| Field | Value |
|---|---|
| VID | 13013 |
| Severity | 30 |
| Port | 88, 750 |
| Protocol | UDP |
| Class | Protocol |
| Detailed Description | The system is running the Kerberos 5 protocol. Multiple vulnerabilities have been found in MIT Kerberos 5 releases 1.2.7 and earlier, including the following: a remote user can crash the KDC; a user authenticated in a remote realm may be able to claim to be other non-local users to an application server; it may be possible for a user to gain access to the KDC system and database; corruption of the malloc pool, probably leading to a program crash; a reference to data just past the end of an array in the KDC, for comparison against certain fixed data, which may result in crashing the KDC.<br>Note: This check relied solely on the presence of the Kerberos 5 service to assess this vulnerability, so it might be a false positive.<br>References: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt, http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt, http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt, http://www.kb.cert.org/vuls/id/587579, http://www.kb.cert.org/vuls/id/787523, http://www.kb.cert.org/vuls/id/661243, http://www.kb.cert.org/vuls/id/684563, http://www.kb.cert.org/vuls/id/623217, http://www.kb.cert.org/vuls/id/442569<br>Affected Software: Kerberos 5 (krb5) 1.3-alpha1 and earlier |
| Recommendation | Upgrade to the latest version (1.3 or later) of MIT Kerberos 5, available from the MIT Kerberos Web site, http://web.mit.edu/kerberos/www/<br>-- OR --<br>If version 1.3 of MIT Kerberos 5 is not yet available, upgrade to version 1.2.7 of MIT Kerberos 5, available from the MIT Kerberos Web site, http://web.mit.edu/kerberos/www/, and apply the historical patches for Kerberos 5, available from the MIT Kerberos Security Advisories page, http://web.mit.edu/kerberos/www/advisories/index.html |
| Related URL | CVE-2003-0139, CVE-2003-0138, CVE-2003-0072, CVE-2003-0082, CVE-2003-0059, CVE-2003-0060, CVE-2002-0036 (CVE) |
| Related URL | 7184, 7185, 7113, 6714, 6713, 6712 (SecurityFocus) |
| Related URL | (ISS) |