| Vigil@nce team describes computer vulnerabilities impacting your systems, and offers solutions to correct them. |
|
 |
|
|
|
vulnerability announce CVE-2009-4212
MIT krb5: integer overflow of AES and RC4
Synthesis of the vulnerability
| An attacker can send a malicious query to MIT krb5, in order to stop the KDC, and possibly to execute code. |
Severity: 3/4.
Creation date: 13/01/2010.
|
Description of the vulnerability
The KDC (Key Distribution Center) of MIT Kerberos supports ciphertexts encrypted with:
- the AES algorithm (RFC 3962)
- the RC4 algorithm (RFC 4757)
When the KDC decrypts an AES/RC4 ciphertext, it does not check if its size is superior to the minimal size. An attacker can thus send a short query, which generates an integer overflow, and corrupts the memory.
An non authenticated attacker can therefore send a malicious query to MIT krb5, in order to stop the KDC, and possibly to execute code. |
Complete Vigil@nce bulletin
Characteristics
Title: MIT krb5: integer overflow of AES and RC4.
Keywords: 3962 4757 AES Center Distribution KDC Kerberos Key MIT RC4 RFC integer krb5 overflow.
Identifiers: 275530, 6908114, BID-37749, CVE-2009-4212, DSA-1969-1, FEDORA-2010-0503, FEDORA-2010-0515, MDVSA-2010:006, MITKRB5-SA-2009-004, RHSA-2010:0029-01, SUSE-SA:2010:006, VIGILANCE-VUL-9337, VMSA-2010-0009, VMSA-2010-0009.1.
|
Information sources
Solutions for this vulnerability
Computer vulnerabilities tracking service
The Vigil@nce computer vulnerability tracking service alerts your teams of vulnerabilities or threats impacting your information system.
The Vigil@nce vulnerability database contains several thousand vulnerabilities.
This bulletin is published by the Vigil@nce team, which tracks computer vulnerabilities impacting systems and applications.
Technology watch team on vulnerabilities
|
