ID CVE-2013-1415
Summary The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.
References
Vulnerable Configurations
  • MIT Kerberos 5 1.10.3
    cpe:2.3:a:mit:kerberos:5-1.10.3
  • MIT Kerberos 5 1.10.2
    cpe:2.3:a:mit:kerberos:5-1.10.2
  • MIT Kerberos 5 1.10.1
    cpe:2.3:a:mit:kerberos:5-1.10.1
  • MIT Kerberos 5 1.10
    cpe:2.3:a:mit:kerberos:5-1.10
  • MIT Kerberos 5 1.11
    cpe:2.3:a:mit:kerberos:5-1.11
CVSS
Base: 7.1 (as of 05-03-2013 - 14:06)
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: NONE
Availability Impact: COMPLETE
nessus via4
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_F54584BC7D2B11E29BD1206A8A720317.NASL
    description No advisory has been released yet. Fix a NULL pointer dereference in the KDC PKINIT code [CVE-2013-1415].
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 64860
    published 2013-02-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=64860
    title FreeBSD : krb5 -- NULL pointer dereference in the KDC PKINIT code [CVE-2013-1415] (f54584bc-7d2b-11e2-9bd1-206a8a720317)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_11_KRB5-130306.NASL
    description This update for Kerberos 5 fixes one security issue : The KDC plugin for PKINIT can dereference a NULL pointer when processing malformed packets, leading to a crash of the KDC process. (bnc#806715, CVE-2013-1415) Additionally, it improves compatibility with processes that handle large numbers of open files. (bnc#787272)
    last seen 2019-02-21
    modified 2014-08-20
    plugin id 65717
    published 2013-03-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65717
    title SuSE 11.2 Security Update : Kerberos 5 (SAT Patch Number 7446)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2310-1.NASL
    description It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1016) It was discovered that Kerberos incorrectly handled certain malformed KRB5_PADATA_PK_AS_REQ AS-REQ requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1415) It was discovered that Kerberos incorrectly handled certain crafted TGS-REQ requests. A remote authenticated attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1416) It was discovered that Kerberos incorrectly handled certain crafted requests when multiple realms were configured. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1418, CVE-2013-6800) It was discovered that Kerberos incorrectly handled certain invalid tokens. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4341, CVE-2014-4342) It was discovered that Kerberos incorrectly handled certain mechanisms when used with SPNEGO. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause clients to crash, resulting in a denial of service. (CVE-2014-4343) It was discovered that Kerberos incorrectly handled certain continuation tokens during SPNEGO negotiations. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4344) Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon incorrectly handled buffers when used with the LDAP backend. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-4345). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 77147
    published 2014-08-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=77147
    title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : krb5 vulnerabilities (USN-2310-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-3116.NASL
    description This update incorporates the upstream fix for possible NULL pointer dereferences which could occur if a client sent a malformed PKINIT request to a KDC (CVE-2013-1415), or if a client sent a draft9 PKINIT request to a KDC (CVE-2012-1016). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 65589
    published 2013-03-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65589
    title Fedora 17 : krb5-1.10.2-9.fc17 (2013-3116)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2014-0034.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - actually apply that last patch - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345, #1128157) - ksu: when evaluating .k5users, don't throw away data from .k5users when we're not passed a command to run, which implicitly means we're attempting to run the target user's shell (#1026721, revised) - ksu: when evaluating .k5users, treat lines with just a principal name as if they contained the principal name followed by '*', and don't throw away data from .k5users when we're not passed a command to run, which implicitly means we're attempting to run the target user's shell (#1026721, revised) - gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344, #1121510) - gssapi: pull in proposed-and-accepted fix for a double free in initiators (David Woodhouse, CVE-2014-4343, #1121510) - correct a type mistake in the backported fix for (CVE-2013-1418, CVE-2013-6800) - pull in backported fix for denial of service by injection of malformed GSSAPI tokens (CVE-2014-4341, CVE-2014-4342, #1121510) - incorporate backported patch for remote crash of KDCs which serve multiple realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800, more of - pull in backport of patch to not subsequently always require that responses come from master KDCs if we get one from a master somewhere along the way while chasing referrals (RT#7650, #1113652) - ksu: if the -e flag isn't used, use the target user's shell when checking for authorization via the target user's .k5users file (#1026721) - define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that it's declared (#1059730) - spnego: pull in patch from master to restore preserving the OID of the mechanism the initiator requested when we have multiple OIDs for the same mechanism, so that we reply using the same mechanism OID and the initiator doesn't get confused (#1087068, RT#7858) - add patch from Jatin Nansi to avoid attempting to clear memory at the NULL address if krb5_encrypt_helper returns an error when called from encrypt_credencpart (#1055329, pull #158) - drop patch to add additional access checks to ksu - they shouldn't be resulting in any benefit - apply patch from Nikolai Kondrashov to pass a default realm set in /etc/sysconfig/krb5kdc to the kdb_check_weak helper, so that it doesn't produce an error if there isn't one set in krb5.conf (#1009389) - packaging: don't Obsoletes: older versions of krb5-pkinit-openssl and virtual Provide: krb5-pkinit-openssl on EL6, where we don't need to bother with any of that (#1001961) - pkinit: backport tweaks to avoid trying to call the prompter callback when one isn't set (part of #965721) - pkinit: backport the ability to use a prompter callback to prompt for a password when reading private keys (the rest of #965721) - backport fix to not spin on a short read when reading the length of a response over TCP (RT#7508, #922884) - backport fix for trying all compatible keys when not being strict about acceptor names while reading AP-REQs (RT#7883, #1070244) - backport fix for not being able to verify the list of transited realms in GSS acceptors (RT#7639, #959685) - pull fix for keeping track of the message type when parsing FAST requests in the KDC (RT#7605, #951965) - incorporate upstream patch to fix a NULL pointer dereference while processing certain TGS requests (CVE-2013-1416, #950343) - incorporate upstream patch to fix a NULL pointer dereference when the client supplies an otherwise-normal-looking PKINIT request (CVE-2013-1415, #917910) - add patch to avoid dereferencing a NULL pointer in the KDC when handling a draft9 PKINIT request (#917910, CVE-2012-1016) - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443, - don't leak the memory used to hold the previous entry when walking a keytab to figure out which kinds of keys we have (#911147)
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 79549
    published 2014-11-26
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=79549
    title OracleVM 3.3 : krb5 (OVMSA-2014-0034)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20130318_KRB5_ON_SL6_X.NASL
    description When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415) When a client attempts to use PKINIT to obtain credentials from the KDC, the client will typically format its request to conform to the specification published in RFC 4556. For interoperability reasons, clients and servers also provide support for an older, draft version of that specification. If a client formatted its request to conform to this older version of the specification, with a non-default key agreement option, it could cause the KDC to attempt to dereference a NULL pointer and crash. (CVE-2012-1016) After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-12-31
    plugin id 65606
    published 2013-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65606
    title Scientific Linux Security Update : krb5 on SL6.x i386/x86_64
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2013-0656.NASL
    description From Red Hat Security Advisory 2013:0656 : Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415) When a client attempts to use PKINIT to obtain credentials from the KDC, the client will typically format its request to conform to the specification published in RFC 4556. For interoperability reasons, clients and servers also provide support for an older, draft version of that specification. If a client formatted its request to conform to this older version of the specification, with a non-default key agreement option, it could cause the KDC to attempt to dereference a NULL pointer and crash. (CVE-2012-1016) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 68792
    published 2013-07-12
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=68792
    title Oracle Linux 6 : krb5 (ELSA-2013-0656)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2013-042.NASL
    description Multiple vulnerabilities have been discovered and corrected in krb5 : Fix a kadmind denial of service issue (NULL pointer dereference), which could only be triggered by an administrator with the create privilege (CVE-2012-1013). The MIT krb5 KDC (Key Distribution Center) daemon can free an uninitialized pointer while processing an unusual AS-REQ, corrupting the process heap and possibly causing the daemon to abnormally terminate. An attacker could use this vulnerability to execute malicious code, but exploiting frees of uninitialized pointers to execute code is believed to be difficult. It is possible that a legitimate client that is misconfigured in an unusual way could trigger this vulnerability (CVE-2012-1015). It was reported that the KDC plugin for PKINIT could dereference a NULL pointer when a malformed packet caused processing to terminate early, which led to a crash of the KDC process. An attacker would require a valid PKINIT certificate or have observed a successful PKINIT authentication to execute a successful attack. In addition, an unauthenticated attacker could execute the attack if anonymous PKINIT was enabled (CVE-2013-1415). The updated packages have been patched to correct these issues.
    last seen 2019-02-21
    modified 2019-01-02
    plugin id 66056
    published 2013-04-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=66056
    title Mandriva Linux Security Advisory : krb5 (MDVSA-2013:042)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2013-3147.NASL
    description This update incorporates the upstream fix for possible NULL pointer dereferences which could occur if a client sent a malformed PKINIT request to a KDC (CVE-2013-1415), or if a client sent a draft9 PKINIT request to a KDC (CVE-2012-1016). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-05
    plugin id 65657
    published 2013-03-23
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65657
    title Fedora 18 : krb5-1.10.3-14.fc18 (2013-3147)
  • NASL family Solaris Local Security Checks
    NASL id SOLARIS11_KERBEROS_20130924.NASL
    description The remote Solaris system is missing necessary patches to address security updates : - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443) - The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request. (CVE-2012-1016) - The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request. (CVE-2013-1415)
    last seen 2019-02-21
    modified 2018-11-15
    plugin id 80652
    published 2015-01-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=80652
    title Oracle Solaris Third-Party Patch Update : kerberos (cve_2002_2443_denial_of)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2013-0656.NASL
    description Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415) When a client attempts to use PKINIT to obtain credentials from the KDC, the client will typically format its request to conform to the specification published in RFC 4556. For interoperability reasons, clients and servers also provide support for an older, draft version of that specification. If a client formatted its request to conform to this older version of the specification, with a non-default key agreement option, it could cause the KDC to attempt to dereference a NULL pointer and crash. (CVE-2012-1016) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 65618
    published 2013-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65618
    title CentOS 6 : krb5 (CESA-2013:0656)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2013-0656.NASL
    description Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415) When a client attempts to use PKINIT to obtain credentials from the KDC, the client will typically format its request to conform to the specification published in RFC 4556. For interoperability reasons, clients and servers also provide support for an older, draft version of that specification. If a client formatted its request to conform to this older version of the specification, with a non-default key agreement option, it could cause the KDC to attempt to dereference a NULL pointer and crash. (CVE-2012-1016) All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen 2019-02-21
    modified 2018-11-26
    plugin id 65605
    published 2013-03-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=65605
    title RHEL 6 : krb5 (RHSA-2013:0656)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2013-224.NASL
    description krb5 was updated to fix security issues in PKINIT : - fix PKINIT NULL pointer deref in pkinit_check_kdc_pkid() (CVE-2012-1016 bnc#807556) - fix PKINIT NULL pointer deref (CVE-2013-1415 bnc#806715) Also package a missing file on 12.3 (bnc#794784).
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 74931
    published 2014-06-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=74931
    title openSUSE Security Update : krb5 (openSUSE-SU-2013:0498-1)
redhat via4
advisories
bugzilla
id 917840
title CVE-2012-1016 krb5: PKINIT null pointer deref leads to DoS
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 6 Client is installed
      oval oval:com.redhat.rhba:tst:20111656001
    • comment Red Hat Enterprise Linux 6 Server is installed
      oval oval:com.redhat.rhba:tst:20111656002
    • comment Red Hat Enterprise Linux 6 Workstation is installed
      oval oval:com.redhat.rhba:tst:20111656003
    • comment Red Hat Enterprise Linux 6 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20111656004
  • OR
    • AND
      • comment krb5-devel is earlier than 0:1.10.3-10.el6_4.1
        oval oval:com.redhat.rhsa:tst:20130656009
      • comment krb5-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863012
    • AND
      • comment krb5-libs is earlier than 0:1.10.3-10.el6_4.1
        oval oval:com.redhat.rhsa:tst:20130656013
      • comment krb5-libs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863016
    • AND
      • comment krb5-pkinit-openssl is earlier than 0:1.10.3-10.el6_4.1
        oval oval:com.redhat.rhsa:tst:20130656015
      • comment krb5-pkinit-openssl is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863008
    • AND
      • comment krb5-server is earlier than 0:1.10.3-10.el6_4.1
        oval oval:com.redhat.rhsa:tst:20130656011
      • comment krb5-server is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863010
    • AND
      • comment krb5-server-ldap is earlier than 0:1.10.3-10.el6_4.1
        oval oval:com.redhat.rhsa:tst:20130656005
      • comment krb5-server-ldap is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863006
    • AND
      • comment krb5-workstation is earlier than 0:1.10.3-10.el6_4.1
        oval oval:com.redhat.rhsa:tst:20130656007
      • comment krb5-workstation is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863014
rhsa
id RHSA-2013:0656
released 2013-03-18
severity Moderate
title RHSA-2013:0656: krb5 security update (Moderate)
rpms
  • krb5-devel-0:1.10.3-10.el6_4.1
  • krb5-libs-0:1.10.3-10.el6_4.1
  • krb5-pkinit-openssl-0:1.10.3-10.el6_4.1
  • krb5-server-0:1.10.3-10.el6_4.1
  • krb5-server-ldap-0:1.10.3-10.el6_4.1
  • krb5-workstation-0:1.10.3-10.el6_4.1
refmap via4
confirm
mandriva MDVSA-2013:157
secunia 55040
suse openSUSE-SU-2013:0523
Last major update 10-10-2013 - 23:50
Published 05-03-2013 - 00:05