Environment
Novell Kerberos KDC
Situation
In the ksu application program packaged in the Novell Kerberos KDC distribution, calls to setuid() and seteuid() were not always checked for success. The primary risk is believed to be to Linux systems, due to the behavior of their implementation of the setuid() and seteuid() system calls. A local user could potentially exploit one of these vulnerabilities to escalate privileges. No exploit code is known to exist at this time.
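The class of bug described above, shown as an added C example (not code from ksu or the Novell distribution): an unchecked uid change beside a checked one that fails closed. The function names and the two stub setters are hypothetical, constructed so the example runs without root.

```c
#define _POSIX_C_SOURCE 200112L
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Signature shared by setuid() and seteuid(); injectable so failures can be simulated. */
typedef int (*uid_setter)(uid_t);

/* Unchecked pattern: the return value is discarded, so the caller
 * continues with whatever identity the process actually has. */
static void drop_unchecked(uid_setter set_id, uid_t target)
{
    (void)set_id(target);
}

/* Checked pattern: fail closed if the call reports an error, and also
 * confirm the effective uid really is the target afterwards.
 * Returns 0 on success, -1 if the caller must not continue. */
static int drop_checked(uid_setter set_id, uid_t target)
{
    if (set_id(target) != 0) {
        fprintf(stderr, "uid change failed: %s\n", strerror(errno));
        return -1;
    }
    if (geteuid() != target) {
        fprintf(stderr, "uid change reported success but euid is %ld\n",
                (long)geteuid());
        return -1;
    }
    return 0;
}

/* Constructed stand-ins: a call that fails, and one that returns 0 but changes nothing. */
static int always_fails(uid_t uid) { (void)uid; errno = EPERM; return -1; }
static int silent_noop(uid_t uid) { (void)uid; return 0; }

int main(void)
{
    uid_t other = geteuid() + 1;         /* any uid we are not running as */
    drop_unchecked(always_fails, other); /* carries on with the old uid */
    printf("after unchecked drop, euid is still %ld\n", (long)geteuid());
    if (drop_checked(always_fails, other) != 0)
        puts("checked drop refused to continue");
    return drop_checked(seteuid, geteuid()) == 0 ? 0 : 1;
}
```

In a setuid program the caller should exit when the checked form returns -1, before running anything on the user's behalf.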
Resolution
Install version 1.0.1 of the Novell Kerberos KDC which contains a new ksu utility without the vulnerability. The new release is available at the Novell download site.
Status
Security Alert
Additional Information
CVE: CVE-2006-3083
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3083
CVE: CVE-2006-3084
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3084