GLSA Advocate
Joined: 12 May 2004 Posts: 2663
|
Posted: Thu Aug 10, 2006 4:26 pm Post subject: [ GLSA 200608-15 ] MIT Kerberos 5: Multiple local privilege |
|
|
Gentoo Linux Security Advisory
Title: MIT Kerberos 5: Multiple local privilege escalation vulnerabilities (GLSA 200608-15)
Severity: high
Exploitable: local
Date: August 10, 2006
Bug(s): #143240
ID: 200608-15
Synopsis
Some applications shipped with MIT Kerberos 5 are vulnerable to local privilege escalation.
Background
MIT Kerberos 5 is a suite of applications that implement the Kerberos network protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography.
Affected Packages
Package: app-crypt/mit-krb5
Vulnerable: < 1.4.3-r3
Unaffected: >= 1.4.3-r3
Architectures: All supported architectures
Description
Unchecked calls to setuid() in krshd and v4rcp, as well as unchecked calls to seteuid() in kftpd and in ksu, have been found in the MIT Kerberos 5 program suite and may lead to a local root privilege escalation.
Impact
A local attacker could exploit this vulnerability to execute arbitrary code with elevated privileges.
Workaround
There is no known workaround at this time.
Resolution
All MIT Kerberos 5 users should upgrade to the latest version: Code: | # emerge --sync
# emerge --ask --oneshot --verbose ">=app-crypt/mit-krb5-1.4.3-r3" |
References
CVE-2006-3083
CVE-2006-3084 |
|