Remote Code Execution Vulnerability in MIT Kerberos 5
CVE-2017-15088

9.8CRITICAL

Key Information:

Vendor

Mit

Status
Krb5 1.5
Vendor
CVE Published:
23 November 2017

What is CVE-2017-15088?

A vulnerability in the handling of Distinguished Name (DN) fields within the MIT Kerberos 5 implementation allows remote attackers to exploit this flaw. When untrusted X.509 data is processed, it may lead to arbitrary code execution or cause a denial of service through buffer overflow and application crashes. This issue is particularly relevant in scenarios beyond the standard MIT Kerberos distribution, especially when utilizing KDC certauth plugin code specific to certain environments, such as those developed for Red Hat.

Affected Version(s)

krb5 1.5 krb5 1.5

References

https://bugzilla.redhat.com/show_bug.cgi?id=1504045
x_refsource_CONFIRM
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698
x_refsource_CONFIRM
https://github.com/krb5/krb5/commit/fbb687db1088ddd894d97...
x_refsource_CONFIRM

CVSS V3.1

Score:
9.8
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.