Lumension® Endpoint Intelligence Center


Overview

Vulnerability Score: 6.2
CVE Id: CVE-2009-0360
Last Modified: 07 Mar 2011 10:18:21
Published: 13 Feb 2009 12:30:00
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Access Vector: LOCAL
Access Complexity: HIGH
Authentication: NONE

CVE-2009-0360

Summary

The pam-krb5 module by Russ Allbery, in versions before 3.13, does not properly initialize the Kerberos libraries for setuid use when linked against MIT Kerberos. A local user can point an environment variable at a modified Kerberos configuration file and then launch a PAM-based setuid application, gaining privileges.

Vulnerable Systems

Application

  • Eyrie Pam-krb5 2.0
  • Eyrie Pam-krb5 2.1
  • Eyrie Pam-krb5 2.2
  • Eyrie Pam-krb5 2.3
  • Eyrie Pam-krb5 2.4
  • Eyrie Pam-krb5 2.5
  • Eyrie Pam-krb5 2.6
  • Eyrie Pam-krb5 3.0
  • Eyrie Pam-krb5 3.1
  • Eyrie Pam-krb5 3.2
  • Eyrie Pam-krb5 3.3
  • Eyrie Pam-krb5 3.4
  • Eyrie Pam-krb5 3.5
  • Eyrie Pam-krb5 3.6
  • Eyrie Pam-krb5 3.7
  • Eyrie Pam-krb5 3.8
  • Eyrie Pam-krb5 3.9
  • Eyrie Pam-krb5 3.10
  • Eyrie Pam-krb5 3.11
  • Eyrie Pam-krb5 3.12

References

VUPEN - ADV-2009-0979
VUPEN - ADV-2009-0426
VUPEN - ADV-2009-0410
UBUNTU - USN-719-1
BID - 33740
BUGTRAQ - 20090211 pam-krb5 security advisory (3.12 and earlier)
MISC - http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html
DEBIAN - DSA-1721
CONFIRM - http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm
SUNALERT - 252767
SECTRACK - 1021711
GENTOO - GLSA-200903-39
SECUNIA - 34449
SECUNIA - 34260
SECUNIA - 33917
SECUNIA - 33914


Last Updated: 27 May 2016 10:50:12