Rapid7 Vulnerability & Exploit Database

RHSA-2001:025: Updated Kerberos 5 and pam_krb5 packages available

Severity: 1
CVSS: (AV:L/AC:H/Au:N/C:N/I:P/A:N)
Published: 02/16/2001
Created: 07/25/2018
Added: 10/28/2005
Modified: 07/04/2017

Description

Updated Kerberos 5 packages are now available for Red Hat Linux 6 and 7. These packages fix a vulnerability in the handling of Kerberos IV ticket files. Updated pam_krb5 packages are now available for Red Hat Linux 7.

A race condition exists in libkrb4 that would allow a malicious user to cause Kerberized login services to overwrite the contents of any file on the system. The destroyed file would contain the Kerberos credentials of an unsuspecting user who had attempted to log in using the Kerberized login service being exploited. Additional precautions taken in Kerberos 5 1.2.2 will cause pam_krb5 to fail when it attempts to create Kerberos IV ticket files on behalf of users. An update for the pam_krb5 package that corrects this is also available.

Solution(s)

  • redhat-upgrade-krb5-configs
  • redhat-upgrade-krb5-devel
  • redhat-upgrade-krb5-libs
  • redhat-upgrade-krb5-server
  • redhat-upgrade-krb5-workstation
  • redhat-upgrade-pam_krb5
