CVE-2009-4212 — Integer Overflow or Wraparound in Kerberos

CWE-189 CWE-190 — Integer Overflow or Wraparound CWE-119 — Improper Restriction of Operations within the Bounds of a Memory Buffer8 documents8 sources

Severity

10.0CRITICALNVD

EPSS

16.5%

top 5.09%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

MIT Krb5 MIT Kerberos MIT Kerberos 5

Timeline

PublishedJan 13

Latest updateMay 2

Description

Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1.3 through 1.6.3, and 1.7 before 1.7.1, allow remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code by providing ciphertext with a length that is too short to be valid.

CVSS vector

AV:N/AC:L/C:C/I:C/A:CExploitability: 10.0 | Impact: 10.0

Affected Packages3 packages

▶Debianmit/krb5< 1.8+dfsg~alpha1-1+3

▶NVDmit/kerberos5-1.6.3

▶NVDmit/kerberos_520 versions+19

Patches

Patch: web.mit.edu ↗Patch: bugzilla.redhat.com ↗Patch: web.mit.edu ↗

🔴Vulnerability Details

GHSA

GHSA-39cv-j24w-8wvf: Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1↗2022-05-02

▶

CVEList

CVE-2009-4212: Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1↗2010-01-13

▶

OSV

CVE-2009-4212: Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality in the crypto library in MIT Kerberos 5 (aka krb5) 1↗2010-01-13

▶

📋Vendor Advisories

Ubuntu

Kerberos vulnerability↗2010-01-12

▶

Red Hat

krb: KDC integer overflows in AES and RC4 decryption routines (MITKRB5-SA-2009-004)↗2010-01-12

▶

Debian

CVE-2009-4212: krb5 - Multiple integer underflows in the (1) AES and (2) RC4 decryption functionality ...↗2009

▶

💬Community

Bugzilla

CVE-2009-4212 krb: KDC integer overflows in AES and RC4 decryption routines (MITKRB5-SA-2009-004)↗2009-12-07

▶