Kerberos FTP Server Lets Remote Authenticated Users Read and Write Files With Elevated Privileges
SecurityTracker Alert ID: 1025744 |
SecurityTracker URL: http://securitytracker.com/id/1025744
CVE Reference: CVE-2011-1526
Date: Jul 5 2011
Impact:
Disclosure of system information, Disclosure of user information, Modification of user information
Fix Available: Yes
Vendor Confirmed: Yes
Exploit Included: Yes
Version(s): krb5-appl-1.0.1 and prior versions
Description:
A vulnerability was reported in the FTP daemon (ftpd) shipped with MIT Kerberos in the krb5-appl package. A remote authenticated user can read and write files on the target system with elevated group privileges.
The daemon fails to set its effective group ID to that of the authenticated user before serving requests, so file operations run with the group ID of the process that started the FTP daemon. Because ftpd is normally started by root, this is typically the root or wheel group, and any file that group can read or write becomes readable or writable by every user who can log in over FTP.
Tim Zingelman reported this vulnerability.
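The following is an added illustration written for this entry; it is not code from krb5-appl ftpd and does not reproduce the actual ftpd source. It models the bug class the advisory describes, a daemon that changes its effective group ID without confirming the change took effect, next to the hardened pattern. The function and variable names are my own, and `unreachable_gid()` is an assumption used only to provoke a failing `setegid()` when run as an unprivileged user.

```c
/* privdrop_demo.c: unchecked vs. checked effective-ID changes.
 * Illustrative code written for this note; it is not ftpd source. */
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Flawed pattern: the setegid() result is discarded, so if the call fails the
 * process keeps the effective group it was started with (root or wheel for a
 * daemon launched by root) and the caller is never told. */
int drop_privs_unchecked(uid_t uid, gid_t gid)
{
    (void)setegid(gid);        /* the defect: return value ignored */
    return seteuid(uid);       /* only the UID step is reported */
}

/* Hardened pattern: change the group first (it needs the privilege that the
 * UID change gives up), check every step and refuse to continue on failure. */
int drop_privs_checked(uid_t uid, gid_t gid)
{
    if (setegid(gid) != 0) {
        fprintf(stderr, "setegid(%ld) failed: %s\n", (long)gid, strerror(errno));
        return -1;
    }
    if (seteuid(uid) != 0) {
        fprintf(stderr, "seteuid(%ld) failed: %s\n", (long)uid, strerror(errno));
        return -1;
    }
    return 0;
}

/* Post-condition a daemon should verify before touching any user file:
 * returns 1 if both effective IDs are the intended ones, 0 otherwise. */
int privs_dropped(uid_t uid, gid_t gid)
{
    return geteuid() == uid && getegid() == gid;
}

/* A group an unprivileged process is not allowed to switch to: gid 0, or
 * gid 1 if the process already belongs to group 0. Demo assumption only. */
gid_t unreachable_gid(void)
{
    return getgid() == 0 ? (gid_t)1 : (gid_t)0;
}

int main(void)
{
    uid_t uid = getuid();
    gid_t bad = unreachable_gid();
    int rc, dropped;

    /* As a normal user the unchecked version reports success while the
     * effective GID silently stays unchanged. As root both calls succeed,
     * which is why the post-condition must be checked rather than assumed. */
    rc = drop_privs_unchecked(uid, bad);
    dropped = privs_dropped(uid, bad);
    printf("unchecked: rc=%d dropped=%d egid=%ld\n", rc, dropped, (long)getegid());

    rc = drop_privs_checked(uid, bad);
    dropped = privs_dropped(uid, bad);
    printf("checked:   rc=%d dropped=%d egid=%ld\n", rc, dropped, (long)getegid());
    return 0;
}
```

Run it as an ordinary user: the unchecked path returns 0 although `privs_dropped()` reports that the effective group never changed, which is the situation a remote user exploits when the daemon then opens files on their behalf. The checked path refuses to continue. The same check, reading `getegid()` back after the switch, is what a daemon should do before serving any file request.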
Impact:
A remote authenticated user can read and write files on the target system with the privileges of the group ID that started the FTP daemon.
Solution:
The vendor has issued a patch, available at:
http://web.mit.edu/kerberos/advisories/2011-005-patch.txt
The patch will be included in an upcoming release of krb5-appl.
The vendor's advisory is available at:
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt
Vendor URL: web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt
Cause:
Access control error
Underlying OS:
Linux (Any), UNIX (Any)
Message History:
This archive entry has one or more follow-up message(s) listed below.
Source Message Contents
Date: Tue, 05 Jul 2011 18:44:53 +0000
Subject: Kerberos
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-005.txt
CVE-2011-1526