#VU8900 Double free error in Kerberos - CVE-2017-11462
Published: October 19, 2017 / Updated: March 20, 2018
Vulnerability identifier: #VU8900
Vulnerability risk: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2017-11462
CWE-ID: CWE-415
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Kerberos
Software vendor:
MIT
Description
The vulnerability allows a remote attacker to cause a denial of service (DoS) condition or execute arbitrary code on the target system.
The weakness exists due to a double free during the automatic deletion of security contexts on error by the GSS-API. A remote attacker can delete an existing security context on a second or subsequent call to gss_init_sec_context() or gss_accept_sec_context(), trigger memory corruption and cause denial of service or execute arbitrary code.
Remediation
Update to version 1.14.6 or 1.15.2.
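The ownership hazard from the Description, as an added toy model in C; it is not MIT krb5 code and not part of this advisory. All `toy_*` names are hypothetical, releases are counted rather than passed to free() so a double release is observable, and the caller that keeps its own cached copy of the context handle is an assumption made for illustration.

```c
#include <stdio.h>

/* Toy model only: hypothetical names, not MIT krb5 code. Releases are
 * counted instead of calling free(), so a double release is observable. */
typedef struct { int releases; } toy_ctx;
#define TOY_NO_CONTEXT ((toy_ctx *)0)

static void toy_delete(toy_ctx **h) {
    if (*h != TOY_NO_CONTEXT) {
        (*h)->releases++;
        *h = TOY_NO_CONTEXT;   /* handle is reset for whoever passed it in */
    }
}

/* Models a second or subsequent init/accept call that fails.
 * lib_deletes=1: the library deletes the existing context on error.
 * lib_deletes=0: the library leaves the context for the caller to delete. */
static int toy_step_fail(toy_ctx **h, int lib_deletes) {
    if (lib_deletes)
        toy_delete(h);
    return -1;
}

/* Returns how many times the one context was released.
 * caller_checks=0: caller releases its cached copy of the handle on error.
 * caller_checks=1: caller releases only through the handle the library saw. */
static int releases_after_failed_step(int lib_deletes, int caller_checks) {
    toy_ctx ctx = { 0 };
    toy_ctx *handle = &ctx;
    toy_ctx *cached = handle;          /* e.g. stored in a connection struct */

    if (toy_step_fail(&handle, lib_deletes) != 0) {
        if (caller_checks)
            toy_delete(&handle);       /* no-op if already TOY_NO_CONTEXT */
        else
            toy_delete(&cached);       /* stale copy: may release again */
    }
    return ctx.releases;
}

int main(void) {
    for (int lib = 1; lib >= 0; lib--)
        for (int chk = 0; chk <= 1; chk++)
            printf("lib_deletes=%d caller_checks=%d releases=%d\n",
                   lib, chk, releases_after_failed_step(lib, chk));
    return 0;
}
```

Only the combination of delete-on-error and an unchecked caller releases the context twice; every other combination releases it exactly once.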