Multiple Vendor kadmind Remote Buffer Overflow Vulnerability



Date Discovered

October 21, 2002


A remotely exploitable buffer overflow has been reported in kadmind, the Kerberos administration daemon. The issue is caused by insufficient bounds checking on data received from the network and may allow a remote attacker to execute arbitrary code with the privileges of the kadmind process. Because kadmind is normally run as root on the KDC host, a successful attack can expose the entire Kerberos database and with it every principal in the realm. The vulnerable code is in the handling of the Kerberos 4 administration protocol. MIT Kerberos 5 includes a compatibility mode for the Kerberos 4 administration protocol, so Kerberos 5 installations that enable it are affected as well, and several other Kerberos implementations (including KTH Heimdal and eBones) are reported to be affected. This vulnerability is reported to be actively exploited in the wild.
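As an added illustration of the bug class described above, and not code from kadmind or from any of the implementations listed below: a length-prefixed request reader that trusts the client's declared length, beside a checked version. The 2-byte length prefix, the 64-byte request buffer and the simulated stack frame with a marker placed after the buffer are assumptions made for this demo, not the Kerberos 4 administration wire format.

```c
/* Added example (not kadmind source). A length-prefixed request reader with
 * the bounds-check bug the advisory describes, beside a checked version.
 * The wire layout (2-byte big-endian length, then payload) is a stand-in
 * chosen for the demo, not the Kerberos 4 admin protocol. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define REQ_BUF_SIZE 64              /* fixed request buffer (assumed size) */
#define CANARY_SIZE  4               /* marker bytes placed right after it  */
#define FRAME_SIZE   (REQ_BUF_SIZE + CANARY_SIZE)

/* Simulated stack frame: the request buffer followed by a 4-byte marker that
 * stands in for whatever really sits above the buffer (saved registers, the
 * return address). One flat array keeps the overflow observable without
 * undefined behaviour in the demo. */
typedef struct {
    uint8_t bytes[FRAME_SIZE];
} frame_t;

static const uint8_t CANARY[CANARY_SIZE] = { 0xDE, 0xAD, 0xBE, 0xEF };

void frame_init(frame_t *f) {
    memset(f->bytes, 0, REQ_BUF_SIZE);
    memcpy(f->bytes + REQ_BUF_SIZE, CANARY, CANARY_SIZE);
}

/* 1 if the marker after the buffer is untouched, 0 if it was overwritten. */
int frame_canary_intact(const frame_t *f) {
    return memcmp(f->bytes + REQ_BUF_SIZE, CANARY, CANARY_SIZE) == 0;
}

/* Vulnerable: trusts the client-supplied length. Returns bytes copied. */
int unpack_unchecked(const uint8_t *pkt, size_t pktlen, frame_t *f) {
    if (pktlen < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    /* BUG: len is never compared with REQ_BUF_SIZE, so a declared length
     * above 64 writes past the buffer. A plain loop is used instead of
     * memcpy so a fortified memcpy cannot mask the bug in the demo. */
    for (size_t i = 0; i < len; i++)
        f->bytes[i] = pkt[2 + i];
    return (int)len;
}

/* Hardened: reject a length the buffer cannot hold, and a packet shorter
 * than its own declared length. Returns bytes copied, or -1 on rejection. */
int unpack_checked(const uint8_t *pkt, size_t pktlen, frame_t *f) {
    if (pktlen < 2) return -1;
    size_t len = ((size_t)pkt[0] << 8) | pkt[1];
    if (len > REQ_BUF_SIZE) return -1;      /* would overflow the buffer */
    if (len > pktlen - 2) return -1;        /* truncated request          */
    memcpy(f->bytes, pkt + 2, len);
    return (int)len;
}

/* Constructed input: a request with the given declared length and an 'A'
 * payload. Returns total packet size, or 0 if the output buffer is too small. */
size_t build_request(uint8_t *out, size_t outcap, size_t declared_len) {
    if (outcap < 2 + declared_len) return 0;
    out[0] = (uint8_t)(declared_len >> 8);
    out[1] = (uint8_t)(declared_len & 0xFF);
    memset(out + 2, 'A', declared_len);
    return 2 + declared_len;
}

int main(void) {
    uint8_t pkt[2 + FRAME_SIZE];
    frame_t f;
    size_t n = build_request(pkt, sizeof pkt, FRAME_SIZE);   /* 68 > 64 */

    frame_init(&f);
    unpack_unchecked(pkt, n, &f);
    printf("unchecked: canary %s\n",
           frame_canary_intact(&f) ? "intact" : "CLOBBERED");

    frame_init(&f);
    int rc = unpack_checked(pkt, n, &f);
    printf("checked:   rc=%d, canary %s\n", rc,
           frame_canary_intact(&f) ? "intact" : "CLOBBERED");
    return 0;
}
```

The unchecked reader copies all 68 declared bytes and overwrites the marker sitting after the 64-byte buffer, which on a real stack would be saved registers or the return address; the checked reader refuses the request and the marker stays intact. The simulated frame is sized so that the demonstration stays within the array; a declared length larger than the frame would be a real out-of-bounds write, which is exactly the condition the advisory describes.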

Technologies Affected

  • FreeBSD FreeBSD 4.0.0
  • FreeBSD FreeBSD 4.1.0
  • FreeBSD FreeBSD 4.2.0
  • FreeBSD FreeBSD 4.3.0
  • FreeBSD FreeBSD 4.4.0
  • FreeBSD FreeBSD 4.5.0
  • FreeBSD FreeBSD 4.6.0
  • FreeBSD FreeBSD 4.7.0 -RELEASE
  • FreeBSD FreeBSD 4.7.0
  • IBM PSSP 3.1.1
  • IBM PSSP 3.2.0
  • IBM PSSP 3.4.0
  • IBM PSSP 3.5.0
  • KTH Heimdal 0.21.0
  • KTH Heimdal 0.3.0 e
  • KTH Heimdal 0.4.0 a
  • KTH Heimdal 0.4.0 b
  • KTH Heimdal 0.4.0 c
  • KTH Heimdal 0.4.0 d
  • KTH Heimdal 0.4.0 e
  • KTH Heimdal 0.5.0
  • KTH eBones 1.2.0
  • MIT Kerberos 4 1.0.0
  • MIT Kerberos 4 1.1.0
  • MIT Kerberos 4 4.0.0
  • MIT Kerberos 5 1.0.0
  • MIT Kerberos 5 1.0.6
  • MIT Kerberos 5 1.1.0
  • MIT Kerberos 5 1.1.1
  • MIT Kerberos 5 1.2.0
  • MIT Kerberos 5 1.2.1
  • MIT Kerberos 5 1.2.2
  • MIT Kerberos 5 1.2.3
  • MIT Kerberos 5 1.2.4
  • MIT Kerberos 5 1.2.5
  • MIT Kerberos 5 1.2.6
  • NetBSD NetBSD 1.5.0
  • NetBSD NetBSD 1.5.1
  • NetBSD NetBSD 1.5.2
  • NetBSD NetBSD 1.5.3
  • NetBSD NetBSD 1.6.0
  • OpenBSD OpenBSD 3.0
  • OpenBSD OpenBSD 3.1
  • OpenBSD OpenBSD 3.2


Block external access at the network boundary, unless external parties require service.
If possible, restrict remote connectivity to trusted hosts and internal networks only. Block access to TCP and UDP port 751 (the Kerberos 4 administration daemon) and to TCP and UDP port 749 (Kerberos 5 administration) wherever Kerberos 4 administration compatibility is enabled.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Exploitation attempts may be indicated by intrusion detection systems. Audit IDS logs regularly.

Run all software as a nonprivileged user with minimal access rights.
When possible, run server processes as low-privileged users to limit the consequences of exploitation.

Disable any unnecessary default services.
Disable all services not explicitly required by the system. Disable the Kerberos 4 administration protocol if it is not needed.

CERT has released an advisory which contains information about various vendors and implementations that are reported to be affected by this vulnerability. CERT has released a followup advisory which retracts information about the applicability of Debian Security Advisory DSA-178 and associated fixes. SuSE Security Advisory SuSE-SA:2002:034 also does not address this issue.

Debian has released Debian Security Advisory DSA 183-1, which addresses this issue for affected MIT Kerberos 5 packages that ship with Debian GNU/Linux 3.0 alias woody. Information on obtaining fixes may be found in the referenced advisory.

NetBSD has released an advisory. The NetBSD-current, NetBSD 1.6 and NetBSD 1.5 branches dated 2002-10-22 and later contain fixes for this vulnerability. Users are advised to update the crypto/dist/heimdal/kadmin directory from CVS. Further information is available in the referenced advisory.

FreeBSD addressed this issue as of October 23rd, 2002 for the base Kerberos 4 (kadmind) and Kerberos 5 (k5admind v4 compatibility) daemons. The heimdal and krb5 ports were corrected as of October 24th, 2002. A vendor advisory is reported to be forthcoming.

MIT has released an advisory. Detailed patch information is available in the referenced advisory.

Apple has announced that the Kerberos Administration Daemon was included in Mac OS X 10.0 but was removed in Mac OS X 10.1 and later.

SuSE Linux versions 7.2 and ship with Heimdal Kerberos. However, Kerberos 4 support is not enabled.

Gentoo Linux has released an advisory and made fixes available. To update systems, Gentoo Linux users are advised to perform the following update procedure:
  emerge rsync
  emerge kth-krb
  emerge heimdal
  emerge clean

Sorcerer Linux has released an advisory and made fixes available. To update systems, Sorcerer Linux users are advised to perform the following update procedure:
  augur synch
  augur update

Debian has released Debian Security Advisory DSA 184-1, which addresses the issue for affected MIT Kerberos 4 packages, and Debian Security Advisory DSA 185-1, which addresses the issue for affected Heimdal Kerberos packages. Information about obtaining fixes is available in the referenced advisories.

Conectiva Linux has released an advisory. Further information can be obtained from the referenced advisory.

Red Hat has released a security advisory which addresses the issue for affected MIT Kerberos 5 packages.

FreeBSD has released an advisory. Users are advised to update their ports tree and reinstall the heimdal or krb5 ports, or to download and install a patch. Further detailed information is available in the referenced advisory.

IBM has made APARs available to resolve this issue.

HP has released advisory HPSBTL0211-077 for HP Secure OS, advising users to apply the fixes listed in Red Hat advisory RHSA-2002:242-06.

Fixes have been released which address this issue:



Discovery of this vulnerability is credited to Johan Danielsson and Love Hornquist-Astrand. Discovery is also credited to Tom Yu and Sam Hartman of MIT.

© 1995- Symantec Corporation

Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from


The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.

Symantec, Symantec products, Symantec Security Response, and are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.