CVE-2006-3083
First published: Wed Aug 09 2006(Updated: )
The (1) krshd and (2) v4rcp applications in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, when running on Linux and AIX, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which allows local users to gain privileges by causing setuid to fail to drop privileges using attacks such as resource exhaustion.
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Heimdal | =0.7.2 | |
| MIT Kerberos 5 | =1.4 | |
| MIT Kerberos 5 | =1.4.1 | |
| MIT Kerberos 5 | =1.4.2 | |
| MIT Kerberos 5 | =1.4.3 | |
| MIT Kerberos 5 | =1.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt
- http://www.kb.cert.org/vuls/id/580124
- http://www.redhat.com/support/errata/RHSA-2006-0612.html
- http://www.debian.org/security/2006/dsa-1146
- http://www.gentoo.org/security/en/glsa/glsa-200608-15.xml
- http://www.ubuntu.com/usn/usn-334-1
- http://www.securityfocus.com/bid/19427
- http://securitytracker.com/id?1016664
- http://secunia.com/advisories/21423
- http://secunia.com/advisories/21439
- http://secunia.com/advisories/21461
- http://secunia.com/advisories/21402
- http://secunia.com/advisories/21441
- http://secunia.com/advisories/21456
- http://secunia.com/advisories/21527
- http://www.novell.com/linux/security/advisories/2006_20_sr.html
- http://security.gentoo.org/glsa/glsa-200608-21.xml
- http://www.novell.com/linux/security/advisories/2006_22_sr.html
- http://support.avaya.com/elmodocs2/security/ASA-2006-211.htm
- http://secunia.com/advisories/22291
- http://secunia.com/advisories/21847
- http://www.pdc.kth.se/heimdal/advisory/2006-08-08/
- http://www.osvdb.org/27869
- http://www.osvdb.org/27870
- http://secunia.com/advisories/21436
- http://secunia.com/advisories/21613
- http://secunia.com/advisories/21467
- http://www.mandriva.com/security/advisories?name=MDKSA-2006:139
- http://www.vupen.com/english/advisories/2006/3225
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9515
- http://www.securityfocus.com/archive/1/443498/100/100/threaded
- http://www.securityfocus.com/archive/1/442599/100/0/threaded
Frequently Asked Questions
What is the severity of CVE-2006-3083?
CVE-2006-3083 is considered a high severity vulnerability due to its potential to allow local users to gain elevated privileges.
How do I fix CVE-2006-3083?
To fix CVE-2006-3083, upgrade to the latest versions of MIT Kerberos 5 (1.4.4 and later) or Heimdal (1.0 and later), where this issue has been addressed.
Which applications are affected by CVE-2006-3083?
CVE-2006-3083 affects the krshd and v4rcp applications in MIT Kerberos 5 versions up to 1.5 and Heimdal versions up to 0.7.2.
Can CVE-2006-3083 be exploited remotely?
CVE-2006-3083 cannot be exploited remotely as it requires local access to the system.
What are the implications of CVE-2006-3083?
The implications of CVE-2006-3083 include unauthorized privilege escalation for local users, which can lead to significant system vulnerabilities.
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/weakness
- agent/severity
- agent/remedy
- agent/author
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-historical
- vendor/heimdal
- product/heimdal
- canonical/heimdal heimdal
- vendor/mit
- product/kerberos 5
- canonical/mit kerberos 5
- agent/software-canonical-lookup-request
- collector/nvd-index
- canonical/heimdal
- version/heimdal/0.7.2
- version/mit kerberos 5/1.4
- version/mit kerberos 5/1.4.1
- version/mit kerberos 5/1.4.2
- version/mit kerberos 5/1.4.3
- version/mit kerberos 5/1.5