Vulnerability Description
The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known whether an exploitable attack scenario exists for these issues.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Heimdal | Heimdal | <= 0.7.2 |
| Mit | Kerberos 5 | 1.4 |
Related Weaknesses (CWE)
References
- ftp://ftp.pdc.kth.se/pub/heimdal/src/heimdal-0.7.2-setuid-patch.txt
- http://fedoranews.org/cms/node/2376
- http://secunia.com/advisories/21402Vendor Advisory
- http://secunia.com/advisories/21436Vendor Advisory
- http://secunia.com/advisories/21439Vendor Advisory
- http://secunia.com/advisories/21461Vendor Advisory
- http://secunia.com/advisories/21467Vendor Advisory
- http://secunia.com/advisories/21527Vendor Advisory
- http://secunia.com/advisories/21613Vendor Advisory
- http://secunia.com/advisories/23707Vendor Advisory
- http://security.gentoo.org/glsa/glsa-200608-21.xml
- http://securitytracker.com/id?1016664
- http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2006-001-setuid.txt
- http://www.debian.org/security/2006/dsa-1146
- http://www.gentoo.org/security/en/glsa/glsa-200608-15.xml
FAQ
What is CVE-2006-3084?
CVE-2006-3084 is a vulnerability with a CVSS score of 7.2 (HIGH). The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b) Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local...
How severe is CVE-2006-3084?
CVE-2006-3084 has been rated HIGH with a CVSS base score of 7.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2006-3084?
Check the references section above for vendor advisories and patch information. Affected products include: Heimdal Heimdal, Mit Kerberos 5.