CVE-2010-1322

Name of the Vulnerable Software and Affected Versions mit-krb5 versions prior to 1.9.2-r1 MIT Kerberos 5 versions 1.8.x before 1.8.4

Description The issue affects the Key Distribution Center (KDC) in MIT Kerberos 5, where the merge authdata function in kdc authdata.c does not properly manage an index into an authorization-data list. This can be exploited remotely, potentially leading to a denial of service (daemon crash), or possibly obtaining sensitive information, spoofing authorization, or executing arbitrary code. The exploitation can be triggered by a TGS request that causes an uninitialized pointer dereference.

Recommendations For mit-krb5 versions prior to 1.9.2-r1, update to version 1.9.2-r1 or later. For MIT Kerberos 5 versions 1.8.x before 1.8.4, update to version 1.8.4 or later. As a temporary workaround, consider restricting access to the KDC to minimize the risk of exploitation.