DSA-2518-1 krb5 -- denial of service and remote code executionID: oval:org.secpod.oval:def:600856 | Date: (C)2012-08-02 (M)2022-10-10 |
Class: PATCH | Family: unix |
Emmanuel Bouillon from NCI Agency discovered multiple vulnerabilities in MIT Kerberos, a daemon implementing the network authentication protocol. CVE-2012-1014 By sending specially crafted AS-REQ to a KDC , an attacker could make it free an uninitialized pointer, corrupting the heap. This can lead to process crash or even arbitrary code execution. This CVE only affects testing and unstable distributions. CVE-2012-1015 By sending specially crafted AS-REQ to a KDC, an attacker could make it dereference an uninitialized pointer, leading to process crash or even arbitrary code execution In both cases, arbitrary code execution is believed to be difficult to achieve, but might not be impossible.