RPC credentials of zero length can crash Kerberos and may lead to arbitrary code execution. Specifically, the gssrpc__svcauth_gssapi() function is vulnerable.

An integer conversion error in gssrpc__svcauth_unix() can lead to a crash of Kerberos or arbitrary code execution.

Finally, a stack overflow in rename_principal_2_svc() can lead to a crash of Kerberos or arbitrary code execution.

Description:

Numerous vulnerabilities have been disclosed affecting the Kerberos authentication protocol, as maintained by MIT. Most of the disclosed issues can lead to remote attackers taking control over vulnerable systems.

Exploit samples for some of the issues are already privately held by MIT.

Mitigation:

Administrators and advanced users should apply the updates to Kerberos as soon as practical.

Updates:

http://web.mit.edu/kerberos

Source:

http://web.mit.edu/kerberos/advisories

Exploits:

Privately held by MIT

CVE-ID: CVE-2007-2798 CVE-ID: CVE-2007-2442 CVE-ID: CVE-2007-2443