized access to any account (CVE-2007-0956). The Kerberos
        administration daemon, the KDC and possibly other applications using
        the MIT Kerberos libraries are vulnerable to the following issues. The
        krb5_klog_syslog function from the kadm5 library fails to properly
        validate input leading to a stack overflow (CVE-2007-0957). The GSS-API
        library is vulnerable to a double-free attack (CVE-2007-1216).
      
    Impact :
    
        By exploiting the telnet vulnerability a remote attacker may obtain
        access with root privileges. The remaining vulnerabilities may allow an
        authenticated remote attacker to execute arbitrary code with root
        privileges.
      
    Workaround :
    
        There is no known workaround at this time."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security.gentoo.org/glsa/200704-02"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "All MIT Kerberos 5 users should upgrade to the latest version:
        # emerge --sync
        # emerge --ask --oneshot --verbose '>=app-crypt/mit-krb5-1.5.2-r1'"
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:gentoo:linux:mit-krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:gentoo:linux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/04/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/05");
      script_set_attribute(attribute:"vuln_publication_date", value:"2007/04/03");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.");
      script_family(english:"Gentoo Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Gentoo/release", "Host/Gentoo/qpkg-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("qpkg.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Gentoo/release")) audit(AUDIT_OS_NOT, "Gentoo");
    if (!get_kb_item("Host/Gentoo/qpkg-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    
    if (qpkg_check(package:"app-crypt/mit-krb5", unaffected:make_list("ge 1.5.2-r1"), vulnerable:make_list("lt 1.5.2-r1"))) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:qpkg_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = qpkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "MIT Kerberos 5");
    }
    
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-1276.NASL
    description: Several remote vulnerabilities have been discovered in the MIT reference implementation of the Kerberos network authentication protocol suite, which may lead to the execution of arbitrary code. The Common Vulnerabilities and Exposures project identifies the following problems : - CVE-2007-0956 It was discovered that the krb5 telnet daemon performs insufficient validation of usernames, which might allow unauthorized logins or privilege escalation. - CVE-2007-0957 iDefense discovered that a buffer overflow in the logging code of the KDC and the administration daemon might lead to arbitrary code execution. - CVE-2007-1216 It was discovered that a double free in the RPCSEC_GSS part of the GSS library code might lead to arbitrary code execution.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25010
    published: 2007-04-10
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/25010
    title: Debian DSA-1276-1 : krb5 - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-1276. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(25010);
      script_version("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:20");
    
      script_cve_id("CVE-2007-0956", "CVE-2007-0957", "CVE-2007-1216");
      script_xref(name:"DSA", value:"1276");
    
      script_name(english:"Debian DSA-1276-1 : krb5 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Several remote vulnerabilities have been discovered in the MIT
    reference implementation of the Kerberos network authentication
    protocol suite, which may lead to the execution of arbitrary code. The
    Common Vulnerabilities and Exposures project identifies the following
    problems :
    
      - CVE-2007-0956
        It was discovered that the krb5 telnet daemon performs
        insufficient validation of usernames, which might allow
        unauthorized logins or privilege escalation.
    
      - CVE-2007-0957
        iDefense discovered that a buffer overflow in the
        logging code of the KDC and the administration daemon
        might lead to arbitrary code execution.
    
      - CVE-2007-1216
        It was discovered that a double free in the RPCSEC_GSS
        part of the GSS library code might lead to arbitrary
        code execution."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-0956"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-0957"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://security-tracker.debian.org/tracker/CVE-2007-1216"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://www.debian.org/security/2007/dsa-1276"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the Kerberos packages.
    
    For the stable distribution (sarge) these problems have been fixed in
    version 1.3.6-2sarge4.
    
    For the upcoming stable distribution (etch) these problems have been
    fixed in version 1.4.4-7etch1."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:4.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/04/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/04/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"krb5-admin-server", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-clients", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-doc", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-ftpd", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-kdc", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-rsh-server", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-telnetd", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-user", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"libkadm55", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"libkrb5-dev", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"libkrb53", reference:"1.3.6-2sarge4")) flag++;
    if (deb_check(release:"4.0", prefix:"krb5-admin-server", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"krb5-clients", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"krb5-doc", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"krb5-ftpd", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"krb5-kdc", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"krb5-rsh-server", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"krb5-telnetd", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"krb5-user", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libkadm55", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libkrb5-dbg", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libkrb5-dev", reference:"1.4.4-7etch1")) flag++;
    if (deb_check(release:"4.0", prefix:"libkrb53", reference:"1.4.4-7etch1")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-449-1.NASL
    description: The krb5 telnet service did not appropriately verify user names. A remote attacker could log in as the root user by requesting a specially crafted user name. (CVE-2007-0956) The krb5 syslog library did not correctly verify the size of log messages. A remote attacker could send a specially crafted message and execute arbitrary code with root privileges. (CVE-2007-0957) The krb5 administration service was vulnerable to a double-free in the GSS RPC library. A remote attacker could send a specially crafted request and execute arbitrary code with root privileges. (CVE-2007-1216). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 28046
    published: 2007-11-10
    reporter: Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/28046
    title: Ubuntu 5.10 / 6.06 LTS / 6.10 : krb5 vulnerabilities (USN-449-1)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Ubuntu Security Notice USN-449-1. The text 
    # itself is copyright (C) Canonical, Inc. See 
    # <http://www.ubuntu.com/usn/>. Ubuntu(R) is a registered 
    # trademark of Canonical, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(28046);
      script_version("1.18");
      script_cvs_date("Date: 2019/08/02 13:33:01");
    
      script_cve_id("CVE-2007-0956", "CVE-2007-0957", "CVE-2007-1216");
      script_xref(name:"USN", value:"449-1");
    
      script_name(english:"Ubuntu 5.10 / 6.06 LTS / 6.10 : krb5 vulnerabilities (USN-449-1)");
      script_summary(english:"Checks dpkg output for updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Ubuntu host is missing one or more security-related
    patches."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The krb5 telnet service did not appropriately verify user names. A
    remote attacker could log in as the root user by requesting a
    specially crafted user name. (CVE-2007-0956)
    
    The krb5 syslog library did not correctly verify the size of log
    messages. A remote attacker could send a specially crafted message and
    execute arbitrary code with root privileges. (CVE-2007-0957)
    
    The krb5 administration service was vulnerable to a double-free in the
    GSS RPC library. A remote attacker could send a specially crafted
    request and execute arbitrary code with root privileges.
    (CVE-2007-1216).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Ubuntu security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://usn.ubuntu.com/449-1/"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_set_attribute(attribute:"exploit_framework_canvas", value:"true");
      script_set_attribute(attribute:"canvas_package", value:'D2ExploitPack');
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:krb5-admin-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:krb5-clients");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:krb5-doc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:krb5-ftpd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:krb5-kdc");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:krb5-rsh-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:krb5-telnetd");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:krb5-user");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libkadm55");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libkrb5-dbg");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libkrb5-dev");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:canonical:ubuntu_linux:libkrb53");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:5.10");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.06:-:lts");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:canonical:ubuntu_linux:6.10");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2007/04/03");
      script_set_attribute(attribute:"plugin_publication_date", value:"2007/11/10");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"Ubuntu Security Notice (C) 2007-2019 Canonical, Inc. / NASL script (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Ubuntu Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/cpu", "Host/Ubuntu", "Host/Ubuntu/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("ubuntu.inc");
    include("misc_func.inc");
    
    if ( ! get_kb_item("Host/local_checks_enabled") ) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/Ubuntu/release");
    if ( isnull(release) ) audit(AUDIT_OS_NOT, "Ubuntu");
    release = chomp(release);
    if (! ereg(pattern:"^(5\.10|6\.06|6\.10)$", string:release)) audit(AUDIT_OS_NOT, "Ubuntu 5.10 / 6.06 / 6.10", "Ubuntu " + release);
    if ( ! get_kb_item("Host/Debian/dpkg-l") ) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Ubuntu", cpu);
    
    flag = 0;
    
    if (ubuntu_check(osver:"5.10", pkgname:"krb5-admin-server", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"krb5-clients", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"krb5-doc", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"krb5-ftpd", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"krb5-kdc", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"krb5-rsh-server", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"krb5-telnetd", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"krb5-user", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"libkadm55", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"libkrb5-dev", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"5.10", pkgname:"libkrb53", pkgver:"1.3.6-4ubuntu0.2")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"krb5-admin-server", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"krb5-clients", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"krb5-doc", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"krb5-ftpd", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"krb5-kdc", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"krb5-rsh-server", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"krb5-telnetd", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"krb5-user", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libkadm55", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libkrb5-dev", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.06", pkgname:"libkrb53", pkgver:"1.4.3-5ubuntu0.3")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"krb5-admin-server", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"krb5-clients", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"krb5-doc", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"krb5-ftpd", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"krb5-kdc", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"krb5-rsh-server", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"krb5-telnetd", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"krb5-user", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libkadm55", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libkrb5-dbg", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libkrb5-dev", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    if (ubuntu_check(osver:"6.10", pkgname:"libkrb53", pkgver:"1.4.3-9ubuntu1.2")) flag++;
    
    if (flag)
    {
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : ubuntu_report_get()
      );
      exit(0);
    }
    else
    {
      tested = ubuntu_pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-admin-server / krb5-clients / krb5-doc / krb5-ftpd / krb5-kdc / etc");
    }
    
  • NASL family: MacOS X Local Security Checks
    NASL id: MACOSX_SECUPD2007-004.NASL
    description: The remote host is running a version of Mac OS X 10.4 that does not have Security Update 2007-004 applied. This update fixes security flaws in the following applications : AFP Client, AirPort, CarbonCore, diskdev_cmds, fetchmail, ftpd, gnutar, Help Viewer, HID Family, Installer, Kerberos, Libinfo, Login Window, network_cmds, SMB, System Configuration, URLMount, Video Conference, WebDAV
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 25081
    published: 2007-04-21
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/25081
    title: Mac OS X Multiple Vulnerabilities (Security Update 2007-004)
    code:
    #
    # (C) Tenable Network Security, Inc.
    #
    
    if ( ! defined_func("bn_random") ) exit(0);
    
    if (NASL_LEVEL < 3000) exit(0);
    
    
    include("compat.inc");
    
    if(description)
    {
     script_id(25081);
     script_version ("1.22");
     script_cvs_date("Date: 2018/07/14  1:59:35");
     
     script_cve_id("CVE-2006-0300", "CVE-2006-5867", "CVE-2006-6143", "CVE-2006-6652", "CVE-2007-0022",
                   "CVE-2007-0465", "CVE-2007-0646", "CVE-2007-0724", "CVE-2007-0725", "CVE-2007-0729",
                   "CVE-2007-0732", "CVE-2007-0734", "CVE-2007-0735", "CVE-2007-0736", "CVE-2007-0737",
                   "CVE-2007-0738", "CVE-2007-0739", "CVE-2007-0741", "CVE-2007-0742", "CVE-2007-0743",
                   "CVE-2007-0744", "CVE-2007-0746", "CVE-2007-0747", "CVE-2007-0957", "CVE-2007-1216");
     script_bugtraq_id(23569);
    
     script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2007-004)");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes a security
    issue." );
     script_set_attribute(attribute:"description", value:
    "The remote host is running a version of Mac OS X 10.4 that does not have
    Security Update 2007-004 applied.
    
    This update fixes security flaws in the following applications :
    
    AFP Client
    AirPort
    CarbonCore
    diskdev_cmds
    fetchmail
    ftpd
    gnutar
    Help Viewer
    HID Family
    Installer
    Kerberos
    Libinfo
    Login Window
    network_cmds
    SMB
    System Configuration
    URLMount
    Video Conference
    WebDAV" );
     # http://web.archive.org/web/20071213053008/http://docs.info.apple.com/article.html?artnum=305391
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?cf3b0926" );
     script_set_attribute(attribute:"solution", value:
    "Install Security Update 2007-004 :
    
    # http://web.archive.org/web/20070423190224/http://www.apple.com/support/downloads/securityupdate2007004universal.html
    http://www.nessus.org/u?f44d0fd9" );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_cwe_id(119, 134, 264);
    
     script_set_attribute(attribute:"plugin_publication_date", value: "2007/04/21");
     script_set_attribute(attribute:"vuln_publication_date", value: "2007/04/09");
     script_set_attribute(attribute:"patch_publication_date", value: "2007/04/19");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
     script_end_attributes();
    
     script_summary(english:"Check for the presence of Security Update 2007-004");
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.");
     script_family(english:"MacOS X Local Security Checks");
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/MacOSX/packages");
     exit(0);
    }
    
    #
    
    packages = get_kb_item("Host/MacOSX/packages");
    if ( ! packages ) exit(0);
    
    
    
    uname = get_kb_item("Host/uname");
    if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.[0-9]\.)", string:uname) )
    {
      if (!egrep(pattern:"^SecUpd(Srvr)?(2007-00[4-9]|200[89]-|20[1-9][0-9]-)", string:packages))
        security_hole(0);
    }
    
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_KRB5-3045.NASL
    description: A bug in the function krb5_klog_syslog() leads to a buffer overflow which could be exploited to execute arbitrary code (CVE-2007-0957). A double-free bug in the GSS-API library could crash kadmind. It
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 27308
    published: 2007-10-17
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/27308
    title: openSUSE 10 Security Update : krb5 (krb5-3045)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_34991.NASL
    description: s700_800 11.23 KRB5-Client Version 1.0 Cumulative patch : A potential security vulnerability has been identified on HP-UX running Kerberos. The vulnerability could be exploited by remote authorized users to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26144
    published: 2007-09-25
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26144
    title: HP-UX PHSS_34991 : HP-UX running Kerberos, Remote Arbitrary Code Execution (HPSBUX02217 SSRT071337 rev.2)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2007-0095.NASL
    description: Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24919
    published: 2007-04-05
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/24919
    title: CentOS 3 / 4 : krb5 (CESA-2007:0095)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36286.NASL
    description: s700_800 11.11 KRB5-Client Version 1.0 cumulative patch : A potential security vulnerability has been identified on HP-UX running Kerberos. The vulnerability could be exploited by remote authorized users to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26152
    published: 2007-09-25
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26152
    title: HP-UX PHSS_36286 : HP-UX running Kerberos, Remote Arbitrary Code Execution (HPSBUX02217 SSRT071337 rev.2)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_KRB5-3046.NASL
    description: A bug in the function krb5_klog_syslog() leads to a buffer overflow which could be exploited to execute arbitrary code. (CVE-2007-0957) A double-free bug in the GSS-API library could crash kadmind. It
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 29492
    published: 2007-12-13
    reporter: This script is Copyright (C) 2007-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/29492
    title: SuSE 10 Security Update : Kerberos 5 (ZYPP Patch Number 3046)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2007-0095.NASL
    description: From Red Hat Security Advisory 2007:0095 : Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 67458
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/67458
    title: Oracle Linux 3 / 4 / 5 : krb5 (ELSA-2007-0095)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2007-0095.NASL
    description: Updated krb5 packages that fix a number of issues are now available. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other through use of symmetric encryption and a trusted third party, the KDC. A flaw was found in the username handling of the MIT krb5 telnet daemon (telnetd). A remote attacker who can access the telnet port of a target machine could log in as root without requiring a password. (CVE-2007-0956) Note that the krb5 telnet daemon is not enabled by default in any version of Red Hat Enterprise Linux. In addition, the default firewall rules block remote access to the telnet port. This flaw does not affect the telnet daemon distributed in the telnet-server package. For users who have enabled the krb5 telnet daemon and have it accessible remotely, this update should be applied immediately. Whilst we are not aware at this time that the flaw is being actively exploited, we have confirmed that the flaw is very easily exploitable. This update also fixes two additional security issues : Buffer overflows were found which affect the Kerberos KDC and the kadmin server daemon. A remote attacker who can access the KDC could exploit this bug to run arbitrary code with the privileges of the KDC or kadmin server processes. (CVE-2007-0957) A double-free flaw was found in the GSSAPI library used by the kadmin server daemon. Red Hat Enterprise Linux 4 and 5 contain checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 and 5 successful exploitation of this issue can only lead to a denial of service. Applications which use this library in earlier releases of Red Hat Enterprise Linux may also be affected. (CVE-2007-1216) All users are advised to update to these erratum packages which contain a backported fix to correct these issues. Red Hat would like to thank MIT and iDefense for reporting these vulnerabilities.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24948
    published: 2007-04-05
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/24948
    title: RHEL 2.1 / 3 / 4 / 5 : krb5 (RHSA-2007:0095)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2007-077.NASL
    description: A vulnerability was found in the username handling of the MIT krb5 telnet daemon. A remote attacker that could access the telnet port of a target machine could login as root without requiring a password (CVE-2007-0956). Buffer overflows in the kadmin server daemon were discovered that could be exploited by a remote attacker able to access the KDC. Successful exploitation could allow for the execution of arbitrary code with the privileges of the KDC or kadmin server processes (CVE-2007-0957). Finally, a double-free flaw was discovered in the GSSAPI library used by the kadmin server daemon, which could lead to a denial of service condition or the execution of arbitrary code with the privileges of the KDC or kadmin server processes (CVE-2007-1216). Updated packages have been patched to address this issue. Update : Packages for Mandriva Linux 2007.1 are now available.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 24943
    published: 2007-04-05
    reporter: This script is Copyright (C) 2007-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/24943
    title: Mandrake Linux Security Advisory : krb5 (MDKSA-2007:077-1)
  • NASL family: HP-UX Local Security Checks
    NASL id: HPUX_PHSS_36361.NASL
    description: s700_800 11.31 KRB5-Client Version 1.3.5.03 Cumulative patch : A potential security vulnerability has been identified on HP-UX running Kerberos. The vulnerability could be exploited by remote authorized users to execute arbitrary code.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 26153
    published: 2007-09-25
    reporter: This script is Copyright (C) 2007-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/26153
    title: HP-UX PHSS_36361 : HP-UX running Kerberos, Remote Arbitrary Code Execution (HPSBUX02217 SSRT071337 rev.2)

Oval

accepted: 2013-04-29T04:11:45.539-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 3
    oval: oval:org.mitre.oval:def:11782
  • comment: CentOS Linux 3.x
    oval: oval:org.mitre.oval:def:16651
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 4
    oval: oval:org.mitre.oval:def:11831
  • comment: CentOS Linux 4.x
    oval: oval:org.mitre.oval:def:16636
  • comment: Oracle Linux 4.x
    oval: oval:org.mitre.oval:def:15990
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with "an invalid direction encoding".
family: unix
id: oval:org.mitre.oval:def:11135
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Double free vulnerability in the GSS-API library (lib/gssapi/krb5/k5unseal.c), as used by the Kerberos administration daemon (kadmind) in MIT krb5 before 1.6.1, when used with the authentication method provided by the RPCSEC_GSS RPC library, allows remote authenticated users to execute arbitrary code and modify the Kerberos key database via a message with "an invalid direction encoding".
version: 27

Redhat

advisories
bugzilla
id: 231537
title: CVE-2007-1216 krb5 double free flaw
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 4 is installed
      oval: oval:com.redhat.rhba:tst:20070304025
    • OR
      • AND
        • comment: krb5-server is earlier than 0:1.3.4-46
          oval: oval:com.redhat.rhsa:tst:20070095001
        • comment: krb5-server is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20060612002
      • AND
        • comment: krb5-devel is earlier than 0:1.3.4-46
          oval: oval:com.redhat.rhsa:tst:20070095003
        • comment: krb5-devel is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20060612004
      • AND
        • comment: krb5-workstation is earlier than 0:1.3.4-46
          oval: oval:com.redhat.rhsa:tst:20070095005
        • comment: krb5-workstation is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20060612006
      • AND
        • comment: krb5-libs is earlier than 0:1.3.4-46
          oval: oval:com.redhat.rhsa:tst:20070095007
        • comment: krb5-libs is signed with Red Hat master key
          oval: oval:com.redhat.rhsa:tst:20060612008
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment: krb5-workstation is earlier than 0:1.5-23
          oval: oval:com.redhat.rhsa:tst:20070095010
        • comment: krb5-workstation is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070095011
      • AND
        • comment: krb5-libs is earlier than 0:1.5-23
          oval: oval:com.redhat.rhsa:tst:20070095012
        • comment: krb5-libs is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070095013
      • AND
        • comment: krb5-devel is earlier than 0:1.5-23
          oval: oval:com.redhat.rhsa:tst:20070095014
        • comment: krb5-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070095015
      • AND
        • comment: krb5-server is earlier than 0:1.5-23
          oval: oval:com.redhat.rhsa:tst:20070095016
        • comment: krb5-server is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070095017
rhsa
id: RHSA-2007:0095
released: 2007-04-03
severity: Critical
title: RHSA-2007:0095: krb5 security update (Critical)
rpms
  • krb5-debuginfo-0:1.2.7-61
  • krb5-debuginfo-0:1.3.4-46
  • krb5-debuginfo-0:1.5-23
  • krb5-devel-0:1.2.2-44
  • krb5-devel-0:1.2.7-61
  • krb5-devel-0:1.3.4-46
  • krb5-devel-0:1.5-23
  • krb5-libs-0:1.2.2-44
  • krb5-libs-0:1.2.7-61
  • krb5-libs-0:1.3.4-46
  • krb5-libs-0:1.5-23
  • krb5-server-0:1.2.2-44
  • krb5-server-0:1.2.7-61
  • krb5-server-0:1.3.4-46
  • krb5-server-0:1.5-23
  • krb5-workstation-0:1.2.2-44
  • krb5-workstation-0:1.2.7-61
  • krb5-workstation-0:1.3.4-46
  • krb5-workstation-0:1.5-23

References