ID CVE-2007-2798
Summary Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
References
Vulnerable Configurations
  • cpe:2.3:a:mit:kerberos_5:-:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:-:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0:-:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0:-:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0:patch_level1:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0:patch_level1:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0:patch_level2:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0:patch_level2:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0:patch_level3:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0:patch_level3:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0.5:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0.6:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.0.7:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.0.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.1.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.1.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2:-:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2:-:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2:beta1:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2:beta1:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2:beta2:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2:beta2:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2.5:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2.6:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2.7:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.2.8:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.2.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3:-:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3:-:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3:alpha1:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3.5:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.3.6:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.3.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.4.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.4.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.4.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.4.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.4.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.4.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.4.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.4.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.5:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.5.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.5.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.5.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.5.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.5.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.5.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.5.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.5.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.6:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos_5:1.6.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos_5:1.6.1:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:6.06:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:6.10:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:6.10:*:*:*:*:*:*:*
  • cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
    cpe:2.3:o:canonical:ubuntu_linux:7.04:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:3.1:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:3.1:*:*:*:*:*:*:*
  • cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
    cpe:2.3:o:debian:debian_linux:4.0:*:*:*:*:*:*:*
CVSS
Base: 9.0 (as of 02-02-2021 - 18:32)
Impact:
Exploitability:
CWE CWE-787
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
COMPLETE COMPLETE COMPLETE
cvss-vector via4 AV:N/AC:L/Au:S/C:C/I:C/A:C
oval via4
  • accepted 2007-11-16T08:14:19.297-05:00
    class vulnerability
    contributors
    • name Nicholas Hansen
      organization Opsware, Inc.
    • name Nicholas Hansen
      organization Opsware, Inc.
    definition_extensions
    • comment Solaris 8 (SPARC) is installed
      oval oval:org.mitre.oval:def:1539
    • comment Solaris 8 (x86) is installed
      oval oval:org.mitre.oval:def:2059
    • comment Solaris 9 (SPARC) is installed
      oval oval:org.mitre.oval:def:1457
    • comment Solaris 9 (x86) is installed
      oval oval:org.mitre.oval:def:1683
    • comment Solaris 10 (SPARC) is installed
      oval oval:org.mitre.oval:def:1440
    • comment Solaris 10 (x86) is installed
      oval oval:org.mitre.oval:def:1926
    description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
    family unix
    id oval:org.mitre.oval:def:1726
    status accepted
    submitted 2007-06-28T09:00:00.000-04:00
    title Security Vulnerability in the Kerberos Administration Daemon (kadmind(1M)) May Lead to Arbitrary Code Execution
    version 36
  • accepted 2015-04-20T04:02:34.917-04:00
    class vulnerability
    contributors
    • name Chandan M C
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Sushant Kumar Singh
      organization Hewlett-Packard
    • name Prashant Kumar
      organization Hewlett-Packard
    • name Mike Cokus
      organization The MITRE Corporation
    description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
    family unix
    id oval:org.mitre.oval:def:7550
    status accepted
    submitted 2010-10-25T11:35:23.000-05:00
    title HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code
    version 47
  • accepted 2013-04-29T04:24:00.367-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 3
      oval oval:org.mitre.oval:def:11782
    • comment CentOS Linux 3.x
      oval oval:org.mitre.oval:def:16651
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
    family unix
    id oval:org.mitre.oval:def:9996
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title Stack-based buffer overflow in the rename_principal_2_svc function in kadmind for MIT Kerberos 1.5.3, 1.6.1, and other versions allows remote authenticated users to execute arbitrary code via a crafted request to rename a principal.
    version 30
redhat via4
advisories
  • bugzilla
    id 245549
    title CVE-2007-2798 krb5 kadmind buffer overflow
    oval
    OR
    • comment Red Hat Enterprise Linux must be installed
      oval oval:com.redhat.rhba:tst:20070304026
    • AND
      • comment Red Hat Enterprise Linux 4 is installed
        oval oval:com.redhat.rhba:tst:20070304025
      • OR
        • AND
          • comment krb5-devel is earlier than 0:1.3.4-49
            oval oval:com.redhat.rhsa:tst:20070562001
          • comment krb5-devel is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060612002
        • AND
          • comment krb5-libs is earlier than 0:1.3.4-49
            oval oval:com.redhat.rhsa:tst:20070562003
          • comment krb5-libs is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060612004
        • AND
          • comment krb5-server is earlier than 0:1.3.4-49
            oval oval:com.redhat.rhsa:tst:20070562005
          • comment krb5-server is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060612006
        • AND
          • comment krb5-workstation is earlier than 0:1.3.4-49
            oval oval:com.redhat.rhsa:tst:20070562007
          • comment krb5-workstation is signed with Red Hat master key
            oval oval:com.redhat.rhsa:tst:20060612008
    • AND
      • comment Red Hat Enterprise Linux 5 is installed
        oval oval:com.redhat.rhba:tst:20070331005
      • OR
        • AND
          • comment krb5-devel is earlier than 0:1.5-26
            oval oval:com.redhat.rhsa:tst:20070562010
          • comment krb5-devel is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095011
        • AND
          • comment krb5-libs is earlier than 0:1.5-26
            oval oval:com.redhat.rhsa:tst:20070562012
          • comment krb5-libs is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095013
        • AND
          • comment krb5-server is earlier than 0:1.5-26
            oval oval:com.redhat.rhsa:tst:20070562014
          • comment krb5-server is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095015
        • AND
          • comment krb5-workstation is earlier than 0:1.5-26
            oval oval:com.redhat.rhsa:tst:20070562016
          • comment krb5-workstation is signed with Red Hat redhatrelease key
            oval oval:com.redhat.rhsa:tst:20070095017
    rhsa
    id RHSA-2007:0562
    released 2007-06-26
    severity Important
    title RHSA-2007:0562: krb5 security update (Important)
  • rhsa
    id RHSA-2007:0384
rpms
  • krb5-debuginfo-0:1.2.7-66
  • krb5-devel-0:1.2.2-47
  • krb5-devel-0:1.2.7-66
  • krb5-libs-0:1.2.2-47
  • krb5-libs-0:1.2.7-66
  • krb5-server-0:1.2.2-47
  • krb5-server-0:1.2.7-66
  • krb5-workstation-0:1.2.2-47
  • krb5-workstation-0:1.2.7-66
  • krb5-debuginfo-0:1.3.4-49
  • krb5-debuginfo-0:1.5-26
  • krb5-devel-0:1.3.4-49
  • krb5-devel-0:1.5-26
  • krb5-libs-0:1.3.4-49
  • krb5-libs-0:1.5-26
  • krb5-server-0:1.3.4-49
  • krb5-server-0:1.5-26
  • krb5-workstation-0:1.3.4-49
  • krb5-workstation-0:1.5-26
refmap via4
apple APPLE-SA-2007-07-31
bid
  • 24653
  • 25159
bugtraq
  • 20070626 MITKRB5-SA-2007-005: kadmind vulnerable to buffer overflow
  • 20070628 FLEA-2007-0029-1: krb5 krb5-workstation
  • 20070629 TSLSA-2007-0021 - kerberos5
cert TA07-177A
cert-vn VU#554257
confirm
debian DSA-1323
fulldisc 20070920 VMSA-2007-0006 Critical security updates for all supported versions of VMware ESX Server, VMware Server, VMware Workstation, VMware ACE, and VMware Player
gentoo GLSA-200707-11
hp
  • HPSBUX02544
  • SSRT100107
idefense 20070626 Multiple Vendor Kerberos kadmind Rename Principal Buffer Overflow Vulnerability
mandriva MDKSA-2007:137
osvdb 36595
sectrack 1018295
secunia
  • 25800
  • 25801
  • 25814
  • 25821
  • 25870
  • 25875
  • 25888
  • 25890
  • 25894
  • 25911
  • 26033
  • 26228
  • 26235
  • 26909
  • 27706
  • 40346
sgi 20070602-01-P
sunalert 102985
suse SUSE-SA:2007:038
trustix 2007-0021
ubuntu USN-477-1
vupen
  • ADV-2007-2337
  • ADV-2007-2370
  • ADV-2007-2491
  • ADV-2007-2732
  • ADV-2007-3229
  • ADV-2010-1574
xf kerberos-renameprincipal2svc-bo(35080)
Last major update 02-02-2021 - 18:32
Published 26-06-2007 - 22:30
Last modified 02-02-2021 - 18:32
Back to Top