Kerberos AES and RC4 Decryption Integer Underflow Vulnerabilities

Last Update Date: 28 Jan 2011
Release Date: 14 Jan 2010

RISK: Medium Risk

Multiple vulnerabilities have been identified in Kerberos that remote attackers could exploit to cause a denial of service or compromise a vulnerable system. The issues are caused by integer underflow errors in the AES and RC4 decryption operations when processing an invalid ciphertext; a remote unauthenticated attacker could exploit them to crash the KDC or execute arbitrary code.
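
The bug class described above, shown as an added example (not code from MIT Kerberos or from this advisory): a decryption routine derives the plaintext length by subtracting a fixed overhead from the received ciphertext length. The layout, the confounder and checksum sizes, and all function names are assumptions for illustration, and `memcpy` stands in for the cipher operation.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed layout for illustration: [confounder | payload | checksum]. */
#define CONFOUNDER_LEN 16u
#define CHECKSUM_LEN   12u
#define OVERHEAD       ((size_t)(CONFOUNDER_LEN + CHECKSUM_LEN))

/* Unchecked form: unsigned subtraction wraps when the input is too short. */
size_t plain_len_unchecked(size_t cipher_len)
{
    return cipher_len - OVERHEAD;
}

/* Checked form: reject short input before subtracting. 0 on success. */
int plain_len_checked(size_t cipher_len, size_t *plain_len)
{
    if (plain_len == NULL || cipher_len < OVERHEAD)
        return -1;
    *plain_len = cipher_len - OVERHEAD;
    return 0;
}

/* Hypothetical caller: memcpy stands in for the real cipher operation. */
int extract_payload(const uint8_t *in, size_t in_len,
                    uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t n;
    if (in == NULL || out == NULL || out_len == NULL)
        return -1;
    if (plain_len_checked(in_len, &n) != 0 || n > out_cap)
        return -1;
    memcpy(out, in + CONFOUNDER_LEN, n);
    *out_len = n;
    return 0;
}

int main(void)
{
    uint8_t in[40] = {0}, out[16];   /* constructed sample input */
    size_t n = 0;
    int rc = extract_payload(in, sizeof in, out, sizeof out, &n);
    printf("extract(40): rc=%d n=%zu\n", rc, n);
    printf("unchecked(10) = %zu\n", plain_len_unchecked(10));
    printf("checked(10): rc=%d\n", plain_len_checked(10, &n));
    return 0;
}
```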


Impact

  • Remote Code Execution

System / Technologies affected

  • MIT Kerberos krb5-1.3 and later

Solutions

Before installing the software, please visit the software manufacturer's website for more details.


Vulnerability Identifier


Source


Related Link