SecurityTracker.com
Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   

SecurityTracker
Archives


 
Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Affiliates
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Partners
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker
bugs
@
securitytracker.com





Category:   Application (Generic)  >   nfs-utils Vendors:   nfs.sourceforge.net
(Red Hat Issues Fix for nfs-utils) Kerberos kadmind Stack Overflow and Uninitialized Pointer Lets Remote Users Execute Arbitrary Code
SecurityTracker Alert ID:  1018760
SecurityTracker URL:  http://securitytracker.com/id/1018760
CVE Reference:   CVE-2007-3999, CVE-2007-4000, CVE-2007-4743   (Links to External Site)
Date:  Oct 2 2007
Impact:   Execution of arbitrary code via network, Root access via network, User access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  

Description:   Two vulnerabilities were reported in Kerberos. A remote user can execute arbitrary code on the target system. nfs-utils is affected.

A remote user can send specially crafted data to trigger a stack overflow in the krb5 Kerberos administration daemon (kadmind) in RPCSEC_GSS authentication RPC library [CVE-2007-3999]. Arbitrary code can be executed on the target system, typically with root privileges.

Third-party applications that use the RPC library may be affected.

Tenable Network Security reported this vulnerability via TippingPoint.

A remote authenticated user with 'modify policy' privileges can exploit an uninitialized pointer in kadmind to write arbitrary data to memory [CVE-2007-4000]. Arbitrary code can be executed on the target system, typically with root privileges.

Garrett Wollman of MIT CSAIL reported this vulnerability.
Impact:   A remote user can execute arbitrary code on the target system with root privileges.
Solution:   Red Hat has released a fix for nfs-utils, which is affected by this Kerberos vulnerability.

The Red Hat advisory is available at:

https://rhn.redhat.com/errata/RHSA-2007-0951.html
Cause:   Boundary error
Underlying OS:   Linux (Red Hat Enterprise)

Message History:   This archive entry is a follow-up to the message listed below.
Sep 4 2007 Kerberos kadmind Stack Overflow and Uninitialized Pointer Lets Remote Users Execute Arbitrary Code


 Source Message Contents
Date:  Tue, 2 Oct 2007 16:58:27 -0400
Subject:  [RHSA-2007:0951-01] Important: nfs-utils-lib security update


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
                   Red Hat Security Advisory

Synopsis:          Important: nfs-utils-lib security update
Advisory ID:       RHSA-2007:0951-01
Advisory URL:      https://rhn.redhat.com/errata/RHSA-2007-0951.html
Issue date:        2007-10-02
Updated on:        2007-10-02
Product:           Red Hat Enterprise Linux
CVE Names:         CVE-2007-3999 CVE-2007-4135 
- ---------------------------------------------------------------------

1. Summary:

An updated nfs-utils-lib package to correct two security flaws is now
available for Red Hat Enterprise Linux 5.

This update has been rated as having important security impact by the Red
Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64
RHEL Desktop Workstation (v. 5 client) - i386, x86_64
Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64

3. Problem description:

The nfs-utils-lib package contains support libraries that are needed by the
commands and daemons of the nfs-utils package.

The updated nfs-utils package fixes the following vulnerabilities:

Tenable Network Security discovered a stack buffer overflow flaw in the RPC
library used by nfs-utils-lib. A remote unauthenticated attacker who can
access an application linked against nfs-utils-lib could trigger this flaw
and cause the application to crash. On Red Hat Enterprise Linux 5 it is not
possible to exploit this flaw to run arbitrary code as the overflow is
blocked by FORTIFY_SOURCE. (CVE-2007-3999)

Tony Ernst from SGI has discovered a flaw in the way nfsidmap maps NFSv4
unknown uids.  If an unknown user ID is encountered on an NFSv4 mounted
filesystem, the files will default to being owned by 'root' rather than
'nobody'. (CVE-2007-4135)

Users of nfs-utils-lib are advised to upgrade to this updated package,
which contains backported patches to resolve these issues.

4. Solution:

Before applying this update, make sure that all previously-released
errata relevant to your system have been applied.  

This update is available via Red Hat Network.  Details on how to use 
the Red Hat Network to apply this update are available at
http://kbase.redhat.com/faq/FAQ_58_10188

5. Bug IDs fixed (http://bugzilla.redhat.com/):

250973 - CVE-2007-3999 krb5 RPC library buffer overflow
254040 - CVE-2007-4135 nfs-utils-lib NFSv4 user id mapping flaw

6. RPMs required:

Red Hat Enterprise Linux Desktop (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nfs-utils-lib-1.0.8-7.2.z2.src.rpm
80a7bf1fdfb74b567f0b98882b5de084  nfs-utils-lib-1.0.8-7.2.z2.src.rpm

i386:
4a7766d840a3b84ba568a283a3acf1d3  nfs-utils-lib-1.0.8-7.2.z2.i386.rpm
77bb5a12d96fc450ad8f04fbc1abcdde  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.i386.rpm

x86_64:
4a7766d840a3b84ba568a283a3acf1d3  nfs-utils-lib-1.0.8-7.2.z2.i386.rpm
0319d4618fd0cfc2ae148f91cb37eb2e  nfs-utils-lib-1.0.8-7.2.z2.x86_64.rpm
77bb5a12d96fc450ad8f04fbc1abcdde  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.i386.rpm
69c11a02a653647939fc32be7c3c2dd2  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.x86_64.rpm

RHEL Desktop Workstation (v. 5 client):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Client/en/os/SRPMS/nfs-utils-lib-1.0.8-7.2.z2.src.rpm
80a7bf1fdfb74b567f0b98882b5de084  nfs-utils-lib-1.0.8-7.2.z2.src.rpm

i386:
77bb5a12d96fc450ad8f04fbc1abcdde  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.i386.rpm
c890d8f2e7e6b5fa0bb0878936f343ad  nfs-utils-lib-devel-1.0.8-7.2.z2.i386.rpm

x86_64:
77bb5a12d96fc450ad8f04fbc1abcdde  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.i386.rpm
69c11a02a653647939fc32be7c3c2dd2  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.x86_64.rpm
c890d8f2e7e6b5fa0bb0878936f343ad  nfs-utils-lib-devel-1.0.8-7.2.z2.i386.rpm
33fe924d3a325d426858b6aad70f1fe6  nfs-utils-lib-devel-1.0.8-7.2.z2.x86_64.rpm

Red Hat Enterprise Linux (v. 5 server):

SRPMS:
ftp://ftp.redhat.com/pub/redhat/linux/enterprise/5Server/en/os/SRPMS/nfs-utils-lib-1.0.8-7.2.z2.src.rpm
80a7bf1fdfb74b567f0b98882b5de084  nfs-utils-lib-1.0.8-7.2.z2.src.rpm

i386:
4a7766d840a3b84ba568a283a3acf1d3  nfs-utils-lib-1.0.8-7.2.z2.i386.rpm
77bb5a12d96fc450ad8f04fbc1abcdde  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.i386.rpm
c890d8f2e7e6b5fa0bb0878936f343ad  nfs-utils-lib-devel-1.0.8-7.2.z2.i386.rpm

ia64:
b49bcc58f42fe1a3c1fb01aa86f40749  nfs-utils-lib-1.0.8-7.2.z2.ia64.rpm
ac743b06cbf45483ec3c22ccc7e12f86  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.ia64.rpm
981f9c4878a63f59d23c1b56e88a4488  nfs-utils-lib-devel-1.0.8-7.2.z2.ia64.rpm

ppc:
f9b8f236a9cd1e0af83e75c6328034ef  nfs-utils-lib-1.0.8-7.2.z2.ppc.rpm
15f30c10412135fe3c72c3810fbff021  nfs-utils-lib-1.0.8-7.2.z2.ppc64.rpm
9912592260df40ce8844a90103269689  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.ppc.rpm
6a81a1c21d61f183a9a3d32a5a434471  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.ppc64.rpm
e9010a2a7b9051ef213535caf3720c82  nfs-utils-lib-devel-1.0.8-7.2.z2.ppc.rpm
6d0ff75429edca9126c9eb3c03a61060  nfs-utils-lib-devel-1.0.8-7.2.z2.ppc64.rpm

s390x:
45ec57215f2edd048a6fbf06bcc0fefe  nfs-utils-lib-1.0.8-7.2.z2.s390.rpm
ba87ae35fc6b3fefd91bf158d0c77d5d  nfs-utils-lib-1.0.8-7.2.z2.s390x.rpm
777e9f6e54acf0ef3eae43e53593713e  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.s390.rpm
1a9be8a4081877d406845b4f510715a3  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.s390x.rpm
f0cc242918a225377f7b05302a82d5a7  nfs-utils-lib-devel-1.0.8-7.2.z2.s390.rpm
dea17a87ca13c7859fdac6607cd489d1  nfs-utils-lib-devel-1.0.8-7.2.z2.s390x.rpm

x86_64:
4a7766d840a3b84ba568a283a3acf1d3  nfs-utils-lib-1.0.8-7.2.z2.i386.rpm
0319d4618fd0cfc2ae148f91cb37eb2e  nfs-utils-lib-1.0.8-7.2.z2.x86_64.rpm
77bb5a12d96fc450ad8f04fbc1abcdde  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.i386.rpm
69c11a02a653647939fc32be7c3c2dd2  nfs-utils-lib-debuginfo-1.0.8-7.2.z2.x86_64.rpm
c890d8f2e7e6b5fa0bb0878936f343ad  nfs-utils-lib-devel-1.0.8-7.2.z2.i386.rpm
33fe924d3a325d426858b6aad70f1fe6  nfs-utils-lib-devel-1.0.8-7.2.z2.x86_64.rpm

These packages are GPG signed by Red Hat for security.  Our key and 
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-3999
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-4135
http://www.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is <secalert@redhat.com>.  More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2007 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.4 (GNU/Linux)

iD8DBQFHArCkXlSAg2UNWIIRAiCbAKCk1Oz03SEgSYH+1w//h0J/u6kHdACfV63H
1VbIkdLN8ULLB67sRYKkMQw=
=s53k
-----END PGP SIGNATURE-----



-- 
Enterprise-watch-list mailing list
Enterprise-watch-list@redhat.com
https://www.redhat.com/mailman/listinfo/enterprise-watch-list


Go to the Top of This SecurityTracker Archive Page



Home   |    View Topics   |    Search   |    Contact Us

Copyright 2012, SecurityGlobal.net LLC