CVE-2011-0285
published 2011-04-15

Priority: P263
CVSS 2.0: 10 (critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 17.95% (96.8th percentile)
The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.

Affected

12 ranges (identical rows collapsed)

Vendor   Product      Version range                      Fixed in
debian   krb5         < krb5 1.9.1+dfsg-1 (bookworm)     krb5 1.9.1+dfsg-1 (bookworm)
mit      kerberos_5   (not listed; 7 identical entries)  (not listed)
mit      krb5         >= 0, < 1.9.1+dfsg-1 (4 entries)   1.9.1+dfsg-1

Detection & IOCs (extracted from sources)

process: kadmind
path: schpw.c:process_chpw_request
  • Target service is kadmind's password-changing functionality (process_chpw_request in schpw.c); monitor for unauthenticated crafted requests to kadmind that trigger error conditions leading to free() of an invalid pointer and process crash.
  • Only krb5 versions 1.7 and higher are vulnerable; earlier releases do not contain the affected password-changing code path. Scope detection to hosts running krb5 1.7 through 1.9.
  • On systems with glibc protections, exploitation results in a crash only (no arbitrary code execution); unexpected kadmind termination should be treated as a potential exploitation attempt.
  • Exploit is unauthenticated: no valid Kerberos credentials are required to trigger the vulnerability; alert on anomalous/malformed password-change requests to kadmind from unknown sources.
  • Red Hat Enterprise Linux 5 ships a version of krb5 that is NOT affected; detection/patching efforts should focus on RHEL 6 and systems running krb5 1.7–1.9.
  • Debian fixed the issue in krb5 package version 1.9.1+dfsg-1; systems running earlier Debian krb5 packages across all current suites (bookworm, bullseye, sid, trixie, forky) were vulnerable.

CVSS provenance

Source          Version   Score   Severity   Vector
nvd             v2.0      10.0    CRITICAL   AV:N/AC:L/Au:N/C:C/I:C/A:C
osv                       10.0    CRITICAL
vendor_debian             10.0    CRITICAL
vendor_redhat             10.0    CRITICAL