2002-10-21: Security advisory regarding kadmind

All versions of the kadmind daemon are vulnerable to a remote root exploit, if compiled with support for the Kerberos 4 kadmin protocol. Heimdal 0.5.1 should fix this problem.

If you are running a version older than 0.5.1 AND have Kerberos 4 support enabled in kadmind, you should disable kadmind until you have time to upgrade.

To tell if kadmind is vulnerable you can run:

# /usr/heimdal/libexec/kadmind --version
kadmind (Heimdal 0.5.1, KTH-KRB 1.2)
Copyright (c) 1999-2002 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se

Non-vulnerable versions include Heimdal 0.5.1, and binaries that DO NOT show a Kerberos 4 version string (KTH-KRB 1.2 in the example).
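
The check above can be scripted when several hosts have to be audited. The following is an added example, not part of the original advisory or of Heimdal: it classifies a version banner by the advisory's rule. Matching the Kerberos 4 string by the prefix KTH-KRB and the "unknown" result for unrecognised banners are assumptions, and the sample banners are constructed.

```shell
#!/bin/sh
# Classify a `kadmind --version` banner by the advisory's rule:
# vulnerable = Heimdal older than 0.5.1 AND a Kerberos 4 version string present.
# Assumption: the Kerberos 4 string starts with "KTH-KRB", as in the sample output.

# ver_lt A B: succeed if dotted version A is older than B. Letter suffixes
# (e.g. "0.4e") are ignored and missing components count as 0.
ver_lt() {
    a=$1; b=$2
    for i in 1 2 3; do
        x=$(printf '%s' "${a%%.*}" | sed 's/[^0-9].*//'); x=${x:-0}
        y=$(printf '%s' "${b%%.*}" | sed 's/[^0-9].*//'); y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        case $a in *.*) a=${a#*.} ;; *) a=0 ;; esac
        case $b in *.*) b=${b#*.} ;; *) b=0 ;; esac
    done
    return 1
}

# Prints vulnerable, not-vulnerable, or unknown (banner not recognised).
classify_kadmind_banner() {
    banner=$1
    # First banner line looks like: kadmind (Heimdal 0.5.1, KTH-KRB 1.2)
    heimdal=$(printf '%s\n' "$banner" |
        sed -n 's/.*Heimdal \([0-9][0-9A-Za-z.]*\).*/\1/p' | head -n 1)
    if [ -z "$heimdal" ]; then
        echo unknown
    elif ! printf '%s\n' "$banner" | grep -q 'KTH-KRB'; then
        echo not-vulnerable      # built without Kerberos 4 support
    elif ver_lt "$heimdal" 0.5.1; then
        echo vulnerable          # old release with Kerberos 4 kadmin enabled
    else
        echo not-vulnerable      # 0.5.1 or later
    fi
}

# Constructed sample banners (only the second matches the advisory's output).
for sample in 'kadmind (Heimdal 0.4e, KTH-KRB 1.1)' \
              'kadmind (Heimdal 0.5.1, KTH-KRB 1.2)' \
              'kadmind (Heimdal 0.4e)'; do
    printf '%-45s %s\n' "$sample" "$(classify_kadmind_banner "$sample")"
done
```

On a real host, pass the actual banner: classify_kadmind_banner "$(/usr/heimdal/libexec/kadmind --version 2>&1)".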

The kadmind service should run on your master KDC, and can be run either from inetd or as a standalone daemon.

See also CAN-2002-1225 (and possibly CAN-2002-1226).
