CVE-2009-0846
HIGH severity · CVSS 10 · CWE-824
10CVSS HIGH
Summary
The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer.
Impact & exploitability
Attack vectorNetwork
Attack complexityLow
Privileges required—
User interaction—
Confidentiality impact—
Integrity impact—
Availability impact—
Exploit probability (EPSS)9%
AV:N/AC:L/Au:N/C:C/I:C/A:C
Affected products we track (1)
Recommendation
Apply the vendor fix promptly. Open any affected product above for its exact safe version.
Additional information
- NVD record
- http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
- http://lists.vmware.com/pipermail/security-announce/2009/000059.html
- http://marc.info/?l=bugtraq&m=124896429301168&w=2Advisory
- http://marc.info/?l=bugtraq&m=130497213107107&w=2Advisory
- http://rhn.redhat.com/errata/RHSA-2009-0409.htmlAdvisory
- http://rhn.redhat.com/errata/RHSA-2009-0410.htmlAdvisory
- http://secunia.com/advisories/34594
- http://secunia.com/advisories/34598