=====================================================================
                                    CERT-Renater

                         Information Note No. 2008/VULN094
_____________________________________________________________________

DATE                      : 21/03/2008

HARDWARE PLATFORM(S)      : /

OPERATING SYSTEM(S)       : Systems running MIT Kerberos.

======================================================================

         National Cyber Alert System

   Technical Cyber Security Alert TA08-079B


MIT Kerberos Updates for Multiple Vulnerabilities

    Original release date: March 19, 2008
    Last revised: --
    Source: US-CERT

Systems Affected

      * MIT Kerberos

Overview

    The MIT Kerberos implementation contains several vulnerabilities.
    Exploitation of these vulnerabilities could allow a remote,
    unauthenticated attacker to execute arbitrary code, compromise the
    key database or cause a denial of service on a vulnerable system.

I. Description

    The MIT Kerberos Development Team has released MIT krb5 Security
    Advisory 2008-002 to address vulnerabilities in multiple versions
    of MIT Kerberos. More information about these vulnerabilities can
    be found in VU#895609 and VU#374121.

II. Impact

    Potential consequences include arbitrary code execution, key
    database compromise, and denial of service.

III. Solution

Install updates from your vendor

    Check with your vendors for patches or updates. For information
    about a vendor, please see the systems affected section in
    vulnerability notes VU#895609 and VU#374121 or contact your vendor
    directly.
    Administrators who compile MIT Kerberos from source should refer
    to MIT Security Advisory 2008-002 for more information.

IV. References

  * US-CERT Vulnerability Note VU#895609 -
    <http://www.kb.cert.org/vuls/id/895609>

  * US-CERT Vulnerability Note VU#374121 -
    <http://www.kb.cert.org/vuls/id/374121>

  * MIT krb5 Security Advisory 2008-002 -
    <http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2008-002.txt2>

  _________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA08-079B.html>
  _________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@cert.org> with "TA08-079B Feedback VU#895609" in the
   subject.
  _________________________________________________________________

   Produced 2008 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
  ____________________________________________________________________

    Revision History

    March 19, 2008: Initial release

======================================================================

           =========================================================
           CERT-Renater reference servers
           http://www.urec.fr/securite
           http://www.cru.fr/securite
           http://www.renater.fr
           =========================================================
           + CERT-RENATER          | tel : 01-53-94-20-44          +
           + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
           + 75013 Paris           | email: certsvp@renater.fr     +
           =========================================================
