RHEL 5 : pam_krb5 (RHSA-2008:0907)

Medium Nessus Plugin ID 34333

Synopsis

The remote Red Hat host is missing a security update.

Description

An updated pam_krb5 package that fixes a security issue is now available for Red Hat Enterprise Linux 5.

This update has been rated as having moderate security impact by the Red Hat Security Response Team.

The pam_krb5 module allows Pluggable Authentication Modules (PAM) aware applications to use Kerberos to verify user identities by obtaining user credentials at login time.

A flaw was found in the pam_krb5 'existing_ticket' configuration option. If a system is configured to use an existing credential cache via the 'existing_ticket' option, it may be possible for a local user to gain elevated privileges by using another local user's credential cache. (CVE-2008-3825)

Red Hat would like to thank Stephane Bertin for responsibly disclosing this issue.

Users of pam_krb5 should upgrade to this updated package, which contains a backported patch to resolve this issue.

Solution

Update the affected pam_krb5 package.

See Also

https://access.redhat.com/security/cve/cve-2008-3825

https://access.redhat.com/errata/RHSA-2008:0907

Plugin Details

Severity: Medium

ID: 34333

File Name: redhat-RHSA-2008-0907.nasl

Version: 1.26

Type: local

Agent: unix

Published: 2008/10/03

Updated: 2021/01/14

Dependencies: 12634

Risk Information

Risk Factor: Medium

VPR Score: 5.8

CVSS v2.0

Base Score: 4.4

Vector: CVSS2#AV:L/AC:M/Au:N/C:P/I:P/A:P

Vulnerability Information

CPE: p-cpe:/a:redhat:enterprise_linux:pam_krb5, cpe:/o:redhat:enterprise_linux:5, cpe:/o:redhat:enterprise_linux:5.2

Required KB Items: Host/local_checks_enabled, Host/RedHat/release, Host/RedHat/rpm-list, Host/cpu

Patch Publication Date: 2008/10/02

Vulnerability Publication Date: 2008/10/03

Reference Information

CVE: CVE-2008-3825

RHSA: 2008:0907

CWE: 264