CERT-In Vulnerability Note CIVN-2006-120
Apache mod_auth_kerb "der_get_oid()" Off-By-One Vulnerability
Original Issue Date: November 25, 2006
Severity Rating: High
System Affected
mod_auth_kerb versions 5.x
Overview
A vulnerability has been reported in mod_auth_kerb which could be exploited by remote attackers to execute arbitrary commands on the affected system or to cause a denial of service.
Description
A vulnerability has been reported in the Apache module "mod_auth_kerb" due to an off-by-one buffer overflow error in the "der_get_oid()" function [spnegokrb5/der_get.c]. This could be exploited by remote attackers to crash the vulnerable web server or to execute arbitrary commands on it.
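As an added illustration (not mod_auth_kerb's own code), the C decoder below shows the sizing pitfall a DER OID decoder faces: the first content byte carries two arcs, so `len` bytes can yield `len+1` arcs, and a buffer sized to the byte count is one element short unless capacity is checked before every store. The sample OID bytes are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
/* Exact arc count for 'len' DER OID content bytes: the first byte carries two
 * arcs and every later arc ends at a byte with bit 7 clear, so len bytes can
 * yield len+1 arcs. A buffer sized to len entries is therefore off by one. */
size_t der_oid_arc_count(const uint8_t *p, size_t len)
{
    size_t n = 1;                        /* the extra arc hidden in byte 0 */
    for (size_t i = 0; i < len; i++)
        if ((p[i] & 0x80) == 0) n++;
    return n;
}

/* Decode content bytes into arcs[cap]. Returns the number of arcs, or -1 on
 * malformed input or when cap is too small (checked before every store). */
int der_get_oid(const uint8_t *p, size_t len, unsigned *arcs, size_t cap)
{
    size_t n = 0, i = 1;
    /* byte 0 is 40*X+Y; a multi-byte first pair (bit 7 set) is rejected here */
    if (len == 0 || (p[0] & 0x80) || cap < 2) return -1;
    arcs[n++] = p[0] < 80 ? p[0] / 40 : 2;
    arcs[n++] = p[0] < 80 ? p[0] % 40 : p[0] - 80;
    while (i < len) {
        unsigned v = 0;
        for (;;) {                       /* base 128, bit 7 set = continue */
            if (i >= len) return -1;     /* truncated arc */
            if (v >> 25) return -1;      /* next shift would overflow 32 bits */
            v = (v << 7) | (p[i] & 0x7f);
            if ((p[i++] & 0x80) == 0) break;
        }
        if (n >= cap) return -1;         /* the check an off-by-one decoder lacks */
        arcs[n++] = v;
    }
    return (int)n;
}

/* Constructed samples: content bytes of 1.2.840.113554.1.2.2 (the Kerberos V5
 * GSS-API mechanism OID seen in SPNEGO tokens; 9 bytes, 7 arcs) and a minimal
 * 1.2.1.1 (3 bytes, 4 arcs: len+1). */
static const uint8_t kKrb5Oid[] = {0x2A,0x86,0x48,0x86,0xF7,0x12,0x01,0x02,0x02};
static const uint8_t kTinyOid[] = {0x2A, 0x01, 0x01};
/* Decode p[len] with capacity 'cap' (at most 16) and return arc 'idx', or -1
 * when decoding fails or idx is past the last arc. */
long decode_arc(const uint8_t *p, size_t len, size_t cap, size_t idx)
{
    unsigned a[16];
    int n = der_get_oid(p, len, a, cap > 16 ? 16 : cap);
    return (n > 0 && idx < (size_t)n) ? (long)a[idx] : -1;
}
```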
Solution
Upgrade to version 5.3:
http://sourceforge.net/projects/modauthkerb/
Vendor Information
Kerberos Module for Apache
http://modauthkerb.sourceforge.net/
References
FrSIRT ADV-2006-4633
http://www.frsirt.com/english/advisories/2006/4633
Secunia
http://secunia.com/advisories/23023/
Security Focus
http://www.securityfocus.com/bid/21214
CVE Name
CVE-2006-5989
Disclaimer
The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003