[Bug 1009422] Re: (CVE-2012-1013) krb5 : kadmind denial of service
Steve Beattie
sbeattie at ubuntu.com
Tue Jul 24 05:04:03 UTC 2012
This is a low priority issue due to the required privileges needed to
exploit it.
** Changed in: krb5 (Ubuntu)
Importance: Undecided => Low
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1009422
Title:
(CVE-2012-1013) krb5 : kadmind denial of service
Status in “krb5” package in Ubuntu:
Confirmed
Status in “krb5” package in Fedora:
Unknown
Bug description:
https://secunia.com/advisories/49346/
Description
A weakness has been reported in Kerberos, which can be exploited by malicious users to cause a DoS (Denial of Service).
The vulnerability is caused due to a NULL pointer dereference error in
the "check_1_6_dummy()" function in src/lib/kadm5/srv/svr_principal.c.
This can be exploited to cause a crash via a create-principal request
containing no password but the KRB5_KDB_DISALLOW_ALL_TIX flag.
Successful exploitation requires an administrator account with
"create" privileges.
The weakness is reported in versions prior to 1.10.2.
Solution
Update to version 1.10.2.
Provided and/or discovered by
Reported by the vendor.
Original Advisory
http://web.mit.edu/kerberos/krb5-1.10/
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/krb5/+bug/1009422/+subscriptions
More information about the foundations-bugs
mailing list