FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

CVE-2010-4021

This CVE name corresponds to:

Entered: 2010-12-09
Topic: krb5 -- client impersonation vulnerability

The following information is adapted from the Common Vulnerabilities and Exposures (CVE) project. CVE and the CVE logo are trademarks of The MITRE Corporation. CVE content is Copyright 2005, The MITRE Corporation.

Details

Type: Candidate
Name: CVE-2010-4021
Phase: Assigned (20101020)

Description

The Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.7 does not properly restrict the use of TGT credentials for armoring FAST-protected TGS requests. A remote authenticated user might exploit this to impersonate another client by rewriting the inner (armored) request. MIT refers to this as the "KrbFastReq forgery issue"; see MITKRB5-SA-2010-007 in the references below.

References

Source Reference
BUGTRAQ 20101130 MITKRB5-SA-2010-007 Multiple checksum handling vulnerabilities [CVE-2010-1324 CVE-2010-1323 CVE-2010-4020 CVE-2010-4021]
BUGTRAQ 20110428 VMSA-2011-0007 VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
MLIST [security-announce] 20110428 VMSA-2011-0007 VMware ESXi and ESX Denial of Service and third party updates for Likewise components and ESX Service Console
CONFIRM http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
CONFIRM http://support.apple.com/kb/HT4581
CONFIRM http://kb.vmware.com/kb/1035108
CONFIRM http://www.vmware.com/security/advisories/VMSA-2011-0007.html
APPLE APPLE-SA-2011-03-21-1
MANDRIVA MDVSA-2010:246
SUSE SUSE-SR:2010:023
SUSE SUSE-SR:2010:024
UBUNTU USN-1030-1
BID 45122
OSVDB 69607
SECTRACK 1024803
VUPEN ADV-2010-3094
VUPEN ADV-2010-3118