oss-sec mailing list archives

CVE assignment notification (pam_krb5 CVE-2009-1384)


From: Jan Lieskovsky <jlieskov () redhat com>
Date: Wed, 27 May 2009 11:55:13 +0200

Hello Steve,

  a security flaw similar to the recent pam_ssh CVE-2009-1273
one:

    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1273

was found in the pam_krb5 module. From the particular Red Hat
Bugzilla entry:

    https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2009-1384

<cite>
A security flaw was found in the PAM pam_krb5 module, providing user
authentication based on Kerberos principals. A remote attacker could
use this flaw to recognize whether some username/login belongs to the set
of user accounts existing on the system, and subsequently perform a
dictionary-based password guessing attack.
</cite>

VERSIONS INFORMATION (Red Hat pam_krb5 version numbering is used):
=====================

a, Not vulnerable - the vulnerability is not present in versions of
                    pam_krb5 prior to and including pam_krb5-2.1.17
b, Vulnerable     - presence of the flaw is confirmed in versions of
                    pam_krb5 starting from pam_krb5-2.2.14 and newer


CVE:  The CVE identifier CVE-2009-1384 has already been assigned to
====  this flaw.


Thanks && regards, Jan.
--
Jan iankko Lieskovsky / Red Hat Security Response Team
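The flaw described above matters because account enumeration is usually the first stage of a dictionary attack: a source first probes many distinct usernames to learn which exist, then hammers the confirmed ones. The following is an added example, not code from the advisory, from Red Hat or from the pam_krb5 project: a small detector that reads generic PAM-style "authentication failure" syslog lines and flags sources showing either pattern. The log lines, the rhost values, the usernames and the line format are all constructed for the example, and the thresholds are arbitrary assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Constructed sample lines in a generic PAM/syslog style. They are NOT real
# pam_krb5 output and NOT taken from the advisory; hosts and users are made up.
# 192.0.2.10 probes six different accounts, then repeats against "alice";
# 198.51.100.7 is a single ordinary failure and should not be flagged.
SAMPLE_LOG = """\
May 27 11:50:01 host sshd[4101]: pam_krb5[4101]: authentication failure; user=alice rhost=192.0.2.10
May 27 11:50:02 host sshd[4102]: pam_krb5[4102]: authentication failure; user=bob rhost=192.0.2.10
May 27 11:50:02 host sshd[4103]: pam_krb5[4103]: authentication failure; user=carol rhost=192.0.2.10
May 27 11:50:03 host sshd[4104]: pam_krb5[4104]: authentication failure; user=dave rhost=192.0.2.10
May 27 11:50:03 host sshd[4105]: pam_krb5[4105]: authentication failure; user=erin rhost=192.0.2.10
May 27 11:50:04 host sshd[4106]: pam_krb5[4106]: authentication failure; user=frank rhost=192.0.2.10
May 27 11:51:10 host sshd[4107]: pam_krb5[4107]: authentication failure; user=alice rhost=192.0.2.10
May 27 11:51:11 host sshd[4108]: pam_krb5[4108]: authentication failure; user=alice rhost=192.0.2.10
May 27 11:51:12 host sshd[4109]: pam_krb5[4109]: authentication failure; user=alice rhost=192.0.2.10
May 27 11:51:13 host sshd[4110]: pam_krb5[4110]: authentication failure; user=alice rhost=192.0.2.10
May 27 11:52:00 host sshd[4111]: pam_krb5[4111]: authentication failure; user=bob rhost=198.51.100.7
"""

# Matches the constructed line shape: "... authentication failure; user=X rhost=Y"
LINE_RE = re.compile(
    r"authentication failure;.*?user=(?P<user>\S+)\s+rhost=(?P<rhost>\S+)"
)


def parse_failures(text):
    """Yield (rhost, user) for every authentication-failure line in text."""
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("rhost"), m.group("user")


def flag_enumeration(text, distinct_user_threshold=5, repeat_threshold=4):
    """Return {rhost: {"distinct_users": n, "repeated": [users]}} for sources that
    either tried at least distinct_user_threshold different accounts (enumeration)
    or failed at least repeat_threshold times against one account (guessing).
    Both thresholds are assumed values chosen for this example."""
    per_host = defaultdict(lambda: defaultdict(int))
    for rhost, user in parse_failures(text):
        per_host[rhost][user] += 1

    findings = {}
    for rhost, users in per_host.items():
        distinct = len(users)
        repeated = sorted(u for u, n in users.items() if n >= repeat_threshold)
        if distinct >= distinct_user_threshold or repeated:
            findings[rhost] = {"distinct_users": distinct, "repeated": repeated}
    return findings


if __name__ == "__main__":
    for rhost, info in flag_enumeration(SAMPLE_LOG).items():
        print(f"{rhost}: {info['distinct_users']} distinct users, "
              f"repeated attempts on {info['repeated'] or 'none'}")
```

Running the block prints one finding for 192.0.2.10 (six distinct accounts probed, then repeated failures on alice) and nothing for 198.51.100.7. In practice the same logic would be fed from the host's real auth log after adjusting LINE_RE to the actual line format, and the flagged sources would be candidates for rate limiting or lockout at the network edge while the affected pam_krb5 package is updated.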