All releases prior to 0.6.2 have a possible buffer overrun problem in the Kerberos 4 kadmin compatibility module. It would probably be possible to implement a remote exploit for this, depending on architecture.
0.6.2 fixes this problem and also makes Kerberos 4 kadmin off by default.
We suggest that you turn off Kerberos 4 kadmin with the --no-kerberos4 option to kadmind. Even if you have a good reason to keep using the Kerberos 4 kadmin protocol, you should still turn it off until you have upgraded to 0.6.2.
To check for a vulnerable kadmind, check its version and also whether it was built with Kerberos 4 support at all:

    $ /usr/heimdal/libexec/kadmind --version
    kadmind (Heimdal 0.6.1)
    Copyright 1999-2004 Kungliga Tekniska Högskolan
    Send bug-reports to heimdal-bugs@pdc.kth.se
    $ /usr/heimdal/libexec/kadmind --help
    Usage: kadmind [-dhv] [--config-file=file] [-c file] [--key-file=file]
    [-k file] [--keytab=keytab] [--realm=realm] [-r realm]
    [--check-library=library] [--check-function=function] [--debug]
    [--no-kerberos4] [--ports=port] [-p port] [--help] [--version]
    -c file, --config-file=file       location of config file
    -k file, --key-file=file          location of master key file
    --keytab=keytab                   what keytab to use
    -r realm, --realm=realm           realm to use
    --check-library=library           library to load password check function from
    --check-function=function         password check function to load
    -d, --debug                       enable debugging
    --no-kerberos4                    don't respond to kerberos 4 requests
    -p port, --ports=port             ports to listen to

Binaries without Kerberos 4 support will not show the --no-kerberos4 option.
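
The two checks above can be scripted so they run the same way on every KDC host. The following is an added example, not part of the Heimdal distribution; the function names are hypothetical and the default path is the one used in the session above.

```sh
#!/bin/sh
# Added example: classify a kadmind binary from its --version and --help text.
# Default path is the one shown in the advisory; override KADMIND for your install.
KADMIND="${KADMIND:-/usr/heimdal/libexec/kadmind}"

# Print the release number from "kadmind (Heimdal X.Y.Z)" output.
heimdal_version() {
    printf '%s\n' "$1" | sed -n 's/.*(Heimdal \([0-9][0-9.]*\)).*/\1/p' | head -n 1
}

# Succeed if version $1 is older than $2, comparing dotted components
# numerically (so 0.10 is newer than 0.6.2, and 0.6 is older than 0.6.2).
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".")
        for (i = 1; i <= (n > m ? n : m); i++) {
            if (x[i] + 0 < y[i] + 0) exit 0
            if (x[i] + 0 > y[i] + 0) exit 1
        }
        exit 1
    }'
}

# Succeed if the --help text lists --no-kerberos4, i.e. the binary was
# built with Kerberos 4 support.
has_krb4() {
    printf '%s\n' "$1" | grep -q -e '--no-kerberos4'
}

# classify VERSION_TEXT HELP_TEXT
# Prints one of: vulnerable, fixed, no-krb4, unknown
classify() {
    v=$(heimdal_version "$1")
    [ -n "$v" ] || { echo unknown; return; }
    has_krb4 "$2" || { echo no-krb4; return; }
    if version_lt "$v" 0.6.2; then echo vulnerable; else echo fixed; fi
}

# Check the local binary only when it is actually installed.
if [ -x "$KADMIND" ]; then
    classify "$("$KADMIND" --version 2>&1)" "$("$KADMIND" --help 2>&1)"
fi
```

A result of `vulnerable` means the binary is older than 0.6.2 and was built with Kerberos 4 support, so it should be run with --no-kerberos4 until it is upgraded.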
See also CAN-2004-0434.