Kerberos AES and RC4 Decryption Integer Underflow Vulnerabilities
Last Update Date:
28 Jan 2011
Release Date:
14 Jan 2010
RISK: Medium Risk
Multiple vulnerabilities have been identified in MIT Kerberos that could be exploited by remote attackers to cause a denial of service or compromise a vulnerable system. They are caused by integer underflow errors in the AES and RC4 (arcfour) decryption routines: when a ciphertext shorter than the minimum the encryption type requires is processed, the unsigned length arithmetic wraps to a very large value before any integrity check takes place. A remote, unauthenticated attacker who can send Kerberos messages to a KDC (or to an application server using the krb5 libraries) can therefore crash the process or, potentially, execute arbitrary code.
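To make the failure mode concrete, the following is an added C example modelling the bug class described above; it is not MIT's code and the message layout (a confounder block followed by payload and a truncated MAC), the constants and the function names are hypothetical. It places the unchecked unsigned subtraction beside the hardened form that rejects short input before doing any arithmetic on its length.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical ciphertext layout, modelled on a confounder + payload + MAC
 * construction: these sizes are assumptions for the example, not krb5's. */
#define BLOCK_SIZE 16   /* leading confounder block */
#define HASH_SIZE  12   /* trailing truncated MAC */

/* Vulnerable: unsigned subtraction with no minimum-length check.
 * For ciphertext_len < BLOCK_SIZE + HASH_SIZE the result wraps to a
 * value near SIZE_MAX, which downstream code then uses as a copy/decrypt
 * length. */
size_t vuln_payload_len(size_t ciphertext_len)
{
    return ciphertext_len - BLOCK_SIZE - HASH_SIZE;
}

/* Hardened: check the minimum length first, then subtract.
 * Returns 0 and stores the payload length on success, -1 on short input. */
int safe_payload_len(size_t ciphertext_len, size_t *payload_len)
{
    if (ciphertext_len < (size_t)BLOCK_SIZE + HASH_SIZE)
        return -1;              /* too short to hold confounder + MAC */
    *payload_len = ciphertext_len - BLOCK_SIZE - HASH_SIZE;
    return 0;
}

/* Simulates what a decrypt routine would do with the wrapped length:
 * any copy of payload_len bytes out of a ciphertext_len buffer is an
 * out-of-bounds read. Returns 1 if the vulnerable computation would
 * over-read, 0 otherwise. Nothing is actually read out of bounds here. */
int vuln_would_overread(size_t ciphertext_len)
{
    size_t n = vuln_payload_len(ciphertext_len);
    return n > ciphertext_len;
}

/* Vulnerable decrypt stub: trusts the computed length and "decrypts" by
 * copying into a fixed output buffer. Returns the number of bytes it
 * would have touched, so the caller can see the wrapped value. */
size_t vuln_decrypt(const uint8_t *ct, size_t ct_len, uint8_t *out, size_t out_cap)
{
    size_t n = vuln_payload_len(ct_len);
    /* A real implementation would loop or memcpy for n bytes here; the
     * copy is bounded to out_cap purely so this demo cannot crash. */
    memcpy(out, ct + BLOCK_SIZE, n < out_cap ? n : out_cap);
    return n;
}

/* Hardened decrypt stub: rejects short input before any length math. */
int safe_decrypt(const uint8_t *ct, size_t ct_len, uint8_t *out, size_t out_cap,
                 size_t *out_len)
{
    size_t n;
    if (safe_payload_len(ct_len, &n) != 0 || n > out_cap)
        return -1;
    memcpy(out, ct + BLOCK_SIZE, n);
    *out_len = n;
    return 0;
}

int main(void)
{
    /* Constructed 4-byte "ciphertext": shorter than confounder + MAC. */
    uint8_t short_ct[4] = {0x01, 0x02, 0x03, 0x04};
    uint8_t out[64];
    size_t n;

    printf("vulnerable length for 4-byte input: %zu (wrapped)\n",
           vuln_payload_len(sizeof short_ct));
    printf("would over-read: %d\n", vuln_would_overread(sizeof short_ct));
    printf("hardened check on 4-byte input: %d (rejected)\n",
           safe_decrypt(short_ct, sizeof short_ct, out, sizeof out, &n));

    /* Constructed 40-byte input: 16 confounder + 12 payload + 12 MAC. */
    uint8_t ok_ct[40];
    memset(ok_ct, 0xAB, sizeof ok_ct);
    if (safe_decrypt(ok_ct, sizeof ok_ct, out, sizeof out, &n) == 0)
        printf("hardened decrypt of 40-byte input: payload %zu bytes\n", n);
    return 0;
}
```

The point of the hardened version is ordering: the minimum-length comparison happens before any subtraction, and the result is also checked against the destination capacity. Because the MAC in this kind of construction is computed over the decrypted data, it is only verified after the length arithmetic has run, so it cannot protect against a truncated ciphertext; the length check itself has to be the first thing the decryption path does.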
Impact
- Denial of Service
- Remote Code Execution
System / Technologies affected
- MIT Kerberos krb5-1.3 and later, up to and including krb5-1.7 (fixed in krb5-1.7.1 and krb5-1.6.4)
Solutions
Before installing the software, please visit the software manufacturer's website for more details.
- Upgrade to krb5-1.7.1 or krb5-1.6.4:
  http://web.mit.edu/kerberos/dist/index.html
- Or apply the patch for krb5-1.7:
  http://web.mit.edu/kerberos/advisories/2009-004-patch_1.7.txt
- Or apply the patch for krb5-1.6:
  http://web.mit.edu/kerberos/advisories/2009-004-patch_1.6.3.txt
Vulnerability Identifier
Source
Related Link