MITKRB5-SA-2014-001 Buffer overrun in kadmind with LDAP backend

Benjamin Kaduk kaduk at MIT.EDU
Thu Aug 7 18:48:56 EDT 2014


Chris Hecker wrote:
>
> To be extra clear, this doesn't affect normal KDC client access with LDAP
> backends, only kadmin access?  In other words, if I don't expose kadmin I
> don't have to freak out?  What about password changing through a web
> interface (meaning only takes princ and password from the wild)?

That's correct, normal KDC client access is unaffected.
If you do not expose kadmin there is no vulnerability.

Password changes through a web interface should also be fine; the
vulnerability requires the use of the -keepold argument to kadmin's
cpw command.  Since the web interface is (presumably) not using that
flag, you are safe.

-Ben

