Volerion logoVolerion
Volerion logoVolerion

CryptoLib Command Injection Vulnerability in Kerberos Login Function

Vulnerability

A command injection vulnerability has been identified in CryptoLib versions prior to 1.4.2. The issue arises in the 'initialize_kerberos_keytab_file_login()' function, where user-controlled input is directly interpolated into a shell command and executed via 'system()' without any sanitization or validation. This vulnerability allows for arbitrary command execution by manipulating the 'username' or 'keytab_file_path' parameters.

Impact

Exploitation of this vulnerability allows for arbitrary command execution on the system where CryptoLib is running.

Reproduction

The vulnerability can be reproduced by calling the 'Crypto_Config_Cam()' function with malicious input that includes command execution payloads in the 'username' or 'keytab_file_path' parameters. This will trigger the vulnerability by executing the injected commands when 'initialize_kerberos_keytab_file_login()' is called.

Remediation

Users can upgrade to CryptoLib version 1.4.2 or later, where this vulnerability has been patched.

Added: Sep 23, 2025, 7:18 PM
Updated: Sep 23, 2025, 7:18 PM

Vulnerability Rating

Custom Algorithm
spread
0.0
impact
7.5
exploitability
4.6
remediation
7.7
relevance
0.5
threat
6.4
urgency
2.9
incentive
1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.