A security vulnerability in the Kerberos administration daemon (kadmind(1M)) may allow a remote authenticated user to be able to execute arbitrary commands on Kerberos Key Distribution Center(KDC) systems with the privilegs of the kadmind(1M) daemon (usually root). This issue may also allow the remote user to compromise the Kerberos key database or cause the kadmind(1M) daemon to crash, which is a form of Denial of Service (DoS).

This issue is referenced in the following documents:

• http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2007-005.txt
• CVE-2007-2798 at: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2798

This issue can occur in the following releases:

SPARC Platform

• SEAM 1.0.1 (for Solaris 8) without patch 110060-22
• Solaris 9 without patch 112925-07
• Solaris 10 without patch 120473-12

x86 Platform

• SEAM 1.0.1 (for Solaris 8) without patch 110061-22
• Solaris 9 without patch 116044-04
• Solaris 10 without patch 120037-22

Note 1: Solaris Enterprise Authentication Mechanism (SEAM) is an unbundled product available for Solaris 8 and 9. For more information on SEAM, please see the SEAM(5) man page.

Note 2: To determine if the SEAM unbundled product is installed on a host, the following command can be used:

    $pkginfo SUNWkr5ma
    system      SUNWkr5ma      Kerberos V5 Master KDC

Note 3: This issue only occurs if the system is configured as a Key Distribution Center (KDC).

To determine if the system is configured as a Key Distribution Center, the following command can be used:

    % ps -ef | grep kadmin
    root   321     1  0   Dec 10 ?        0:00
    /usr/krb5/lib/kadmind

If the above command shows that the daemon kadmind(1M) is running, then the machine is configured as the Key Distribution Center (KDC).

There are no reliable symptoms that would indicate this issue has been exploited to execute arbitrary code with elevated privileges on a system.

To work around the described issue, kadmind(1M) could be disabled, however this would take down all administrative functionality of the Kerberos environment. The Kerberos realm itself would remain usable while kadmind(1M) is down.

To disable kadmind(1M) on Solaris 8 and Solaris 9 systems, the following command can be used:

    # pkill kadmind

This issue is addressed in the following release:

SPARC Platform

• SEAM 1.0.1 (for Solaris 8) with patch 110060-22 or later
• Solaris 9 with patch 112925-07 or later
• Solaris 10 with patch 120473-12 or later

x86 Platform

• SEAM 1.0.1 (for Solaris 8) with patch 110061-22 or later
• Solaris 9 with patch 116044-04 or later
• Solaris 10 with patch 120037-22 or later

• Updated Contributing Factors and Resolution sections

• Updated Contributing Factors and Resolution sections

• Updated Contributing Factors and Resolution sections

• State: Resolved
• Updated Contributing Factors and Resolution sections

This solution has no attachment