The MIT Kerberos team reports:
MIT krb incorrectly accepts an unkeyed checksum with DES session keys for version 2 (RFC 4121) of the GSS-API krb5 mechanism.
An unauthenticated remote attacker can forge GSS tokens that are intended to be integrity-protected but unencrypted, if the targeted pre-existing application session uses a DES session key.
MIT krb5 KDC incorrectly accepts RFC 3961 key-derivation checksums using RC4 keys when verifying the req-checksum in a KrbFastArmoredReq.
An unauthenticated remote attacker has a 1/256 chance of swapping a client-issued KrbFastReq into a different KDC-REQ, if the armor key is RC4. The consequences are believed to be minor.
Disclaimer: The data contained on this page is derived from the VuXML document, please refer to the the original document for copyright information. The author of portaudit makes no claim of authorship or ownership of any of the information contained herein.
If you have found a vulnerability in a FreeBSD port not listed in the database, please contact the FreeBSD Security Team. Refer to "FreeBSD Security Information" for more information.