Vulnerability Name:
CVE-2002-0036 (CCN-11190)
Assigned:
2003-01-28
Published:
2003-01-28
Updated:
2020-01-21
Summary:
Integer signedness error in MIT Kerberos V5 ASN.1 decoder before krb5 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value.
CVSS v3 Severity:
5.3 Medium
(CCN CVSS v3.1 Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
)
Exploitability Metrics:
Attack Vector (AV):
Network
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope:
Scope (S):
Unchanged
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Low
CVSS v2 Severity:
5.0 Medium
(CVSS v2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Authentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Partial
5.0 Medium
(CCN CVSS v2 Vector:
AV:N/AC:L/Au:N/C:N/I:N/A:P
)
Exploitability Metrics:
Access Vector (AV):
Network
Access Complexity (AC):
Low
Athentication (Au):
None
Impact Metrics:
Confidentiality (C):
None
Integrity (I):
None
Availibility (A):
Partial
Vulnerability Type:
CWE-Other
Vulnerability Consequences:
Gain Access
References:
Source: MITRE
Type: CNA
CVE-2002-0036
Source: CONECTIVA
Type: UNKNOWN
CLA-2003:639
Source: CCN
Type: Conectiva Linux Security Announcement CLSA-2003:639
krb5
Source: CCN
Type: RHSA-2003-051
Updated kerberos packages fix various vulnerabilities
Source: CCN
Type: RHSA-2003-052
krb5 security update
Source: CCN
Type: RHSA-2003-168
Updated kerberos packages fix various vulnerabilities
Source: CCN
Type: MIT Kerberos Web site
Kerberos: The Network Authentication Protocol
Source: CCN
Type: MIT krb5 Security Advisory 2003-001
Multiple vulnerabilities in old releases of MIT Kerberos
Source: CONFIRM
Type: Patch, Vendor Advisory
http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
Source: CCN
Type: CIAC Information Bulletin N-037
Multiple Vulnerabilities in Old Releases of MIT Kerberos
Source: CCN
Type: US-CERT VU#587579
MIT Kerberos V5 ASN.1 decoder fails to perform bounds checking on data element length fields
Source: CERT-VN
Type: Patch, Third Party Advisory, US Government Resource
VU#587579
Source: MANDRAKE
Type: UNKNOWN
MDKSA-2003:043
Source: OSVDB
Type: UNKNOWN
4896
Source: CCN
Type: OSVDB ID: 4896
MIT Kerberos 5 ASN.1 Decoder Heap Corruption DoS
Source: REDHAT
Type: UNKNOWN
RHSA-2003:051
Source: REDHAT
Type: UNKNOWN
RHSA-2003:052
Source: REDHAT
Type: UNKNOWN
RHSA-2003:168
Source: BID
Type: UNKNOWN
6713
Source: CCN
Type: BID-6713
MIT Kerberos ASN.1 Decoder Heap Corruption Vulnerability
Source: XF
Type: UNKNOWN
kerberos-kdc-neglength-dos(11190)
Source: XF
Type: UNKNOWN
kerberos-kdc-neglength-bo(11190)
Vulnerable Configuration:
Configuration 1
:
cpe:/a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*
OR
cpe:/a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*
OR
cpe:/a:mit:kerberos_5:1.2.3:*:*:*:*:*:*:*
OR
cpe:/a:mit:kerberos_5:1.2.4:*:*:*:*:*:*:*
Configuration CCN 1
:
cpe:/a:mit:kerberos_5:1.2.2:*:*:*:*:*:*:*
OR
cpe:/a:mit:kerberos_5:1.2.1:*:*:*:*:*:*:*
OR
cpe:/a:mit:kerberos_5:1.2.3:*:*:*:*:*:*:*
OR
cpe:/a:mit:kerberos_5:1.2.4:*:*:*:*:*:*:*
AND
cpe:/o:redhat:linux:6.2:*:*:*:*:*:*:*
OR
cpe:/o:redhat:linux:7:*:*:*:*:*:*:*
OR
cpe:/o:redhat:linux:7.1:*:*:*:*:*:*:*
OR
cpe:/o:redhat:linux:7.2:*:*:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux:8.2:*:*:*:*:*:*:*
OR
cpe:/o:conectiva:linux:8.0:*:*:*:*:*:*:*
OR
cpe:/o:redhat:linux:7.3:*:*:*:*:*:*:*
OR
cpe:/o:redhat:linux:8.0:*:*:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux:9.0:*:*:*:*:*:*:*
OR
cpe:/a:mandrakesoft:mandrake_multi_network_firewall:8.2:*:*:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1:*:*:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux:9.1:*:*:*:*:*:*:*
OR
cpe:/o:redhat:enterprise_linux:2.1:*:as:*:*:*:*:*
OR
cpe:/o:redhat:enterprise_linux:2.1:*:es:*:*:*:*:*
OR
cpe:/o:redhat:enterprise_linux:2.1:*:ws:*:*:*:*:*
OR
cpe:/o:redhat:linux_advanced_workstation:2.1::itanium:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux:8.2::ppc:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux:9.1::ppc:*:*:*:*:*
OR
cpe:/o:mandrakesoft:mandrake_linux_corporate_server:2.1::x86_64:*:*:*:*:*
Denotes that component is vulnerable
BACK
mit
kerberos 5 1.2.1
mit
kerberos 5 1.2.2
mit
kerberos 5 1.2.3
mit
kerberos 5 1.2.4
mit
kerberos 5-1.2.2
mit
kerberos 5-1.2.1
mit
kerberos 5-1.2.3
mit
kerberos 5-1.2.4
redhat
linux 6.2
redhat
linux 7
redhat
linux 7.1
redhat
linux 7.2
mandrakesoft
mandrake linux 8.2
conectiva
linux 8.0
redhat
linux 7.3
redhat
linux 8.0
mandrakesoft
mandrake linux 9.0
mandrakesoft
mandrake multi network firewall 8.2
mandrakesoft
mandrake linux corporate server 2.1
mandrakesoft
mandrake linux 9.1
redhat
enterprise linux 2.1
redhat
enterprise linux 2.1
redhat
enterprise linux 2.1
redhat
linux advanced workstation 2.1
mandrakesoft
mandrake linux 8.2
mandrakesoft
mandrake linux 9.1
mandrakesoft
mandrake linux corporate server 2.1
Denotes that component is vulnerable