Family: Mandrake Local Security Checks --> Category: infos
MDKSA-2004:088: krb5 Vulnerability Scan
Vulnerability Scan Summary
Check for the version of the krb5 package
Detailed Explanation for this Vulnerability Test
The remote host is missing the patch for the advisory MDKSA-2004:088 (krb5).
A double-free vulnerability exists in the MIT Kerberos 5's KDC program that
could potentially allow a remote attacker to execute arbitrary code on the KDC
host. As well, multiple double-free vulnerabilities exist in the krb5 library
code, which makes client programs and application servers vulnerable. The MIT
Kerberos 5 development team believes that exploitation of these bugs would be
difficult and no known vulnerabilities are believed to exist. The vulnerability
in krb524d was discovered by Marc Horowitz
the other double-free
vulnerabilities were discovered by Will Fiveash and Nico Williams at Sun.
Will Fiveash and Nico Williams also found another vulnerability in the ASN.1
decoder library. This makes krb5 vulnerable to a DoS (Denial of Service) attack
causing an infinite loop in the decoder. The KDC is vulnerable to this attack.
The MIT Kerberos 5 team has provided patches which have been applied to the
updated software to fix these issues. Mandrakesoft encourages all users to
Solution : http://wwwnew.mandriva.com/security/advisories?name=MDKSA-2004:088
Threat Level: High
Click HERE for more information and discussions on this network vulnerability scan.