ID CVE-2009-0844
Summary The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.
References
Vulnerable Configurations
  • MIT Kerberos 5
    cpe:2.3:a:mit:kerberos:5
  • MIT Kerberos 5 1.5
    cpe:2.3:a:mit:kerberos:5-1.5
  • MIT Kerberos 5 1.5.1
    cpe:2.3:a:mit:kerberos:5-1.5.1
  • MIT Kerberos 5 1.5.2
    cpe:2.3:a:mit:kerberos:5-1.5.2
  • MIT Kerberos 5 1.5.3
    cpe:2.3:a:mit:kerberos:5-1.5.3
  • MIT Kerberos 5 1.6
    cpe:2.3:a:mit:kerberos:5-1.6
  • MIT Kerberos 5 1.6.1
    cpe:2.3:a:mit:kerberos:5-1.6.1
  • MIT Kerberos 5 1.6.2
    cpe:2.3:a:mit:kerberos:5-1.6.2
  • MIT Kerberos 5 1.6.3
    cpe:2.3:a:mit:kerberos:5-1.6.3
CVSS
Base: 5.8 (as of 09-04-2009 - 08:15)
Impact:
Exploitability:
CWE CWE-119
CAPEC
  • Buffer Overflow via Environment Variables
    This attack pattern involves causing a buffer overflow through manipulation of environment variables. Once the attacker finds that they can modify an environment variable, they may try to overflow associated buffers. This attack leverages implicit trust often placed in environment variables.
  • Overflow Buffers
    Buffer Overflow attacks target improper or missing bounds checking on buffer operations, typically triggered by input injected by an attacker. As a consequence, an attacker is able to write past the boundaries of allocated buffer regions in memory, causing a program crash or potentially redirection of execution as per the attackers' choice.
  • Client-side Injection-induced Buffer Overflow
    This type of attack exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  • Filter Failure through Buffer Overflow
    In this attack, the idea is to cause an active filter to fail by causing an oversized transaction. An attacker may try to feed overly long input strings to the program in an attempt to overwhelm the filter (by causing a buffer overflow) and hoping that the filter does not fail securely (i.e. the user input is let into the system unfiltered).
  • MIME Conversion
    An attacker exploits a weakness in the MIME conversion routine to cause a buffer overflow and gain control over the mail server machine. The MIME system is designed to allow various different information formats to be interpreted and sent via e-mail. Attack points exist when data are converted to MIME compatible format and back.
  • Overflow Binary Resource File
    An attack of this type exploits a buffer overflow vulnerability in the handling of binary resources. Binary resources may include music files like MP3, image files like JPEG files, and any other binary file. These attacks may pass unnoticed to the client machine through normal usage of files, such as a browser loading a seemingly innocent JPEG file. This can allow the attacker access to the execution stack and execute arbitrary code in the target process. This attack pattern is a variant of standard buffer overflow attacks using an unexpected vector (binary files) to wrap its attack and open up a new attack vector. The attacker is required to either directly serve the binary content to the victim, or place it in a locale like an MP3 sharing application, for the victim to download. The attacker then is notified upon the download or otherwise locates the vulnerability opened up by the buffer overflow.
  • Buffer Overflow via Symbolic Links
    This type of attack leverages the use of symbolic links to cause buffer overflows. An attacker can try to create or manipulate a symbolic link file such that its contents result in out of bounds data. When the target software processes the symbolic link file, it could potentially overflow internal buffers with insufficient bounds checking.
  • Overflow Variables and Tags
    This type of attack leverages the use of tags or variables from a formatted configuration data to cause buffer overflow. The attacker crafts a malicious HTML page or configuration file that includes oversized strings, thus causing an overflow.
  • Buffer Overflow via Parameter Expansion
    In this attack, the target software is given input that the attacker knows will be modified and expanded in size during processing. This attack relies on the target software failing to anticipate that the expanded data may exceed some internal limit, thereby creating a buffer overflow.
  • Buffer Overflow in an API Call
    This attack targets libraries or shared code modules which are vulnerable to buffer overflow attacks. An attacker who has access to an API may try to embed malicious code in the API function call and exploit a buffer overflow vulnerability in the function's implementation. All clients that make use of the code library thus become vulnerable by association. This has a very broad effect on security across a system, usually affecting more than one software process.
  • Buffer Overflow in Local Command-Line Utilities
    This attack targets command-line utilities available in a number of shells. An attacker can leverage a vulnerability found in a command-line utility to escalate privilege to root.
Access
Vector: NETWORK
Complexity: MEDIUM
Authentication: NONE
Impact
Confidentiality: PARTIAL
Integrity: NONE
Availability: PARTIAL
nessus via4
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20090407_KRB5_ON_SL4_X.NASL
    description An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) Multiple input validation flaws were found in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism. A remote attacker could use these flaws to crash any network service utilizing the MIT Kerberos GSS-API library to authenticate users or, possibly, leak portions of the service's memory. (CVE-2009-0844, CVE-2009-0845)
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 60564
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60564
    title Scientific Linux Security Update : krb5 on SL4.x, SL5.x i386/x86_64
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2009-0008.NASL
    description a. Service Console package krb5 update Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. An input validation flaw in the asn1_decode_generaltime function in MIT Kerberos 5 before 1.6.4 allows remote attackers to cause a denial of service or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service. NOTE: ESX by default is unaffected by this issue, the daemons kadmind and krb5kdc are not installed in ESX. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2009-0846 to this issue. In addition the ESX 4.0 Service Console krb5 package was also updated for CVE-2009-0845, and CVE-2009-0844 and RHBA-2009-0135. MIT Kerberos versions 5 1.5 through 1.6.3 might allow remote attackers to cause a denial of service by using invalid ContextFlags data in the reqFlags field in a negTokenInit token. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0845 to this issue. MIT Kerberos 5 before version 1.6.4 might allow remote attackers to cause a denial of service or possibly execute arbitrary code by using vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. The Common Vulnerabilities and Exposures Project (cve.mitre.org) has assigned the name CVE-2009-0846 to this issue. For ESX 4.0, 3.5, 3.0.3 the Service Console package pam_krb5 has also been upgraded. For details on the non-security issues that this upgrade addresses, refer to the respective KB article listed in section 4 below.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 40393
    published 2009-07-27
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40393
    title VMSA-2009-0008 : ESX Service Console update for krb5
  • NASL family Misc.
    NASL id VMWARE_VMSA-2009-0008_REMOTE.NASL
    description The remote VMware ESX host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities : - An out-of-bounds read error exists in the MIT Kerberos SPNEGO implementation in the get_input_token() function. A remote attacker can exploit this, via a crafted length value, to cause a denial of service or to obtain access to sensitive information. (CVE-2009-0844) - A NULL pointer dereference flaw exists in MIT Kerberos in the spnego_gss_accept_sec_context() function when SPNEGO is used. A remote attacker can exploit this, via invalid ContextFlags data in the 'reqFlags' field within a 'negTokenInit' token, to cause a denial of service. (CVE-2009-0845) - A flaw exists in the MIT Kerberos ASN.1 GeneralizedTime decoder in the asn1_decode_generaltime() function. A remote attacker can exploit this, via vectors involving invalid DER encoding, to free an uninitialized pointer, resulting in a denial of service or the execution of arbitrary code. (CVE-2009-0846)
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 89114
    published 2016-03-03
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89114
    title VMware ESX Multiple Vulnerabilities (VMSA-2009-0008) (remote check)
  • NASL family VMware ESX Local Security Checks
    NASL id VMWARE_VMSA-2010-0016.NASL
    description a. Service Console OS update for COS kernel This patch updates the service console kernel to fix multiple security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2010-0415, CVE-2010-0307, CVE-2010-0291, CVE-2010-0622, CVE-2010-1087, CVE-2010-1437, and CVE-2010-1088 to these issues. b. Likewise package updates Updates to the likewisekrb5, likewiseopenldap, likewiseopen, and pamkrb5 packages address several security issues. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2009-0844, CVE-2009-0845, CVE-2009-0846, CVE-2009-4212, and CVE-2010-1321 to these issues.
    last seen 2019-02-21
    modified 2018-08-06
    plugin id 50611
    published 2010-11-16
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=50611
    title VMSA-2010-0016 : VMware ESXi and ESX third-party updates for Service Console and Likewise components
  • NASL family MacOS X Local Security Checks
    NASL id MACOSX_10_5_7.NASL
    description The remote host is running a version of Mac OS X 10.5.x that is prior to 10.5.7. Mac OS X 10.5.7 contains security fixes for the following products : - Apache - ATS - BIND - CFNetwork - CoreGraphics - Cscope - CUPS - Disk Images - enscript - Flash Player plug-in - Help Viewer - iChat - International Components for Unicode - IPSec - Kerberos - Kernel - Launch Services - libxml - Net-SNMP - Network Time - Networking - OpenSSL - PHP - QuickDraw Manager - ruby - Safari - Spotlight - system_cmds - telnet - Terminal - WebKit - X11
    last seen 2019-02-21
    modified 2018-07-14
    plugin id 38744
    published 2009-05-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38744
    title Mac OS X 10.5.x < 10.5.7 Multiple Vulnerabilities
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2009-0003.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : CVE-2009-0844 The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read. CVE-2009-0845 The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token. CVE-2009-0846 The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer. 
- update to revised patch for (CVE-2009-0844, CVE-2009-0845) - add fix for potential buffer read overrun in the SPNEGO GSSAPI mechanism (#490635, CVE-2009-0844) - add fix for NULL pointer dereference when handling certain error cases in the SPNEGO GSSAPI mechanism (#490635, CVE-2009-0845) - add fix for attempt to free uninitialized pointer in the ASN.1 decoder (#490635, CVE-2009-0846) - add fix for bug in length validation in the ASN.1 decoder (CVE-2009-0847) - add backport of svn patch to fix a bug in how the gssapi library handles certain error cases in gss_accept_sec_context (CVE-2009-0845, - add a backported patch which adds a check on credentials obtained from a foreign realm to make sure that they're of an acceptable type, and if not, retry to the request to get one of the right type (Sadique Puthen, - backport fix from 1.6.3 to register file-based ccaches created with the krb5_cc_new_unique function with the global list, so that we don't crash when we go to close the ccache (#468729)
    last seen 2019-02-21
    modified 2017-02-14
    plugin id 79452
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79452
    title OracleVM 2.1 : krb5 (OVMSA-2009-0003)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0409.NASL
    description Updated krb5 packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 36113
    published 2009-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36113
    title RHEL 4 : krb5 (RHSA-2009:0409)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-6140.NASL
    description Clients sending negotiation requests with invalid flags could crash the kerberos server. (CVE-2009-0845) GSS-API clients could crash when reading from an invalid address space. (CVE-2009-0844) Invalid length checks could crash applications using the kerberos ASN.1 parser. (CVE-2009-0847) Under certain circumstances the ASN.1 parser could free an uninitialized pointer which could crash a kerberos server or even lead to execution of arbitrary code. (CVE-2009-0846)
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 41542
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41542
    title SuSE 10 Security Update : Kerberos (ZYPP Patch Number 6140)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2009-098.NASL
    description Multiple vulnerabilities have been found and corrected in krb5 : The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read (CVE-2009-0844). The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token (CVE-2009-0845). The asn1_decode_generaltime function in lib/krb5/asn.1/asn1_decode.c in the ASN.1 GeneralizedTime decoder in MIT Kerberos 5 (aka krb5) before 1.6.4 allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via vectors involving an invalid DER encoding that triggers a free of an uninitialized pointer (CVE-2009-0846). The asn1buf_imbed function in the ASN.1 decoder in MIT Kerberos 5 (aka krb5) 1.6.3, when PK-INIT is used, allows remote attackers to cause a denial of service (application crash) via a crafted length value that triggers an erroneous malloc call, related to incorrect calculations with pointer arithmetic (CVE-2009-0847). The updated packages have been patched to correct these issues. Update : Packages for 2008.0 are provided for Corporate Desktop 2008.0 customers
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 38191
    published 2009-04-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=38191
    title Mandriva Linux Security Advisory : krb5 (MDVSA-2009:098-1)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DSA-1766.NASL
    description Several vulnerabilities have been found in the MIT reference implementation of Kerberos V5, a system for authenticating users and services on a network. The Common Vulnerabilities and Exposures project identified the following problems : - CVE-2009-0844 The Apple Product Security team discovered that the SPNEGO GSS-API mechanism suffers from a missing bounds check when reading a network input buffer which results in an invalid read crashing the application or possibly leaking information. - CVE-2009-0845 Under certain conditions the SPNEGO GSS-API mechanism references a NULL pointer which crashes the application using the library. - CVE-2009-0847 An incorrect length check inside the ASN.1 decoder of the MIT krb5 implementation allows an unauthenticated remote attacker to crash the kinit or KDC program. - CVE-2009-0846 Under certain conditions the ASN.1 decoder of the MIT krb5 implementation frees an uninitialized pointer which could lead to denial of service and possibly arbitrary code execution.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 36120
    published 2009-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36120
    title Debian DSA-1766-1 : krb5 - several vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0408.NASL
    description From Red Hat Security Advisory 2009:0408 : Updated krb5 packages that fix various security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). The Generic Security Service Application Program Interface (GSS-API) definition provides security services to callers (protocols) in a generic fashion. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is used by GSS-API peers to choose from a common set of security mechanisms. An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) Multiple input validation flaws were found in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism. A remote attacker could use these flaws to crash any network service utilizing the MIT Kerberos GSS-API library to authenticate users or, possibly, leak portions of the service's memory. (CVE-2009-0844, CVE-2009-0845) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 67836
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67836
    title Oracle Linux 5 : krb5 (ELSA-2009-0408)
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-200904-09.NASL
    description The remote host is affected by the vulnerability described in GLSA-200904-09 (MIT Kerberos 5: Multiple vulnerabilities) Multiple vulnerabilities have been reported in MIT Kerberos 5: A free() call on an uninitialized pointer in the ASN.1 decoder when decoding an invalid encoding (CVE-2009-0846). A buffer overread in the SPNEGO GSS-API application, reported by Apple Product Security (CVE-2009-0844). A NULL pointer dereference in the SPNEGO GSS-API application, reported by Richard Evans (CVE-2009-0845). An incorrect length check inside an ASN.1 decoder leading to spurious malloc() failures (CVE-2009-0847). Impact : A remote unauthenticated attacker could exploit the first vulnerability to cause a Denial of Service or, in unlikely circumstances, execute arbitrary code on the host running krb5kdc or kadmind with root privileges and compromise the Kerberos key database. Exploitation of the other vulnerabilities might lead to a Denial of Service in kadmind, krb5kdc, or other daemons performing authorization against Kerberos that utilize GSS-API or an information disclosure. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2016-11-11
    plugin id 36137
    published 2009-04-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36137
    title GLSA-200904-09 : MIT Kerberos 5: Multiple vulnerabilities
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0409.NASL
    description From Red Hat Security Advisory 2009:0409 : Updated krb5 packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 67837
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67837
    title Oracle Linux 4 : krb5 (ELSA-2009-0409)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KRB5-090406.NASL
    description Clients sending negotiation requests with invalid flags could crash the kerberos server. (CVE-2009-0845) GSS-API clients could crash when reading from an invalid address space. (CVE-2009-0844) Invalid length checks could crash applications using the kerberos ASN.1 parser. (CVE-2009-0847) Under certain circumstances the ASN.1 parser could free an uninitialized pointer which could crash a kerberos server or even lead to execution of arbitrary code. (CVE-2009-0846)
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 41415
    published 2009-09-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=41415
    title SuSE 11 Security Update : Kerberos (SAT Patch Number 738)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0408.NASL
    description Updated krb5 packages that fix various security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). The Generic Security Service Application Program Interface (GSS-API) definition provides security services to callers (protocols) in a generic fashion. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is used by GSS-API peers to choose from a common set of security mechanisms. An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) Multiple input validation flaws were found in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism. A remote attacker could use these flaws to crash any network service utilizing the MIT Kerberos GSS-API library to authenticate users or, possibly, leak portions of the service's memory. (CVE-2009-0844, CVE-2009-0845) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43739
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43739
    title CentOS 5 : krb5 (CESA-2009:0408)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0408.NASL
    description Updated krb5 packages that fix various security issues are now available for Red Hat Enterprise Linux 5. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). The Generic Security Service Application Program Interface (GSS-API) definition provides security services to callers (protocols) in a generic fashion. The Simple and Protected GSS-API Negotiation (SPNEGO) mechanism is used by GSS-API peers to choose from a common set of security mechanisms. An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) Multiple input validation flaws were found in the MIT Kerberos GSS-API library's implementation of the SPNEGO mechanism. A remote attacker could use these flaws to crash any network service utilizing the MIT Kerberos GSS-API library to authenticate users or, possibly, leak portions of the service's memory. (CVE-2009-0844, CVE-2009-0845) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 36112
    published 2009-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36112
    title RHEL 5 : krb5 (RHSA-2009:0408)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-755-1.NASL
    description Multiple flaws were discovered in the Kerberos GSS-API and ASN.1 routines that did not correctly handle certain requests. An unauthenticated remote attacker could send specially crafted traffic to crash services using the Kerberos library, leading to a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-28
    plugin id 37819
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=37819
    title Ubuntu 6.06 LTS / 7.10 / 8.04 LTS / 8.10 : krb5 vulnerabilities (USN-755-1)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_1_KRB5-090406.NASL
    description Clients sending negotiation requests with invalid flags could crash the kerberos server (CVE-2009-0845). GSS-API clients could crash when reading from an invalid address space (CVE-2009-0844). Invalid length checks could crash applications using the kerberos ASN.1 parser (CVE-2009-0847). Under certain circumstances the ASN.1 parser could free an uninitialized pointer which could crash a kerberos server or even lead to execution of arbitrary code (CVE-2009-0846).
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 40253
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40253
    title openSUSE Security Update : krb5 (krb5-740)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2009-0410.NASL
    description Updated krb5 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-27
    plugin id 36114
    published 2009-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36114
    title RHEL 2.1 / 3 : krb5 (RHSA-2009:0410)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-2852.NASL
    description This update incorporates patches to fix potential read overflow and NULL pointer dereferences in the implementation of the SPNEGO GSSAPI mechanism (CVE-2009-0844, CVE-2009-0845), attempts to free an uninitialized pointer during protocol parsing (CVE-2009-0846), and a bug in length validation during protocol parsing (CVE-2009-0847). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 36660
    published 2009-04-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36660
    title Fedora 10 : krb5-1.6.3-18.fc10 (2009-2852)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2009-2834.NASL
    description This update incorporates patches to fix potential read overflow and NULL pointer dereferences in the implementation of the SPNEGO GSSAPI mechanism (CVE-2009-0844, CVE-2009-0845), attempts to free an uninitialized pointer during protocol parsing (CVE-2009-0846), and a bug in length validation during protocol parsing (CVE-2009-0847). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2016-12-08
    plugin id 36108
    published 2009-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36108
    title Fedora 9 : krb5-1.6.3-16.fc9 (2009-2834)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0409.NASL
    description Updated krb5 packages that fix a security issue are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 43740
    published 2010-01-06
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=43740
    title CentOS 4 : krb5 (CESA-2009:0409)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_KRB5-6139.NASL
    description Clients sending negotiation requests with invalid flags could crash the kerberos server (CVE-2009-0845). GSS-API clients could crash when reading from an invalid address space (CVE-2009-0844). Invalid length checks could crash applications using the kerberos ASN.1 parser (CVE-2009-0847). Under certain circumstances the ASN.1 parser could free an uninitialized pointer which could crash a kerberos server or even lead to execution of arbitrary code (CVE-2009-0846).
    last seen 2019-02-21
    modified 2016-12-22
    plugin id 36122
    published 2009-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36122
    title openSUSE 10 Security Update : krb5 (krb5-6139)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2009-0410.NASL
    description Updated krb5 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 36107
    published 2009-04-08
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=36107
    title CentOS 3 : krb5 (CESA-2009:0410)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2009-0410.NASL
    description From Red Hat Security Advisory 2009:0410 : Updated krb5 packages that fix a security issue are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). An input validation flaw was found in the ASN.1 (Abstract Syntax Notation One) decoder used by MIT Kerberos. A remote attacker could use this flaw to crash a network service using the MIT Kerberos library, such as kadmind or krb5kdc, by causing it to dereference or free an uninitialized pointer or, possibly, execute arbitrary code with the privileges of the user running the service. (CVE-2009-0846) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. All running services using the MIT Kerberos libraries must be restarted for the update to take effect.
    last seen 2019-02-21
    modified 2016-12-07
    plugin id 67838
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=67838
    title Oracle Linux 3 : krb5 (ELSA-2009-0410)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_0_KRB5-090406.NASL
    description Clients sending negotiation requests with invalid flags could crash the kerberos server (CVE-2009-0845). GSS-API clients could crash when reading from an invalid address space (CVE-2009-0844). Invalid length checks could crash applications using the kerberos ASN.1 parser (CVE-2009-0847). Under certain circumstances the ASN.1 parser could free an uninitialized pointer which could crash a kerberos server or even lead to execution of arbitrary code (CVE-2009-0846).
    last seen 2019-02-21
    modified 2016-12-21
    plugin id 40017
    published 2009-07-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=40017
    title openSUSE Security Update : krb5 (krb5-740)
oval via4
  • accepted 2014-01-20T04:01:26.077-05:00
    class vulnerability
    contributors
    • name Michael Wood
      organization Hewlett-Packard
    • name J. Daniel Brown
      organization DTCC
    • name Chris Coffin
      organization The MITRE Corporation
    definition_extensions
    • comment VMWare ESX Server 3.0.3 is installed
      oval oval:org.mitre.oval:def:6026
    • comment VMware ESX Server 4.0 is installed
      oval oval:org.mitre.oval:def:6293
    • comment VMware ESX Server 3.5.0 is installed
      oval oval:org.mitre.oval:def:5887
    • comment VMWare ESX Server 3.0.2 is installed
      oval oval:org.mitre.oval:def:5613
    description The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.
    family unix
    id oval:org.mitre.oval:def:6339
    status accepted
    submitted 2009-09-23T15:39:02.000-04:00
    title MIT Kerberos SPNEGO and ASN.1 Multiple Remote Denial Of Service Vulnerabilities
    version 8
  • accepted 2013-04-29T04:19:39.503-04:00
    class vulnerability
    contributors
    • name Aharon Chernin
      organization SCAP.com, LLC
    • name Dragos Prisaca
      organization G2, Inc.
    definition_extensions
    • comment The operating system installed on the system is Red Hat Enterprise Linux 5
      oval oval:org.mitre.oval:def:11414
    • comment The operating system installed on the system is CentOS Linux 5.x
      oval oval:org.mitre.oval:def:15802
    • comment Oracle Linux 5.x
      oval oval:org.mitre.oval:def:15459
    description The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.
    family unix
    id oval:org.mitre.oval:def:9474
    status accepted
    submitted 2010-07-09T03:56:16-04:00
    title The get_input_token function in the SPNEGO implementation in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote attackers to cause a denial of service (daemon crash) and possibly obtain sensitive information via a crafted length value that triggers a buffer over-read.
    version 18
redhat via4
advisories
rhsa
id RHSA-2009:0408
rpms
  • krb5-devel-0:1.6.1-31.el5_3.3
  • krb5-libs-0:1.6.1-31.el5_3.3
  • krb5-server-0:1.6.1-31.el5_3.3
  • krb5-workstation-0:1.6.1-31.el5_3.3
refmap via4
apple APPLE-SA-2009-05-12
bid 34408
bugtraq
  • 20090407 MITKRB5-SA-2009-001: multiple vulnerabilities in SPNEGO, ASN.1 decoder [CVE-2009-0844 CVE-2009-0845 CVE-2009-0847]
  • 20090407 rPSA-2009-0058-1 krb5 krb5-server krb5-services krb5-test krb5-workstation
cert TA09-133A
cert-vn VU#662091
confirm
fedora
  • FEDORA-2009-2834
  • FEDORA-2009-2852
gentoo GLSA-200904-09
mandriva MDVSA-2009:098
misc
sectrack 1021867
secunia
  • 34594
  • 34617
  • 34622
  • 34628
  • 34630
  • 34637
  • 34640
  • 34734
  • 35074
sunalert 256728
ubuntu USN-755-1
vupen
  • ADV-2009-0960
  • ADV-2009-0976
  • ADV-2009-1057
  • ADV-2009-1106
  • ADV-2009-1297
  • ADV-2009-2248
Last major update 21-08-2010 - 01:31
Published 08-04-2009 - 20:30
Last modified 10-10-2018 - 15:31