ID CVE-2005-1174
Summary MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
References
Vulnerable Configurations
  • MIT Kerberos 5 1.3
    cpe:2.3:a:mit:kerberos:5-1.3
  • MIT Kerberos 5 1.3.1
    cpe:2.3:a:mit:kerberos:5-1.3.1
  • MIT Kerberos 5 1.3.2
    cpe:2.3:a:mit:kerberos:5-1.3.2
  • MIT Kerberos 5 1.3.3
    cpe:2.3:a:mit:kerberos:5-1.3.3
  • MIT Kerberos 5 1.3.4
    cpe:2.3:a:mit:kerberos:5-1.3.4
  • MIT Kerberos 5 1.3.5
    cpe:2.3:a:mit:kerberos:5-1.3.5
  • MIT Kerberos 5 1.3.6
    cpe:2.3:a:mit:kerberos:5-1.3.6
  • MIT Kerberos 5 1.4
    cpe:2.3:a:mit:kerberos:5-1.4
  • MIT Kerberos 5 1.4.1
    cpe:2.3:a:mit:kerberos:5-1.4.1
CVSS
Base: 5.0 (as of 18-07-2005 - 09:50)
Impact:
Exploitability:
Access
VectorComplexityAuthentication
NETWORK LOW NONE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
nessus via4
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-773.NASL
    description This advisory adds security support for the stable amd64 distribution. It covers all security updates since the release of sarge, which were missing updated packages for the not yet official amd64 port. Future security advisories will include updates for this port as well.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 57528
    published 2012-01-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57528
    title Debian DSA-773-1 : amd64 - several vulnerabilities
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_SECUPD2005-007.NASL
    description The remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HItoolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirelMail - traceroute - WebKit - WebLog Server - X11 - zlib
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 19463
    published 2005-08-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19463
    title Mac OS X Multiple Vulnerabilities (Security Update 2005-007)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2005-567.NASL
    description Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 21946
    published 2006-07-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=21946
    title CentOS 4 : krb5 (CESA-2005:567)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2005-567.NASL
    description Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 18688
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18688
    title RHEL 4 : krb5 (RHSA-2005:567)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-224-1.NASL
    description Gael Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468) Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i. e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469) Daniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP connection requests, a remote attacker could trigger a double-freeing of memory, which led to memory corruption and a crash of the KDC server. (CVE-2005-1174). Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server. (CVE-2005-1175) Magnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most imporantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package). (CVE-2005-1689) Please note that these packages are not officially supported by Ubuntu (they are in the 'universe' component of the archive). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 20767
    published 2006-01-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=20767
    title Ubuntu 4.10 / 5.04 : krb4, krb5 vulnerabilities (USN-224-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-757.NASL
    description Daniel Wachdorf reported two problems in the MIT krb5 distribution used for network authentication. First, the KDC program from the krb5-kdc package can corrupt the heap by trying to free memory which has already been freed on receipt of a certain TCP connection. This vulnerability can cause the KDC to crash, leading to a denial of service. [ CAN-2005-1174] Second, under certain rare circumstances this type of request can lead to a buffer overflow and remote code execution. [ CAN-2005-1175] Additionally, Magnus Hagander reported another problem in which the krb5_recvauth function can in certain circumstances free previously freed memory, potentially leading to the execution of remote code. [ CAN-2005-1689] All of these vulnerabilities are believed difficult to exploit, and no exploits have yet been discovered.
    last seen 2019-02-21
    modified 2018-08-09
    plugin id 19219
    published 2005-07-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19219
    title Debian DSA-757-1 : krb5 - buffer overflow, double-free memory
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200507-11.NASL
    description The remote host is affected by the vulnerability described in GLSA-200507-11 (MIT Kerberos 5: Multiple vulnerabilities) Daniel Wachdorf discovered that MIT Kerberos 5 could corrupt the heap by freeing unallocated memory when receiving a special TCP request (CAN-2005-1174). He also discovered that the same request could lead to a single-byte heap overflow (CAN-2005-1175). Magnus Hagander discovered that krb5_recvauth() function of MIT Kerberos 5 might try to double-free memory (CAN-2005-1689). Impact : Although exploitation is considered difficult, a remote attacker could exploit the single-byte heap overflow and the double-free vulnerability to execute arbitrary code, which could lead to the compromise of the whole Kerberos realm. A remote attacker could also use the heap corruption to cause a Denial of Service. Workaround : There are no known workarounds at this time.
    last seen 2019-02-21
    modified 2018-08-10
    plugin id 18686
    published 2005-07-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=18686
    title GLSA-200507-11 : MIT Kerberos 5: Multiple vulnerabilities
  • NASL family Mandriva Local Security Checks
    NASL id MANDRAKE_MDKSA-2005-119.NASL
    description A number of vulnerabilities have been corrected in this Kerberos update : The rcp protocol would allow a server to instruct a client to write to arbitrary files outside of the current directory. The Kerberos-aware rcp could be abused to copy files from a malicious server (CVE-2004-0175). Gael Delalleau discovered an information disclosure vulnerability in the way some telnet clients handled messages from a server. This could be abused by a malicious telnet server to collect information from the environment of any victim connecting to the server using the Kerberos- aware telnet client (CVE-2005-0488). Daniel Wachdorf disovered that in error conditions that could occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory, which could cause the KDC to crash resulting in a Denial of Service (CVE-2005-1174). Daniel Wachdorf also discovered a single-byte heap overflow in the krb5_unparse_name() function that could, if successfully exploited, lead to a crash, resulting in a DoS. To trigger this flaw, an attacker would need to have control of a Kerberos realm that shares a cross- realm key with the target (CVE-2005-1175). Finally, a double-free flaw was discovered in the krb5_recvauth() routine which could be triggered by a remote unauthenticated attacker. This issue could potentially be exploited to allow for the execution of arbitrary code on a KDC. No exploit is currently known to exist (CVE-2005-1689). The updated packages have been patched to address this issue and Mandriva urges all users to upgrade to these packages as quickly as possible.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 19201
    published 2005-07-14
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=19201
    title Mandrake Linux Security Advisory : krb5 (MDKSA-2005:119)
oval via4
  • accepted 2013-04-29T04:03:45.682-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 4
      oval oval:org.mitre.oval:def:11831
    • comment CentOS Linux 4.x
      oval oval:org.mitre.oval:def:16636
    • comment Oracle Linux 4.x
      oval oval:org.mitre.oval:def:15990
    description MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
    family unix
    id oval:org.mitre.oval:def:10229
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
    version 23
  • accepted 2007-03-21T16:17:18.240-04:00
    class vulnerability
    contributors
    • name Robert L. Hollis
      organization ThreatGuard, Inc.
    • name Nabil Ouchn
      organization Security-Database
    description MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
    family unix
    id oval:org.mitre.oval:def:397
    status accepted
    submitted 2006-09-22T05:52:00.000-04:00
    title MIT Kerberos 5 Key Distribution Center Remote Denial of Service Vulnerability
    version 33
redhat via4
advisories
rhsa
id RHSA-2005:567
refmap via4
aixapar IY85474
apple
  • APPLE-SA-2005-08-15
  • APPLE-SA-2005-08-17
bid 14240
bugtraq 20050712 MITKRB5-SA-2005-002: buffer overflow, heap corruption in KDC
cert-vn VU#259798
confirm http://web.mit.edu/kerberos/advisories/2005-002-patch_1.4.1.txt
debian DSA-757
sectrack 1014460
secunia
  • 16041
  • 17899
  • 20364
sgi 20050703-01-U
sunalert 101809
suse SUSE-SR:2005:017
trustix 2005-0036
turbo TLSA-2005-78
ubuntu USN-224-1
vupen
  • ADV-2005-1066
  • ADV-2006-2074
xf kerberos-kdc-krb5-tcp-connection-dos(21327)
Last major update 17-10-2016 - 23:17
Published 18-07-2005 - 00:00
Last modified 03-10-2018 - 17:30
Back to Top