04 January 2010, 15:15
DoS vulnerability patched in MIT Kerberos
An update for the MIT's Kerberos 5 implementation fixes a null-pointer dereference vulnerability that allows attackers to remotely crash the Key Distribution Center (KDC). According to an advisory by the MIT, sending a specially crafted client request to the KDC is all that is required to exploit the vulnerability.
The prep_reprocess_req() function, which is responsible for the bug, was only introduced in the current version krb5-1.7 of MIT Kerberos; previous versions are, therefore, not vulnerable. The imminent update krb5-1.7.1 will fix the flaw. A patch is already available.
See also:
(djwm)
Print Version | Send by email
| Permalink: http://h-online.com/-895155
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
