CVE-2011-0285 : The process_chpw_request function in schpw.c in the password-changing functional

The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.

Published 2011-04-15 00:55:01

Updated 2025-04-11 00:51:22

Source MITRE

View at NVD, CVE.org

Vulnerability category: Execute codeDenial of service

Products affected by CVE-2011-0285

MIT » Kerberos 5 » Version: 1.7
cpe:2.3:a:mit:kerberos_5:1.7:*:*:*:*:*:*:*
Matching versions
MIT » Kerberos 5 » Version: 1.7.1
cpe:2.3:a:mit:kerberos_5:1.7.1:*:*:*:*:*:*:*
Matching versions
MIT » Kerberos 5 » Version: 1.8
cpe:2.3:a:mit:kerberos_5:1.8:*:*:*:*:*:*:*
Matching versions
MIT » Kerberos 5 » Version: 1.8.3
cpe:2.3:a:mit:kerberos_5:1.8.3:*:*:*:*:*:*:*
Matching versions
MIT » Kerberos 5 » Version: 1.8.1
cpe:2.3:a:mit:kerberos_5:1.8.1:*:*:*:*:*:*:*
Matching versions
MIT » Kerberos 5 » Version: 1.8.2
cpe:2.3:a:mit:kerberos_5:1.8.2:*:*:*:*:*:*:*
Matching versions
MIT » Kerberos 5 » Version: 1.9
cpe:2.3:a:mit:kerberos_5:1.9:*:*:*:*:*:*:*
Matching versions

Exploit prediction scoring system (EPSS) score for CVE-2011-0285

EPSS FAQ

34.16%

Probability of exploitation activity in the next 30 days EPSS Score History

~ 97 %

Percentile, the proportion of vulnerabilities that are scored at or less

CVSS scores for CVE-2011-0285

Base Score	Base Severity	CVSS Vector	Exploitability Score	Impact Score	Score Source	First Seen
10.0	HIGH	AV:N/AC:L/Au:N/C:C/I:C/A:C	10.0	10.0	NIST
Access Vector: Network Access Complexity: Low Authentication: None Confidentiality Impact: Complete Integrity Impact: Complete Availability Impact: Complete

CWE ids for CVE-2011-0285

CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Assigned by: nvd@nist.gov (Primary)

References for CVE-2011-0285

http://www.vupen.com/english/advisories/2011/0997

Webmail | OVH- OVH
http://www.securityfocus.com/archive/1/517484/100/0/threaded

SecurityFocus
http://www.securitytracker.com/id?1025320

Kerberos kadmind Can Be Crashed By a Remote Users Conducting an NMAP Scan - SecurityTracker
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621726

#621726 - krb5-admin-server: kadmind dies after nmap -sV - Debian Bug report logs
http://www.vupen.com/english/advisories/2011/0986

Webmail | OVH- OVH
http://www.vupen.com/english/advisories/2011/0936

Webmail | OVH- OVH
http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058181.html

[SECURITY] Fedora 15 Update: krb5-1.9-7.fc15
http://secunia.com/advisories/44196

Sign in
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt

Patch;Vendor Advisory
http://osvdb.org/71789
http://secunia.com/advisories/44125

Sign in
http://securityreason.com/securityalert/8200

kadmind invalid pointer free() - CXSecurity.com
http://www.redhat.com/support/errata/RHSA-2011-0447.html

Support
http://secunia.com/advisories/44181

Sign in
http://krbdev.mit.edu/rt/Ticket/Display.html?id=6899

#6899: kadmind frees invalid pointer [MITKRB5-SA-2011-004 CVE-2011-0285]
http://www.mandriva.com/security/advisories?name=MDVSA-2011:077

mandriva.com
https://hermes.opensuse.org/messages/8086843

openSUSE.org - 503
http://www.securityfocus.com/bid/47310

MIT Kerberos kadmind Change Password Feature Remote Code Execution Vulnerability

Jump to

Vulnerability Details : CVE-2011-0285

Products affected by CVE-2011-0285

Exploit prediction scoring system (EPSS) score for CVE-2011-0285

CVSS scores for CVE-2011-0285

CWE ids for CVE-2011-0285

References for CVE-2011-0285