The Kerberos Administration daemon (kadmind), which is used in connection with Kerberos authentication, contains a buffer overflow vulnerability in many implementations, mostly affecting Linux/Unix. Since kadmind is the daemon that handles the password changes and other modification requests to the Kerberos database, it is a vital element of many, but not all, security systems based on Kerberos. A Symantec report says that this threat is due to "insufficient bounds checking" and that an exploitation of this vulnerability could allow the attacker to run arbitrary code on the system. CERT Advisory CA-2002-29, "Buffer Overflow in Kerberos Administration Daemon," indicates that this problem is found in both the MIT and the KTH versions of Kerberos. Specifically, there is a buffer overflow in the kadm_ser_wrap_in function in the Kerberos v4 administration server. Applicability This vulnerability has been confirmed as existing in MIT Kerberos version 4 and version 5 through krb5-1.2.6, KTH eBones prior to version 1.2.1, and KTH Heimdal prior to version 0.5.1. Although this appears to be just a Kerberos 4 problem, many implementations of Kerberos 5 have been installed in a manner to support the earlier version and are thus also affected because of the Kerberos 4 component. Symantec reports that some versions of Conectiva, Red Hat, Gentoo, Mandrake, SuSE, and Debian Linux shipped with vulnerable versions of Kerberos, as did NetBSD, OpenBSD, and IBM's pSeries Parallel System Support Programs, as well as multiple versions of FreeBSD Unix. Some of these operating systems that did include a vulnerable version of Kerberos may not have had it installed by default and therefore may not be vulnerable. The list of specific versions affected or potentially vulnerable is long and may grow, so you might want to check the Symantec report to get a handle on the scope of the problem. Microsoft uses a proprietary version of Kerberos in Windows, and it is not vulnerable to this exploit, so no action is required for Windows systems. Openwall reports that it does not provide Kerberos support, so Openwall GNU/Linux is not vulnerable. Sun's Enterprise Authentication Mechanism (Kerberos 5) doesn't support Kerberos v4 protocols and is therefore not affected. See SEAM for more information. Wind River BSD is not vulnerable. Apple Computer reports that the vulnerability applies to OS X 10.0, but kadmind was removed from version 10.1 and later versions, so it does not affect them. Risk level -- serious Exploiting this vulnerability would give a remote attacker root privileges and complete control over the Kerberos authentication scheme for the affected systems. The Debian Security Advisories on Kerberos 4 and 5 confirm that exploit code is in circulation for this vulnerability, so it is a serious security hole and not just a theoretical problem.