CVE-2009-0360medium
New! CVE Severity Now Using CVSS v3
The calculated severity for CVEs has been updated to use CVSS v3 by default. CVEs that do not have a CVSS v3 score will fall back CVSS v2 for calculating severity. Severity display preferences can be toggled in the settings dropdown.
Description
Russ Allbery pam-krb5 before 3.13, when linked against MIT Kerberos, does not properly initialize the Kerberos libraries for setuid use, which allows local users to gain privileges by pointing an environment variable to a modified Kerberos configuration file, and then launching a PAM-based setuid application.
References
http://secunia.com/advisories/33914
http://secunia.com/advisories/33917
http://secunia.com/advisories/34260
http://secunia.com/advisories/34449
http://security.gentoo.org/glsa/glsa-200903-39.xml
http://securitytracker.com/id?1021711
http://sunsolve.sun.com/search/document.do?assetkey=1-66-252767-1
http://support.avaya.com/elmodocs2/security/ASA-2009-070.htm
http://www.debian.org/security/2009/dsa-1721
http://www.eyrie.org/~eagle/software/pam-krb5/security/2009-02-11.html
http://www.securityfocus.com/archive/1/500892/100/0/threaded
http://www.securityfocus.com/bid/33740
http://www.ubuntu.com/usn/USN-719-1
http://www.vupen.com/english/advisories/2009/0410
http://www.vupen.com/english/advisories/2009/0426
http://www.vupen.com/english/advisories/2009/0979
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5669
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A5732
Vulnerable Software
Configuration 1
OR
cpe:2.3:a:eyrie:pam-krb5:2.0:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:2.1:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:2.2:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:2.3:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:2.4:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:2.5:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:2.6:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.0:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.1:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.2:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.3:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.4:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.5:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.6:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.7:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.8:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.9:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.10:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:3.11:*:*:*:*:*:*:*
cpe:2.3:a:eyrie:pam-krb5:*:*:*:*:*:*:*:* versions up to 3.12 (inclusive)
Tenable Plugins
| ID | Name | Product | Family | Severity |
|---|---|---|---|---|
| 79961 | GLSA-201412-08 : Multiple packages, Multiple vulnerabilities fixed in 2010 | Nessus | Gentoo Local Security Checks | critical |
| 36218 | Ubuntu 8.04 LTS / 8.10 : libpam-krb5 vulnerabilities (USN-719-1) | Nessus | Ubuntu Local Security Checks | medium |
| 36027 | GLSA-200903-39 : pam_krb5: Privilege escalation | Nessus | Gentoo Local Security Checks | medium |
| 35663 | Debian DSA-1722-1 : libpam-heimdal - programming error | Nessus | Debian Local Security Checks | medium |
| 35662 | Debian DSA-1721-1 : libpam-krb5 - several vulnerabilities | Nessus | Debian Local Security Checks | medium |
| 35208 | Solaris 10 (x86) : 138372-06 | Nessus | Solaris Local Security Checks | medium |
| 35197 | Solaris 10 (sparc) : 138371-06 | Nessus | Solaris Local Security Checks | medium |
| 13620 | Solaris 9 (x86) : 115168-24 | Nessus | Solaris Local Security Checks | critical |
| 13520 | Solaris 9 (sparc) : 112908-38 | Nessus | Solaris Local Security Checks | critical |