Bug 962531 (CVE-2002-2443)
Summary: | CVE-2002-2443 krb5: UDP ping-pong flaw in kpasswd | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Vincent Danen <vdanen> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | unspecified | CC: | dpal, jplans, jrusnack, nalin, nathaniel, pkis, vdanen |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2013-10-01 07:07:23 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 962534, 969266, 969267, 969268, 969269 | ||
Bug Blocks: | 962536 |
Description
Vincent Danen
2013-05-13 19:17:25 UTC
Created krb5 tracking bugs for this issue Affects: fedora-all [bug 962534] krb5-1.10.3-17.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report. krb5-1.10.2-12.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report. krb5-1.11.2-6.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report. To work-around this issue, you could use an iptables rule similar to this: -A INPUT -i eth0 -s [IP] -p udp -m state --state NEW -m udp --dport 464 -j REJECT where [IP] is the IP of the host that kpasswd is running on (the above added to /etc/sysconfig/iptables). That should prevent incoming packets to kpasswd that appear to come from the host itself (but still allow the localhost to connect). Alternatively, if you are using something like IPA, you wouldn't be using kpasswd anyways, so you can firewall that port off completely. Likewise, you could firewall it and only allow access from trusted hosts and reject all others. This issue has been addressed in following products: Red Hat Enterprise Linux 6 Red Hat Enterprise Linux 5 Via RHSA-2013:0942 https://rhn.redhat.com/errata/RHSA-2013-0942.html |