Keep Track of the Latest Vulnerabilities
with SecurityTracker!
    Home    |    View Topics    |    Search    |    Contact Us    |   


Sign Up
Sign Up for Your FREE Weekly SecurityTracker E-mail Alert Summary
Instant Alerts
Buy our Premium Vulnerability Notification Service to receive customized, instant alerts
Put SecurityTracker Vulnerability Alerts on Your Web Site -- It's Free!
Become a Partner and License Our Database or Notification Service
Report a Bug
Report a vulnerability that you have found to SecurityTracker

Category:   Application (Security)  >   Kerberos Vendors:   MIT
MIT Kerberos Buffer Overflow in kadmind with LDAP Backend Lets Remote Authenticated Users Execute Arbitrary Code
SecurityTracker Alert ID:  1030705
SecurityTracker URL:
CVE Reference:   CVE-2014-4345   (Links to External Site)
Date:  Aug 11 2014
Impact:   Execution of arbitrary code via network, Root access via network
Fix Available:  Yes  Vendor Confirmed:  Yes  
Version(s): 5-1.6 to 5-1.12.2
Description:   A vulnerability was reported in MIT Kerberos. A remote authenticated user can execute arbitrary code on the target system.

On systems where kadmind uses LDAP for the KDC database, a remote authenticated user can send specially crafted data to trigger an off-by-one buffer overflow in kadmind and potentially execute arbitrary code on the target system.

The krb5_encode_krbsecretkey() function is affected.

Tomas Kuthan and Greg Hudson reported this vulnerability.

Impact:   A remote authenticated user can execute arbitrary code on the target system.
Solution:   The vendor has issued a fix (krb5-1.11.6, krb5-1.12.2).

A patch is also available.

The vendor's advisory is available at:

Vendor URL: (Links to External Site)
Cause:   Boundary error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
Sep 17 2014 (Red Hat Issues Fix) MIT Kerberos Buffer Overflow in kadmind with LDAP Backend Lets Remote Authenticated Users Execute Arbitrary Code   (
Red Hat has issued a fix for Red Hat Enterprise Linux 5.
Oct 14 2014 (Red Hat Issues Fix) MIT Kerberos Buffer Overflow in kadmind with LDAP Backend Lets Remote Authenticated Users Execute Arbitrary Code   (
Red Hat has issued a fix for Red Hat Enterprise Linux 6.

 Source Message Contents

Date:  Mon, 11 Aug 2014 20:13:37 +0000

Hash: SHA256


MIT krb5 Security Advisory 2014-001
Original release: 2014-08-07
Last update: 2014-08-07

Topic: Buffer overrun in kadmind with LDAP backend


CVSSv2 Base Score:      8.5

Access Vector:          Network
Access Complexity:      Medium
Authentication:         Single
Confidentiality Impact: Complete
Integrity Impact:       Complete
Availability Impact:    Complete

CVSSv2 Temporal Score:  6.7

Exploitability:         Proof-of-Concept
Remediation Level:      Official Fix
Report Confidence:      Confirmed


In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause it to perform an
out-of-bounds write (buffer overflow).  This is not a protocol
vulnerability.  Using LDAP for the KDC database is a non-default
configuration for the KDC.


Historically, it has been possible to convert an out-of-bounds write
into remote code execution in some cases, though the necessary exploits
must be tailored to the individual application and are usually quite
complicated.  Depending on the allocated length of the array, an
out-of-bounds write may also cause a segmentation fault and/or
application crash.


* The kadmind daemon from MIT krb5 releases 1.6 to 1.12.2, when
  configured to use the LDAP backend for the KDB, is vulnerable.
  Releases of MIT krb5 prior to 1.6 did not provide the ability to use
  LDAP for the KDB backend.


* Workaround: disable or restrict access to kadmind until a patched
  version can be installed.  This will prevent principal creation,
  password changes, keytab updates, and other administrative operations.

* The krb5-1.12.2 and krb5-1.11.6 releases will contain a fix for this

diff --git a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
index ce851ea..df5934c 100644
- --- a/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
+++ b/src/plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c
@@ -456,7 +456,8 @@ krb5_encode_krbsecretkey(krb5_key_data *key_data_in, int n_key_data,
             last = i + 1;

- -            currkvno = key_data[i].key_data_kvno;
+            if (i < n_key_data - 1)
+                currkvno = key_data[i + 1].key_data_kvno;
     ret[num_versions] = NULL;

  This patch is also available at

  A PGP-signed patch is available at


This announcement is posted at:

This announcement and related security advisories may be found on the
MIT Kerberos security advisory page at:

The main MIT Kerberos web page is at:


CVE: CVE-2014-4345


This off-by-one error was reported by Tomas Kuthan as github pull
request #181 and recognized as a vulnerability by Greg Hudson.


The MIT Kerberos Team security contact address is
<>.  When sending sensitive information,
please PGP-encrypt it using the following key:

pub   2048R/C436A9C6 2014-01-07 [expires: 2015-02-01]
      Key fingerprint = 1849 02FF 0CA8 A385 F28D  2E7E 2AF0 C1EA C436 A9C6
uid     MIT Kerberos Team Security Contact <>


The 'cpw -keepold' functionality allows for the existing keys to be
retained at password-change (or keytab-change) time, instead of being
discarded as usual.  An array must be allocated to store all the old
keys, as well as the new keys and a NULL terminator.  In normal
operation, all the keys for a single kvno will share an array slot.  An
off-by-one error while copying key information to the new array results
in keys sharing a common kvno being written to different array buckets,
with the first key of a kvno betting a single bucket, and the remaining
keys getting the next bucket.  After sufficient iterations, the extra
writes extend past the end of the (NULL-terminated) array.  The NULL
terminator is always written after the end of the loop, so no
out-of-bounds data is read, it is only written.


2014-08-07      original release

Copyright (C) 2014 Massachusetts Institute of Technology
Version: GnuPG v2



Go to the Top of This SecurityTracker Archive Page

Home   |    View Topics   |    Search   |    Contact Us

Copyright 2015, LLC