All releases prior to 0.6.2 have a possible buffer overrun in the
Kerberos 4 kadmin compatibility module. It would probably be possible
to implement a remote exploit for this, depending on architecture.
0.6.2 fixes this problem, as well as making Kerberos 4 kadmin default
off.
We suggest that you turn off Kerberos 4 kadmin with the --no-kerberos4
option to kadmind. Even if you have a good reason to keep using the
Kerberos 4 kadmin protocol, you should still turn it off until you have
upgraded to 0.6.2.
To check whether a kadmind is vulnerable you have to check both its
version and whether it was built with Kerberos 4 support at all:
$ /usr/heimdal/libexec/kadmind --version
kadmind (Heimdal 0.6.1)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se
$ /usr/heimdal/libexec/kadmind --help
Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file] [-k file]
[--keytab=keytab] [--realm=realm] [-r realm] [--check-library=library]
[--check-function=function] [--debug] [--no-kerberos4] [--ports=port]
[-p port] [--help] [--version]
-c file, --config-file=file location of config file
-k file, --key-file=file location of master key file
--keytab=keytab what keytab to use
-r realm, --realm=realm realm to use
--check-library=library library to load password check function from
--check-function=function password check function to load
-d, --debug enable debugging
--no-kerberos4 don't respond to kerberos 4 requests
-p port, --ports=port ports to listen to
Binaries built without Kerberos 4 support will not show the
--no-kerberos4 option, and are not affected.
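The following POSIX shell script is an added example, not part of the Heimdal advisory or of Heimdal itself. It automates the two checks described above: it parses the Heimdal version out of `kadmind --version`, compares it against 0.6.2, and then looks for `--no-kerberos4` in `kadmind --help` to tell whether the binary was built with Kerberos 4 support. The kadmind path is an assumption (override it with the KADMIND environment variable), and the sample outputs embedded at the bottom are constructed from the transcript above so the script can be exercised on a host without Heimdal installed.

```shell
#!/bin/sh
# Added example (not Heimdal's own code): classify a kadmind binary using
# the two checks from the advisory. Path below is an assumption.
KADMIND="${KADMIND:-/usr/heimdal/libexec/kadmind}"

# Pull the version out of the first line of --version output,
# e.g. "kadmind (Heimdal 0.6.1)" -> "0.6.1". Prints nothing if unparsable.
heimdal_version() {
    printf '%s\n' "$1" \
        | sed -n 's/^kadmind (Heimdal \([0-9][0-9.]*\)).*/\1/p' \
        | head -n 1
}

# Dotted-version comparison: succeeds (exit 0) when $1 < $2.
# Missing components count as 0, so 0.6 < 0.6.2 and 0.6.2 == 0.6.2.
version_lt() {
    a="$1"; b="$2"; i=1
    while :; do
        x=$(printf '%s' "$a" | cut -d. -f"$i")
        y=$(printf '%s' "$b" | cut -d. -f"$i")
        [ -z "$x" ] && [ -z "$y" ] && return 1   # ran out on both: equal
        x=${x:-0}; y=${y:-0}
        [ "$x" -lt "$y" ] && return 0
        [ "$x" -gt "$y" ] && return 1
        i=$((i + 1))
    done
}

# A binary built with Kerberos 4 support advertises --no-kerberos4 in --help.
built_with_krb4() {
    printf '%s\n' "$1" | grep -q -- '--no-kerberos4'
}

# assess VERSION_OUTPUT HELP_OUTPUT
# Prints: vulnerable | no-krb4 | fixed-version | unknown
assess() {
    ver=$(heimdal_version "$1")
    if [ -z "$ver" ]; then
        echo unknown          # not a Heimdal kadmind, or output changed
        return
    fi
    if ! version_lt "$ver" 0.6.2; then
        echo fixed-version    # 0.6.2 or later carries the fix
        return
    fi
    if built_with_krb4 "$2"; then
        echo vulnerable       # old version AND Kerberos 4 kadmin compiled in
    else
        echo no-krb4          # old version, but the affected module is absent
    fi
}

# Run the checks against the installed binary, if there is one.
check_installed() {
    if [ -x "$KADMIND" ]; then
        assess "$("$KADMIND" --version 2>&1)" "$("$KADMIND" --help 2>&1)"
    else
        echo unknown
    fi
}

# Constructed sample outputs mirroring the advisory's transcript.
SAMPLE_VERSION='kadmind (Heimdal 0.6.1)
Copyright 1999-2004 Kungliga Tekniska Högskolan
Send bug-reports to heimdal-bugs@pdc.kth.se'
SAMPLE_VERSION_FIXED='kadmind (Heimdal 0.6.2)
Copyright 1999-2004 Kungliga Tekniska Högskolan'
SAMPLE_HELP_KRB4="Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file] [-k file]
[--keytab=keytab] [--realm=realm] [-r realm] [--debug] [--no-kerberos4] [--ports=port]
  --no-kerberos4            don't respond to kerberos 4 requests"
SAMPLE_HELP_NOKRB4="Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file] [-k file]
[--keytab=keytab] [--realm=realm] [-r realm] [--debug] [--ports=port]"

echo "sample 0.6.1, krb4 built in:  $(assess "$SAMPLE_VERSION" "$SAMPLE_HELP_KRB4")"
echo "sample 0.6.1, no krb4:        $(assess "$SAMPLE_VERSION" "$SAMPLE_HELP_NOKRB4")"
echo "sample 0.6.2, krb4 built in:  $(assess "$SAMPLE_VERSION_FIXED" "$SAMPLE_HELP_KRB4")"
echo "installed $KADMIND:           $(check_installed)"
```

Note that the check only tells you what the binary is capable of; a kadmind from an affected version that was built with Kerberos 4 support stays exposed until it is restarted with --no-kerberos4 or replaced by 0.6.2, where Kerberos 4 kadmin is off by default.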