Note: This is an archival copy of Security Sun Alert 201319 as previously published on
Latest version of this security advisory is available from as Sun Alert 1000994.1.
Article ID : 1000994.1
Article Type : Sun Alerts (SURE)
Last reviewed : 2007-10-21
Audience : PUBLIC
Copyright Notice: Copyright © 2010, Oracle Corporation and/or its affiliates.

Security Vulnerability in RPCSEC_GSS (rpcsec_gss(3NSL)) Affects Kerberos Administration Daemon (kadmind(1M))


Release Phase

Solaris 9 Operating System
Solaris 10 Operating System
Solaris 8 Operating System

Bug Id

Date of Workaround Release

Date of Resolved Release


A stack overflow vulnerability in the RPCSEC_GSS (see rpcsec_gss(3NSL)) security flavor used to access the Generic Security Services Application Programming Interface (GSS-API) affects the Kerberos administration daemon (kadmind(1M)). This vulnerability may allow an unauthorized remote user the ability to execute arbitrary commands on Kerberos Key Distribution Center(KDC) systems with the privileges of the kadmind(1M) daemon (usually root). This may also allow the remote user to compromise the Kerberos key database or cause the kadmind(1M) daemon to crash, which is a type of Denial of Service (DoS).

Note: Third-party applications which utilize RPCSEC_GSS may also be affected.

This issue is also referenced in the following documents:

MITKRB5-SA-2007-006 at:

CVE-2007-3999 at:

Note: Solaris is not affected by CVE-2007-4000 mentioned in MITKRB5-SA-2007-006.

Contributing Factors

This issue can occur in the following releases:

SPARC Platform

  • Solaris 8 without patch 126928-02
  • Solaris 9 without patch 113318-32
  • Solaris 10 without patch 126661-02

x86 Platform

  • Solaris 8 without patch 126929-02
  • Solaris 9 without patch 117468-18
  • Solaris 10 without patch 126662-02

Note: This issue only occurs if the system is configured as a Key Distribution Center (KDC).

To determine if the system is configured as a Key Distribution Center, the following command can be used:

    % pgrep -l kadmind
    938 kadmind

If the above command shows a process id, the daemon kadmind(1M) is running and the machine is configured as the Key Distribution Center (KDC).


There are no predictable symptoms that would indicate the described vulnerability has been exploited.


There is no workaround.  Please see the Resolution section below.


This issue is addressed in the following releases:

SPARC Platform

  • Solaris 8 with patch 126928-02 or later
  • Solaris 9 with patch 113318-32 or later
  • Solaris 10 with patch 126661-02 or later

x86 Platform

  • Solaris 8 with patch 126929-02 or later
  • Solaris 9 with patch 117468-18 or later
  • Solaris 10 with patch 126662-02 or later

Modification History
Date: 10-OCT-2007
  • Updated Relief/Workaround section

Date: 16-OCT-2007
  • Updated Contributing Factors, Relief/Workaround, and Resolution sections

Date: 22-OCT-2007
  • State: Resolved
  • Updated Contributing Factors and Resolution sections



This solution has no attachment