CVE-2007-3999
Published 2007-09-06
Priority: P3 (49) · critical · CVSS 2.0 score 10.0
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EPSS: 10.91% (95.3rd percentile)
Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.
The original patch for this issue did not correctly check the buffer length in some environments and architectures. That incomplete fix is tracked separately as CVE-2007-4743, and the vendor entries below cover both identifiers; a build that carries only the first patch is not fully fixed.
Affected
17 ranges (duplicate entries collapsed)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < 1.6.dfsg.1-7 (bookworm, bullseye, trixie, forky, sid) | 1.6.dfsg.1-7 |
| mit | kerberos_5 | 1.4 through 1.6.2 (per the CVE description; no fixed version recorded by the source) | — |
| mit | krb5 | >= 0 < 1.6.dfsg.1-7 (a Debian package version, listed under mit by the source) | 1.6.dfsg.1-7 |
Detection & IOCs (extracted from sources)
- The vulnerable function is `svcauth_gss_validate` in `lib/rpc/svc_auth_gss.c` (librpcsecgss). It rebuilds the RPC call header into a fixed-size stack buffer, and a long string in an RPC message overflows it; the result is a daemon crash and probably arbitrary code execution.
- The attack is pre-authentication: the overflow happens while the server is validating the RPC message, before any Kerberos credential has been verified, so no valid Kerberos credentials are required (Ubuntu's advisory states that an unauthenticated remote user could execute arbitrary code with root privileges). Monitor for anomalously large RPCSEC_GSS RPC requests reaching kadmind (default port 749/tcp) from unexpected sources.
- The vulnerability affects not only kadmind but also third-party applications that link against librpcsecgss/krb5, and copies of the same RPC code carried by other projects. Any such application accepting RPC connections should be treated as potentially exposed: the Fedora tracking bugs below shipped fixes in libtirpc and nfs-utils-lib as well as krb5, and MIT noted that nfs-utils contains the affected server-side code.
- The first fix was incomplete. CVE-2007-4743 covers the revised patch, so a package that applied only the original CVE-2007-3999 patch is still affected on some environments and architectures.
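The following is an added example, not librpcsecgss source and not part of the original advisory page. It is a reduced model of what the first two items above describe: the server rebuilds the signed RPC call header (eight 32-bit words followed by the message's opaque credential, padded to the XDR 4-byte boundary, per RFC 5531) into a fixed stack buffer, and a bound that looks only at the credential length is not enough. My reading that the "long string" is the credential is an assumption about the bug, as are the 128-byte buffer, the program number 2112 and every function name below. `parse_call` plus `rpchdr_needed` can also be run over captured RPC requests as the size check the monitoring item asks for.

```c
/* Added example (not librpcsecgss source): a reduced model of how a
 * svcauth_gss_validate()-style routine rebuilds the signed RPC call header
 * into a fixed stack buffer, and why bounding the credential alone fails.
 * Buffer size, program number and helper names are this example's
 * assumptions; the wire layout follows RFC 5531. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define RPCHDR_SIZE    128   /* fixed reconstruction buffer in this model */
#define MAX_AUTH_BYTES 400   /* RFC 5531 ceiling for an opaque_auth body */
#define FIXED_WORDS    8     /* xid dir rpcvers prog vers proc flavor len */
#define RNDUP(x)       (((x) + 3u) & ~3u)   /* XDR 4-byte alignment */

struct cred_view {
    uint32_t flavor;
    uint32_t length;       /* credential length as declared on the wire */
    const uint8_t *body;   /* credential bytes inside the message */
};

static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Parse the fixed part of a CALL message plus its credential descriptor.
 * Returns 0 on success, -1 if the message is malformed or the declared
 * credential length runs past the bytes actually received. */
int parse_call(const uint8_t *msg, size_t len, struct cred_view *cv) {
    if (len < FIXED_WORDS * 4) return -1;
    if (get_u32(msg + 4) != 0 || get_u32(msg + 8) != 2) return -1; /* CALL, RPC v2 */
    cv->flavor = get_u32(msg + 24);
    cv->length = get_u32(msg + 28);
    cv->body   = msg + 32;
    if ((size_t)cv->length > len - 32) return -1;
    return 0;
}

/* Bytes the rebuilt header occupies: 32 fixed bytes plus the credential
 * rounded up to the XDR boundary (the padding is part of the write). */
size_t rpchdr_needed(uint32_t cred_len) {
    return FIXED_WORDS * 4 + RNDUP(cred_len);
}

/* The tempting but wrong bound: credential length against the buffer
 * size, ignoring the 32 bytes already written and the padding. It accepts
 * 97..128, every one of which overruns a 128-byte buffer. */
int weak_bound_accepts(uint32_t cred_len) {
    return cred_len <= RPCHDR_SIZE;
}

/* Hardened rebuild: enforce the protocol ceiling, then size the whole
 * header against the destination before any copy. Returns the number of
 * bytes written, or -1 if the message is rejected. */
int rebuild_rpchdr(const uint8_t *msg, size_t len, uint8_t *out, size_t outlen) {
    struct cred_view cv;
    if (parse_call(msg, len, &cv) != 0) return -1;
    if (cv.length > MAX_AUTH_BYTES) return -1;
    size_t need = rpchdr_needed(cv.length);
    if (need > outlen) return -1;
    memset(out, 0, need);                  /* zero so padding bytes are defined */
    memcpy(out, msg, FIXED_WORDS * 4);     /* fixed words are already XDR */
    memcpy(out + FIXED_WORDS * 4, cv.body, cv.length);
    return (int)need;
}

/* Constructed input: a CALL with a cred_len-byte RPCSEC_GSS credential
 * (flavor 6) filled with 'A'. Returns message length, 0 if buf is too small. */
size_t make_call(uint8_t *buf, size_t buflen, uint32_t cred_len) {
    if (buflen < FIXED_WORDS * 4 + (size_t)cred_len) return 0;
    uint32_t words[FIXED_WORDS] = { 0x1234, 0, 2, 2112 /* assumed prog */, 1, 1, 6, cred_len };
    for (int i = 0; i < FIXED_WORDS; i++) put_u32(buf + 4 * i, words[i]);
    memset(buf + FIXED_WORDS * 4, 'A', cred_len);
    return FIXED_WORDS * 4 + cred_len;
}

/* Build a message carrying cred_len credential bytes and rebuild it into
 * an outlen-byte buffer; returns rebuild_rpchdr()'s result. */
int try_cred_len(uint32_t cred_len, size_t outlen) {
    uint8_t msg[FIXED_WORDS * 4 + MAX_AUTH_BYTES + 64], out[1024];
    if (outlen > sizeof out) return -1;
    size_t n = make_call(msg, sizeof msg, cred_len);
    return n ? rebuild_rpchdr(msg, n, out, outlen) : -1;
}

int main(void) {
    uint32_t probes[] = { 96, 97, 100, 128, 400, 401 };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++)
        printf("cred %3u: need %3zu, weak bound %s, hardened -> %d\n",
               probes[i], rpchdr_needed(probes[i]),
               weak_bound_accepts(probes[i]) ? "accepts" : "rejects",
               try_cred_len(probes[i], RPCHDR_SIZE));
    return 0;
}
```

The 97-byte case is the one worth remembering: it fails even though 32 + 97 = 129 is only one byte over, because XDR padding rounds the copy to 100 bytes. A correct bound has to be computed on the total that is written, including padding, against the real size of the destination; a check written in terms of a constant such as `MAX_AUTH_BYTES` alone silently depends on the buffer being larger than that constant plus the fixed header on every platform the code is built for, which is the kind of environment-dependent gap that produced the follow-up CVE.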
CVSS provenance
- nvd: v2.0 10.0 CRITICAL, AV:N/AC:L/Au:N/C:C/I:C/A:C
- osv: 10.0 CRITICAL
- vendor_debian: 10.0 HIGH
- vendor_redhat: 10.0 CRITICAL
Red Hat (vendor_redhat) · 2007-09-05 · CVSS 10.0 · CRITICAL
CVE-2007-4743: krb5 incomplete fix for CVE-2007-3999
The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack.
Red Hat (vendor_redhat) · 2007-09-04 · CVSS 10.0 · CRITICAL
CVE-2007-3999: krb5 RPC library buffer overflow
Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.
Ubuntu (vendor_ubuntu) · 2007-09-04
CVE-2007-3999: Kerberos vulnerability
It was discovered that the libraries handling RPCSEC_GSS did not correctly
validate the size of certain packet structures. An unauthenticated remote
user could send a specially crafted request and execute arbitrary code
with root privileges.
Instructions: In general, a standard system upgrade is sufficient to effect the necessary changes.
Debian (vendor_debian) · 2007 · CVSS 10.0 · CRITICAL
CVE-2007-4743: krb5 - The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack.
Scope: local
bookworm, bullseye, trixie, forky, sid: resolved (fixed in 1.6.dfsg.1-7)
Debian (vendor_debian) · 2007 · CVSS 10.0 · CRITICAL
CVE-2007-3999: krb5 - Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.
Scope: local
bookworm, bullseye, trixie, forky, sid: resolved (fixed in 1.6.dfsg.1-7)
GHSA (ghsa_unreviewed) · 2022-05-01 · HIGH · CWE-119
GHSA-62qg-wq9p-p6p2 (CVE-2007-3999): Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c
Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.
GHSA (ghsa_unreviewed) · 2022-05-01 · CVSS 10.0 · CRITICAL · CWE-119
GHSA-2pm5-h4rp-cjq3 (CVE-2007-4743): The original patch for CVE-2007-3999 in svc_auth_gss.c
The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack.
OSV (osv) · 2007-09-06 · CVSS 10.0 · CRITICAL
CVE-2007-4743: The original patch for CVE-2007-3999 in svc_auth_gss.c
The original patch for CVE-2007-3999 in svc_auth_gss.c in the RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and other applications that use krb5, does not correctly check the buffer length in some environments and architectures, which might allow remote attackers to conduct a buffer overflow attack.
OSV (osv) · 2007-09-05 · CVSS 10.0 · CRITICAL
CVE-2007-3999: Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c
Stack-based buffer overflow in the svcauth_gss_validate function in lib/rpc/svc_auth_gss.c in the RPCSEC_GSS RPC library (librpcsecgss) in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as used by the Kerberos administration daemon (kadmind) and some third-party applications that use krb5, allows remote attackers to cause a denial of service (daemon crash) and probably execute arbitrary code via a long string in an RPC message.
No detection rules found.
No public exploits indexed.
Bugzilla (bugzilla) · 2007-11-01 · CVSS 10.0 · CRITICAL
CVE-2007-3999 krb5 RPC library buffer overflow [F8]
F8 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
What prevents you from doing an update? Do you need help? Otherwise please
prepare an update as soon as possible.
---
Fix included upstream in 1.1.0.
Bugzilla (bugzilla) · 2007-11-01 · CVSS 10.0 · CRITICAL
CVE-2007-3999 krb5 RPC library buffer overflow [Fdevel]
Fdevel tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
What prevents you from doing an update? Do you need help? Otherwise please
prepare an update as soon as possible.
---
Fixed in nfs-utils-lib-1.1.1-2.fc9
---
Final Freeze is in effect now. Security fixes almost certainly warrant a freeze
break, so in case you build a fix for this, mail release engineering as
described here: [2]
[1] https://www.redhat.com/archives/fedora-devel-announce/2008-April/msg00007.html
[2] http://fedoraproject.org/wiki/ReleaseEngineering/FinalFreezePolicy
Thanks!
---
(In reply to comment #2)
> Fixed in nfs-utils-lib-1.1.1-2.fc9
Was that fixed upstream in
Bugzilla (bugzilla) · 2007-11-01 · CVSS 10.0 · CRITICAL
CVE-2007-3999 krb5 RPC library buffer overflow [F8]
F8 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
What prevents you from doing an update? Do you need help? Otherwise please
prepare an update as soon as possible.
---
Fixed in libtirpc-0.1.7-15.fc8
---
libtirpc-0.1.7-15.fc8 has been pushed to the Fedora 8 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla (bugzilla) · 2007-11-01 · CVSS 10.0 · CRITICAL
CVE-2007-3999 krb5 RPC library buffer overflow [Fdevel]
Fdevel tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
What prevents you from doing an update? Do you need help? Otherwise please
prepare an update as soon as possible.
---
Fixed in libtirpc-0.1.7-15.fc9.
---
libtirpc-0.1.7-15.fc8 has been pushed to the Fedora 8 testing repository. If problems still persist, please make note of it in this bug report.
If you want to test the update, you can install it with
su -c 'yum --enablerepo=updates-testing update libtirpc'. You can provide feedback for this update here: http://admin.fedoraproject.org/F8/FEDORA-2008-1017
Bugzilla (bugzilla) · 2007-09-18 · CVSS 10.0 · CRITICAL
CVE-2007-3999 krb5 RPC library buffer overflow [FC6]
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This needs to be addressed immediately!
---
What prevents you from doing an update? Do you need help? Otherwise please
prepare an update as soon as possible.
---
Fedora apologizes that these issues have not been resolved yet. We're
sorry it's taken so long for your bug to be properly triaged and acted
on. We appreciate the time you took to report this issue and want to
make sure no important bugs slip through the cracks.
If you're currently running a version of Fedora Core between 1 and 6,
please note that Fedora no longer maintains these releases. We strongly
encourage you to upgrade to
Bugzilla (bugzilla) · 2007-09-18 · CVSS 10.0 · CRITICAL
CVE-2007-3999 krb5 RPC library buffer overflow [F7]
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
This needs to be addressed immediately!
---
What prevents you from doing an update? Do you need help? Otherwise please
prepare an update as soon as possible.
---
This message is a reminder that Fedora 7 is nearing the end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 7. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '7'.
Package Maintainer: If you wish for this bug to remain open because you
Bugzilla (bugzilla) · 2007-09-06 · CVSS 10.0 · CRITICAL
CVE-2007-4743 krb5 incomplete fix for CVE-2007-3999
Text taken from MITRE:
The original patch for CVE-2007-3999 in svc_auth_gss.c in the
RPCSEC_GSS RPC library in MIT Kerberos 5 (krb5) 1.4 through 1.6.2, as
used by the Kerberos administration daemon (kadmind) and other
applications that use krb5, does not correctly check the buffer length
in some environments and architectures, which might allow remote
attackers to conduct a buffer overflow attack.
Discussion:
This was addressed via:
Red Hat Enterprise Linux version 5 (RHSA-2007:0892)
Bugzilla (bugzilla) · 2007-08-06 · CVSS 10.0 · CRITICAL
CVE-2007-3999 krb5 RPC library buffer overflow
MIT notified us of kadmind RPC lib buffer overflow, uninitialized pointer. Will
be public on 04 September 2007, at 14:00 US/Eastern time.
This issue has not been triaged as it may well affect recent RHEL distributions
with a different severity (flaw type is likely caught by fortify_source)
Discussion:
Created attachment 160738
proposed patch from MIT
---
Update from MIT Kerberos team:
We have discovered that the server-side code in nfs-utils is also
vulnerable to CVE-2007-3999. If you are distributing nfs-utils or
some derivative, you may care about this. According to Kevin Coffman
of the University of Michigan, nfs-utils is probably not vulnerable
because it does not actually execute any server-side RPC code. We are
working to confirm
References
- http://article.gmane.org/gmane.comp.encryption.kerberos.announce/86
- http://docs.info.apple.com/article.html?artnum=307041
- http://lists.apple.com/archives/security-announce/2007/Nov/msg00002.html
- http://secunia.com/advisories/26699
- http://secunia.com/advisories/26987
- http://secunia.com/advisories/27643
- http://www.debian.org/security/2007/dsa-1387
- http://www.novell.com/linux/security/advisories/2007_19_sr.html
- http://www.redhat.com/support/errata/RHSA-2007-0892.html
- http://www.securityfocus.com/archive/1/478748/100/0/threaded
- http://www.securityfocus.com/archive/1/478794/100/0/threaded
- http://www.securityfocus.com/bid/26444
- http://www.ubuntu.com/usn/usn-511-2
- http://www.us-cert.gov/cas/techalerts/TA07-319A.html
- http://www.vupen.com/english/advisories/2007/3868
- https://issues.rpath.com/browse/RPL-1696
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10239