ID CVE-2011-0282
Summary The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.6.x through 1.9, when an LDAP backend is used, allows remote attackers to cause a denial of service (NULL pointer dereference or buffer over-read, and daemon crash) via a crafted principal name.
References
Vulnerable Configurations
  • MIT Kerberos 5 1.6
    cpe:2.3:a:mit:kerberos:5-1.6
  • MIT Kerberos 5 1.6.1
    cpe:2.3:a:mit:kerberos:5-1.6.1
  • MIT Kerberos 5 1.6.2
    cpe:2.3:a:mit:kerberos:5-1.6.2
  • MIT Kerberos 5 1.6.3
    cpe:2.3:a:mit:kerberos:5-1.6.3
  • MIT Kerberos 5 1.7
    cpe:2.3:a:mit:kerberos:5-1.7
  • MIT Kerberos 5 1.7.1
    cpe:2.3:a:mit:kerberos:5-1.7.1
  • MIT Kerberos 5 1.8
    cpe:2.3:a:mit:kerberos:5-1.8
  • MIT Kerberos 5 1.8.1
    cpe:2.3:a:mit:kerberos:5-1.8.1
  • MIT Kerberos 5 1.8.2
    cpe:2.3:a:mit:kerberos:5-1.8.2
  • MIT Kerberos 5 1.8.3
    cpe:2.3:a:mit:kerberos:5-1.8.3
  • MIT Kerberos 5 1.9
    cpe:2.3:a:mit:kerberos:5-1.9
CVSS
Base: 5.0 (as of 10-02-2011 - 18:05)
Impact:
Exploitability:
Access
Vector: NETWORK
Complexity: LOW
Authentication: NONE
Impact
Confidentiality: NONE
Integrity: NONE
Availability: PARTIAL
nessus via4
  • NASL family Gentoo Local Security Checks
    NASL id GENTOO_GLSA-201201-13.NASL
    description The remote host is affected by the vulnerability described in GLSA-201201-13 (MIT Kerberos 5: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to execute arbitrary code with the privileges of the administration daemon or the Key Distribution Center (KDC) daemon, cause a Denial of Service condition, or possibly obtain sensitive information. Furthermore, a remote attacker may be able to spoof Kerberos authorization, modify KDC responses, forge user data messages, forge tokens, forge signatures, impersonate a client, modify user-visible prompt text, or have other unspecified impact. Workaround : There is no known workaround at this time.
    last seen 2019-02-21
    modified 2018-07-11
    plugin id 57655
    published 2012-01-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=57655
    title GLSA-201201-13 : MIT Kerberos 5: Multiple vulnerabilities
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-1210.NASL
    description This update incorporates fixes from upstream advisories MITKRB5-SA-2011-001 (standalone kpropd exits if a per-client child exits with an error) and MITKRB5-SA-2011-002 (uninitialized pointer crash in the KDC, hang or crash in the KDC with the LDAP backend). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 52017
    published 2011-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=52017
    title Fedora 13 : krb5-1.7.1-17.fc13 (2011-1210)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_4AB413EA66CE11E0BF05D445F3AA24F0.NASL
    description An advisory published by the MIT Kerberos team says : The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks from unauthenticated remote attackers. CVE-2011-0281 and CVE-2011-0282 occur only in KDCs using LDAP back ends, but CVE-2011-0283 occurs in all krb5-1.9 KDCs. Exploit code is not known to exist, but the vulnerabilities are easy to trigger manually. The trigger for CVE-2011-0281 has already been disclosed publicly, but that fact might not be obvious to casual readers of the message in which it was disclosed. The triggers for CVE-2011-0282 and CVE-2011-0283 have not yet been disclosed publicly, but they are also trivial. CVE-2011-0281: An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to become completely unresponsive until restarted. CVE-2011-0282: An unauthenticated remote attacker can cause a KDC configured with an LDAP back end to crash with a NULL pointer dereference. CVE-2011-0283: An unauthenticated remote attacker can cause a krb5-1.9 KDC with any back end to crash with a NULL pointer dereference.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53440
    published 2011-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53440
    title FreeBSD : krb5 -- MITKRB5-SA-2011-002, KDC vulnerable to hang when using LDAP back end (4ab413ea-66ce-11e0-bf05-d445f3aa24f0)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2011-0015.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix for (CVE-2011-4862) - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#712453) - rebuild - ftp: handle larger command inputs (#665833) - don't bail halfway through an unlock operation when the result will be discarded and the end-result not cleaned up (Martin Osvald, #586032) - add a versioned dependency between krb5-server-ldap and krb5-libs (internal tooling) - don't discard the error code from an error message received in response to a change-password request (#658871, RT#6893) - ftpd: add patch from Jatin Nansi to correctly match restrict lines in /etc/ftpusers (#644215, RT#6889) - ftp: add modified patch from Rogan Kyuseok Lee to report the number of bytes transferred correctly when transferring large files on 32-bit systems (#648404) - backport fix for RT#6514: memory leak freeing rcache type none (#678205) - add upstream patch to fix hang or crash in the KDC when using the LDAP kdb backend (CVE-2011-0281, CVE-2011-0282, #671097) - incorporate upstream patch for checksum acceptance issues from MITKRB5-SA-2010-007 (CVE-2010-1323, #652308) - backport a fix to the previous change (#539423) - backport the k5login_directory and k5login_authoritative settings (#539423) - krshd: don't limit user names to 16 chars when utmp can handle names at least a bit longer than that (#611713) - fix a logic bug in computing key expiration times (RT#6762, #627038) - correct the post-rotate scriptlet in the kadmind logrotate config (more of #462658) - ftpd: backport changes to modify behavior to match telnetd, rshd, rlogind and accept GSSAPI auth to any service for which we have a matching key (#538075) - pull in fix for RT#5551 to treat the referral realm when seen in a ticket as though it were the local realm (#498554, also very likely #450122) - add aes256-cts:normal and aes128-cts:normal to the list of keysalts in the default kdc.conf (part of #565941) - add a note to kdc.conf(5) pointing to the admin guide for the list of recognized key and salt types (the rest of #565941) - add logrotate configuration files for krb5kdc and kadmind (#462658) - libgssapi: backport patch from svn to stop returning context-expired errors when the ticket which was used to set up the context expires (#605367, upstream #6739) - enable building the -server-ldap subpackage (#514362) - stop caring about the endianness of stash files (#514741), which will be replaced by proper keytab files in later releases - don't crash in krb5_get_init_creds_password if the passed-in options struct is NULL and the client's keys have expired (#555875) - ksu: perform PAM account and session management before dropping privileges to those of the target user (#540769 and #596887, respectively) - add candidate patch to correct libgssapi null pointer dereference which could be triggered by malformed client requests (CVE-2010-1321, #583704) - fix a null pointer dereference and crash introduced in our PAM patch that would happen if ftpd was given the name of a user who wasn't known to the local system, limited to being triggerable by gssapi-authenticated clients by the default xinetd config (Olivier Fourdan, #569472) - add upstream patch to fix a few use-after-free bugs, including one in kadmind (CVE-2010-0629, #578186) - merge patch to correct KDC integer overflows which could be triggered by malformed RC4 and AES ciphertexts (CVE-2009-4212, #546348) - pull changes to libkrb5 to properly handle and chase off-path referrals back from 1.7 (#546538) - add an auth stack to ksu's PAM configuration so that it can successfully pam_setcred - also set PAM_RUSER in ksu for completeness (#479071+#477033) - fix various typos, except for bits pertaining to licensing (#499190) - kdb5_util: when renaming a database, if the new name's associated lock files don't exist, go ahead and create them (#442879) - ksu: perform PAM account and session management for the target user; authentication is still performed as before (#477033) - fix typo in ksu's reporting of errors getting credentials (#462890) - kadmind.init: stop setting up a keytab, as kadmind's been able to use the database directly for a while now (#473151) - pull up patch to set PAM_RHOST (James Leddy, #479071)
    last seen 2019-02-21
    modified 2018-11-05
    plugin id 79475
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79475
    title OracleVM 2.2 : krb5 (OVMSA-2011-0015)
  • NASL family Misc.
    NASL id VMWARE_VMSA-2011-0012_REMOTE.NASL
    description The remote VMware ESX / ESXi host is missing a security-related patch. It is, therefore, affected by multiple vulnerabilities in several third-party components and libraries : - Kernel - krb5 - glibc - mtp2sas - mptsas - mptspi
    last seen 2019-02-21
    modified 2018-08-16
    plugin id 89680
    published 2016-03-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=89680
    title VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0012) (remote check)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-025.NASL
    description Multiple vulnerabilities were discovered and corrected in krb5 : The MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial-of-service attack triggered by invalid network input. If a kpropd worker process receives invalid input that causes it to exit with an abnormal status, it can cause the termination of the listening process that spawned it, preventing the slave KDC it was running on from receiving database updates from the master KDC (CVE-2010-4022). The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks from unauthenticated remote attackers (CVE-2011-0281, CVE-2011-0282). The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 51932
    published 2011-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51932
    title Mandriva Linux Security Advisory : krb5 (MDVSA-2011:025)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0199.NASL
    description From Red Hat Security Advisory 2011:0199 : Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed principal names that were not null terminated, when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to crash the KDC via a specially crafted request. (CVE-2011-0282) A denial of service flaw was found in the way the MIT Kerberos KDC processed certain principal names when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to cause the KDC to hang via a specially crafted request. (CVE-2011-0281) Red Hat would like to thank the MIT Kerberos Team for reporting these issues. Upstream acknowledges Kevin Longfellow of Oracle Corporation as the original reporter of the CVE-2011-0281 issue. All krb5 users should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68195
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68195
    title Oracle Linux 5 : krb5 (ELSA-2011-0199)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-1062-1.NASL
    description Keiichi Mori discovered that the MIT krb5 KDC database propagation daemon (kpropd) is vulnerable to a denial of service attack due to improper logic when a worker child process exited because of invalid network input. This could only occur when kpropd is running in standalone mode; kpropd was not affected when running in incremental propagation mode ('iprop') or as an inetd server. This issue only affects Ubuntu 9.10, Ubuntu 10.04 LTS, and Ubuntu 10.10. (CVE-2010-4022) Kevin Longfellow and others discovered that the MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks when using an LDAP back end due to improper handling of network input. (CVE-2011-0281, CVE-2011-0282). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 51985
    published 2011-02-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51985
    title Ubuntu 8.04 LTS / 9.10 / 10.04 LTS / 10.10 : krb5 vulnerabilities (USN-1062-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2011-024.NASL
    description Multiple vulnerabilities were discovered and corrected in krb5 : The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable to denial of service attacks from unauthenticated remote attackers (CVE-2011-0281, CVE-2011-0282). Packages for 2009.0 are provided as of the Extended Maintenance Program. Please visit this link to learn more: http://store.mandriva.com/product_info.php?cPath=149 products_id=490 The updated packages have been patched to correct this issue.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 51931
    published 2011-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51931
    title Mandriva Linux Security Advisory : krb5 (MDVSA-2011:024)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KRB5-110120.NASL
    description Multiple KDC DoS vulnerabilities if used with LDAP backends have been fixed in krb5. CVE-2011-0281 / CVE-2011-0282 have been assigned.
    last seen 2019-02-21
    modified 2013-10-25
    plugin id 51934
    published 2011-02-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51934
    title SuSE 11.1 Security Update : krb5 (SAT Patch Number 3839)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_3_KRB5-110209.NASL
    description Multiple KDC DoS vulnerabilities if used with LDAP backends have been fixed in krb5. CVE-2011-0281 and CVE-2011-0282 have been assigned. Additionally a DoS vulnerability in kpropd has been fixed. CVE-2010-4022 has been assigned to this issue.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 75560
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=75560
    title openSUSE Security Update : krb5 (openSUSE-SU-2011:0111-1)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2011-0199.NASL
    description Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed principal names that were not null terminated, when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to crash the KDC via a specially crafted request. (CVE-2011-0282) A denial of service flaw was found in the way the MIT Kerberos KDC processed certain principal names when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to cause the KDC to hang via a specially crafted request. (CVE-2011-0281) Red Hat would like to thank the MIT Kerberos Team for reporting these issues. Upstream acknowledges Kevin Longfellow of Oracle Corporation as the original reporter of the CVE-2011-0281 issue. All krb5 users should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 53418
    published 2011-04-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=53418
    title CentOS 5 : krb5 (CESA-2011:0199)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20110208_KRB5_ON_SL5_X.NASL
    description A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed principal names that were not null terminated, when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to crash the KDC via a specially crafted request. (CVE-2011-0282) A denial of service flaw was found in the way the MIT Kerberos KDC processed certain principal names when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to cause the KDC to hang via a specially crafted request. (CVE-2011-0281) After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 60952
    published 2012-08-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=60952
    title Scientific Linux Security Update : krb5 on SL5.x i386/x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2011-0200.NASL
    description Updated krb5 packages that fix three security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed principal names that were not null terminated, when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to crash the KDC via a specially crafted request. (CVE-2011-0282) A denial of service flaw was found in the way the MIT Kerberos KDC processed certain principal names when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to cause the KDC to hang via a specially crafted request. (CVE-2011-0281) A denial of service flaw was found in the way the MIT Kerberos V5 slave KDC update server (kpropd) processed certain update requests for KDC database propagation. A remote attacker could use this flaw to terminate the kpropd daemon via a specially crafted update request. (CVE-2010-4022) Red Hat would like to thank the MIT Kerberos Team for reporting the CVE-2011-0282 and CVE-2011-0281 issues. Upstream acknowledges Kevin Longfellow of Oracle Corporation as the original reporter of the CVE-2011-0281 issue. All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 51918
    published 2011-02-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=51918
    title RHEL 6 : krb5 (RHSA-2011:0200)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2011-1225.NASL
    description This update incorporates fixes from upstream advisories MITKRB5-SA-2011-001 (standalone kpropd exits if a per-client child exits with an error) and MITKRB5-SA-2011-002 (uninitialized pointer crash in the KDC, hang or crash in the KDC with the LDAP backend). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-12
    plugin id 52019
    published 2011-02-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=52019
    title Fedora 14 : krb5-1.8.2-8.fc14 (2011-1225)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2011-0200.NASL
    description