ID CVE-2014-5355
Summary MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c.
References
Vulnerable Configurations
  • MIT Kerberos 5 5.0_1.1
    cpe:2.3:a:mit:kerberos:5-1.1
  • MIT Kerberos 5 1.2
    cpe:2.3:a:mit:kerberos:5-1.2
  • MIT Kerberos 5 1.2.1
    cpe:2.3:a:mit:kerberos:5-1.2.1
  • MIT Kerberos 5 1.2.2
    cpe:2.3:a:mit:kerberos:5-1.2.2
  • MIT Kerberos 5 1.2.3
    cpe:2.3:a:mit:kerberos:5-1.2.3
  • MIT Kerberos 5 1.2.4
    cpe:2.3:a:mit:kerberos:5-1.2.4
  • MIT Kerberos 5 1.2.5
    cpe:2.3:a:mit:kerberos:5-1.2.5
  • MIT Kerberos 5 1.2.6
    cpe:2.3:a:mit:kerberos:5-1.2.6
  • MIT Kerberos 5 1.2.7
    cpe:2.3:a:mit:kerberos:5-1.2.7
  • MIT Kerberos 5 1.2.8
    cpe:2.3:a:mit:kerberos:5-1.2.8
  • MIT Kerberos 5 1.3
    cpe:2.3:a:mit:kerberos:5-1.3
  • MIT Kerberos 5 1.3 alpha1
    cpe:2.3:a:mit:kerberos:5-1.3:alpha1
  • MIT Kerberos 5 1.3.1
    cpe:2.3:a:mit:kerberos:5-1.3.1
  • MIT Kerberos 5 1.3.2
    cpe:2.3:a:mit:kerberos:5-1.3.2
  • MIT Kerberos 5 1.3.3
    cpe:2.3:a:mit:kerberos:5-1.3.3
  • MIT Kerberos 5 1.3.4
    cpe:2.3:a:mit:kerberos:5-1.3.4
  • MIT Kerberos 5 1.3.5
    cpe:2.3:a:mit:kerberos:5-1.3.5
  • MIT Kerberos 5 1.3.6
    cpe:2.3:a:mit:kerberos:5-1.3.6
  • MIT Kerberos 5 1.4
    cpe:2.3:a:mit:kerberos:5-1.4
  • MIT Kerberos 5 1.4.1
    cpe:2.3:a:mit:kerberos:5-1.4.1
  • MIT Kerberos 5 1.4.2
    cpe:2.3:a:mit:kerberos:5-1.4.2
  • MIT Kerberos 5 1.4.3
    cpe:2.3:a:mit:kerberos:5-1.4.3
  • MIT Kerberos 5 1.4.4
    cpe:2.3:a:mit:kerberos:5-1.4.4
  • MIT Kerberos 5 1.5
    cpe:2.3:a:mit:kerberos:5-1.5
  • MIT Kerberos 5 1.5.1
    cpe:2.3:a:mit:kerberos:5-1.5.1
  • MIT Kerberos 5 1.5.2
    cpe:2.3:a:mit:kerberos:5-1.5.2
  • MIT Kerberos 5 1.5.3
    cpe:2.3:a:mit:kerberos:5-1.5.3
  • MIT Kerberos 5 1.6
    cpe:2.3:a:mit:kerberos:5-1.6
  • MIT Kerberos 5 1.6.1
    cpe:2.3:a:mit:kerberos:5-1.6.1
  • MIT Kerberos 5 1.6.2
    cpe:2.3:a:mit:kerberos:5-1.6.2
  • MIT Kerberos 5 1.7
    cpe:2.3:a:mit:kerberos:5-1.7
  • MIT Kerberos 5 1.7.1
    cpe:2.3:a:mit:kerberos:5-1.7.1
  • MIT Kerberos 5 1.8
    cpe:2.3:a:mit:kerberos:5-1.8
  • MIT Kerberos 5 1.8.1
    cpe:2.3:a:mit:kerberos:5-1.8.1
  • MIT Kerberos 5 1.8.2
    cpe:2.3:a:mit:kerberos:5-1.8.2
  • MIT Kerberos 5 1.8.3
    cpe:2.3:a:mit:kerberos:5-1.8.3
  • MIT Kerberos 5 1.8.4
    cpe:2.3:a:mit:kerberos:5-1.8.4
  • MIT Kerberos 5 1.8.5
    cpe:2.3:a:mit:kerberos:5-1.8.5
  • MIT Kerberos 5 1.8.6
    cpe:2.3:a:mit:kerberos:5-1.8.6
  • MIT Kerberos 5 1.9
    cpe:2.3:a:mit:kerberos:5-1.9
  • MIT Kerberos 5 1.9.1
    cpe:2.3:a:mit:kerberos:5-1.9.1
  • MIT Kerberos 5 1.9.2
    cpe:2.3:a:mit:kerberos:5-1.9.2
  • MIT Kerberos 5 1.9.3
    cpe:2.3:a:mit:kerberos:5-1.9.3
  • MIT Kerberos 5 1.9.4
    cpe:2.3:a:mit:kerberos:5-1.9.4
  • MIT Kerberos 5 1.10
    cpe:2.3:a:mit:kerberos:5-1.10
  • MIT Kerberos 5 1.10.1
    cpe:2.3:a:mit:kerberos:5-1.10.1
  • MIT Kerberos 5 1.10.2
    cpe:2.3:a:mit:kerberos:5-1.10.2
  • MIT Kerberos 5 1.10.3
    cpe:2.3:a:mit:kerberos:5-1.10.3
  • MIT Kerberos 5 1.10.4
    cpe:2.3:a:mit:kerberos:5-1.10.4
  • MIT Kerberos 5 1.11
    cpe:2.3:a:mit:kerberos:5-1.11
  • MIT Kerberos 5 1.11.1
    cpe:2.3:a:mit:kerberos:5-1.11.1
  • MIT Kerberos 5 1.11.2
    cpe:2.3:a:mit:kerberos:5-1.11.2
  • MIT Kerberos 5 1.11.3
    cpe:2.3:a:mit:kerberos:5-1.11.3
  • MIT Kerberos 5 1.11.4
    cpe:2.3:a:mit:kerberos:5-1.11.4
  • MIT Kerberos 5 1.11.5
    cpe:2.3:a:mit:kerberos:5-1.11.5
  • MIT Kerberos 5 1.12
    cpe:2.3:a:mit:kerberos:5-1.12
  • MIT Kerberos 5 1.12.1
    cpe:2.3:a:mit:kerberos:5-1.12.1
  • MIT Kerberos 5 1.12.2
    cpe:2.3:a:mit:kerberos:5-1.12.2
  • MIT Kerberos 5 1.13
    cpe:2.3:a:mit:kerberos:5-1.13
  • MIT Kerberos 5 1.13.1
    cpe:2.3:a:mit:kerberos:5-1.13.1
CVSS
Base: 5.0 (as of 24-11-2015 - 12:27)
Impact:
Exploitability:
Access
  Vector: NETWORK
  Complexity: LOW
  Authentication: NONE
Impact
  Confidentiality: NONE
  Integrity: NONE
  Availability: PARTIAL
nessus via4
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2016-0039.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix (CVE-2015-8629, CVE-2015-8631) - Also fix a spec trigger issue that prevents building - Resolves: #1306973
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 90138
    published 2016-03-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90138
    title OracleVM 3.3 / 3.4 : krb5 (OVMSA-2016-0039)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2015-246.NASL
    description krb5 was updated to fix three security issues. Remote authenticated users could cause denial of service. On openSUSE 13.1 and 13.2 krb5 was updated to fix the following vulnerabilities : - bnc#910457: CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name - bnc#918595: CVE-2014-5355: krb5: denial of service in krb5_read_message On openSUSE 13.1 krb5 was updated to fix the following vulnerability : - bnc#910458: CVE-2014-5354: NULL pointer dereference when using keyless entries
    last seen 2019-02-21
    modified 2016-08-02
    plugin id 81965
    published 2015-03-20
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=81965
    title openSUSE Security Update : krb5 (openSUSE-2015-246)
  • NASL family Ubuntu Local Security Checks
    NASL id UBUNTU_USN-2810-1.NASL
    description It was discovered that the Kerberos kpasswd service incorrectly handled certain UDP packets. A remote attacker could possibly use this issue to cause resource consumption, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2002-2443) It was discovered that Kerberos incorrectly handled null bytes in certain data fields. A remote attacker could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5355) It was discovered that the Kerberos kdcpreauth modules incorrectly tracked certain client requests. A remote attacker could possibly use this issue to bypass intended preauthentication requirements. This issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-2694) It was discovered that Kerberos incorrectly handled certain SPNEGO packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2695) It was discovered that Kerberos incorrectly handled certain IAKERB packets. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2696, CVE-2015-2698) It was discovered that Kerberos incorrectly handled certain TGS requests. A remote attacker could possibly use this issue to cause a denial of service. (CVE-2015-2697). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-12-01
    plugin id 86872
    published 2015-11-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86872
    title Ubuntu 12.04 LTS / 14.04 LTS / 15.04 / 15.10 : krb5 vulnerabilities (USN-2810-1)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20151119_KRB5_ON_SL7_X.NASL
    description It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A flaw was found in the OTP kdcpreauth module of MIT Kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694) The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. Notably, this update fixes the following bugs : - Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. - Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message : 'No credentials were supplied, or the credentials were unavailable or inaccessible' / 'Unable to establish the security context'. Querying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems.
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 87560
    published 2015-12-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87560
    title Scientific Linux Security Update : krb5 on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-2154.NASL
    description Updated krb5 packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A flaw was found in the OTP kdcpreauth module of MIT Kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694) The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889) Notably, this update fixes the following bugs : * Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586) * Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message : 'No credentials were supplied, or the credentials were unavailable or inaccessible' / 'Unable to establish the security context'. Querying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454) All krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 86933
    published 2015-11-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=86933
    title RHEL 7 : krb5 (RHSA-2015:2154)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-2154.NASL
    description Updated krb5 packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A flaw was found in the OTP kdcpreauth module of MIT Kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694) The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889) Notably, this update fixes the following bugs : * Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586) * Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message : 'No credentials were supplied, or the credentials were unavailable or inaccessible' / 'Unable to establish the security context'. Querying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454) All krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 87136
    published 2015-12-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87136
    title CentOS 7 : krb5 (CESA-2015:2154)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1265.NASL
    description Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues. CVE-2013-1418 Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured. CVE-2014-5351 Kerberos sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5353 When the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. CVE-2014-5355 Kerberos expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character. CVE-2016-3119 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. CVE-2016-3120 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request. For Debian 7 'Wheezy', these problems have been fixed in version 1.10.1+dfsg-5+deb7u9. We recommend that you upgrade your krb5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-07-06
    plugin id 106536
    published 2018-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106536
    title Debian DLA-1265-1 : krb5 security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1276-1.NASL
    description krb5 was updated to fix four security issues. These security issues were fixed : - CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name (bsc#910457). - CVE-2014-5354: NULL pointer dereference when using keyless entries (bsc#910458). - CVE-2014-5355: Denial of service in krb5_read_message (bsc#918595). - CVE-2015-2694: OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass (bsc#928978). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84914
    published 2015-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84914
    title SUSE SLES12 Security Update : krb5 (SUSE-SU-2015:1276-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-624.NASL
    description A flaw was found in the OTP kdcpreauth module of MIT Kerberos. A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 87350
    published 2015-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87350
    title Amazon Linux AMI : krb5 (ALAS-2015-624)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-2154.NASL
    description From Red Hat Security Advisory 2015:2154 : Updated krb5 packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A flaw was found in the OTP kdcpreauth module of MIT Kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694) The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889) Notably, this update fixes the following bugs : * Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586) * Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message : 'No credentials were supplied, or the credentials were unavailable or inaccessible' / 'Unable to establish the security context'. Querying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454) All krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 87026
    published 2015-11-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=87026
    title Oracle Linux 7 : krb5 (ELSA-2015-2154)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2015-1282-1.NASL
    description krb5 was updated to fix three security issues. Remote authenticated users could cause denial of service. These security issues were fixed : - CVE-2014-5353: NULL pointer dereference when using a ticket policy name as password name (bsc#910457). - CVE-2014-5354: NULL pointer dereference when using keyless entries (bsc#910458). - CVE-2014-5355: Denial of service in krb5_read_message (bsc#918595). Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2019-02-21
    modified 2018-11-29
    plugin id 84979
    published 2015-07-24
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=84979
    title SUSE SLED11 / SLES11 Security Update : krb5 (SUSE-SU-2015:1282-1)
  • NASL family Mandriva Local Security Checks
    NASL id MANDRIVA_MDVSA-2015-069.NASL
    description Multiple vulnerabilities have been discovered and corrected in krb5 : The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind (CVE-2014-5352). MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c (CVE-2014-5355). The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind (CVE-2014-9421). The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial kadmind substring, as demonstrated by a ka/x principal (CVE-2014-9422). The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field (CVE-2014-9423). The updated packages provide a solution for these security issues.
    last seen 2019-02-21
    modified 2018-07-19
    plugin id 82322
    published 2015-03-30
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82322
    title Mandriva Linux Security Advisory : krb5 (MDVSA-2015:069)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2015-0794.NASL
    description From Red Hat Security Advisory 2015:0794 : Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC. The following security issues are fixed with this release : A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. (CVE-2014-5352) If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353) It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421) It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422) Red Hat would like to thank the MIT Kerberos project for reporting CVE-2014-5352, CVE-2014-9421, and CVE-2014-9422. The MIT Kerberos project acknowledges Nico Williams for assisting with the analysis of CVE-2014-5352. All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-07-18
    plugin id 82689
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82689
    title Oracle Linux 6 : krb5 (ELSA-2015-0794)
  • NASL family OracleVM Local Security Checks
    NASL id ORACLEVM_OVMSA-2015-0054.NASL
    description The remote OracleVM system is missing necessary patches to address critical security updates : - fix for CVE-2014-5355 (#1193939) 'krb5: unauthenticated denial of service in recvauth_common and others' - fix for CVE-2014-5353 (#1174543) 'Fix LDAP misused policy name crash' - Changelog fixes to make errata subsystem happy. - fix for CVE-2014-5352 (#1179856) 'gss_process_context_token incorrectly frees context (MITKRB5-SA-2015-001)' - fix for CVE-2014-9421 (#1179857) 'kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)' - fix for CVE-2014-9422 (#1179861) 'kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)'
    last seen 2019-02-21
    modified 2018-07-24
    plugin id 82692
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82692
    title OracleVM 3.3 : krb5 (OVMSA-2015-0054)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2015-0794.NASL
    description Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC. The following security issues are fixed with this release : A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. (CVE-2014-5352) If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353) It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421) It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422) Red Hat would like to thank the MIT Kerberos project for reporting CVE-2014-5352, CVE-2014-9421, and CVE-2014-9422. The MIT Kerberos project acknowledges Nico Williams for assisting with the analysis of CVE-2014-5352. All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 82667
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82667
    title CentOS 6 : krb5 (CESA-2015:0794)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2015-518.NASL
    description A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. (CVE-2014-5352) If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353) It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421) It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)
    last seen 2019-02-21
    modified 2018-04-18
    plugin id 83269
    published 2015-05-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83269
    title Amazon Linux AMI : krb5 (ALAS-2015-518)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2015-0794.NASL
    description Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6. Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC. The following security issues are fixed with this release : A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. (CVE-2014-5352) If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353) It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421) It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422) Red Hat would like to thank the MIT Kerberos project for reporting CVE-2014-5352, CVE-2014-9421, and CVE-2014-9422. The MIT Kerberos project acknowledges Nico Williams for assisting with the analysis of CVE-2014-5352. All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.
    last seen 2019-02-21
    modified 2018-11-10
    plugin id 82656
    published 2015-04-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82656
    title RHEL 6 : krb5 (RHSA-2015:0794)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20150409_KRB5_ON_SL6_X.NASL
    description The following security issues are fixed with this release : A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. (CVE-2014-5352) If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. (CVE-2014-5353) It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. (CVE-2014-5355) A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421) It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)
    last seen 2019-02-21
    modified 2018-12-28
    plugin id 82694
    published 2015-04-10
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=82694
    title Scientific Linux Security Update : krb5 on SL6.x i386/x86_64
  • NASL family AIX Local Security Checks
    NASL id AIX_NAS_ADVISORY3.NASL
    description The version of the Network Authentication Service (NAS) installed on the remote AIX host is affected by the following vulnerabilities related to Kerberos 5 : - Denial of service and remote code execution vulnerabilities exist due to security context handles not being properly maintained, allowing an authenticated, remote attacker to crash the service or execute arbitrary code using crafted GSSAPI traffic. (CVE-2014-5352) - A denial of service vulnerability exists due to improper handling of zero-byte or unterminated strings. (CVE-2014-5355) - Denial of service and remote code execution vulnerabilities exist which allow an authenticated, remote attacker to crash the service or execute arbitrary code using crafted, malformed XDR data. (CVE-2014-9421) - A privilege escalation vulnerability exists that allows an authenticated, remote attacker to gain administrative access via a flaw in kadmin authorization checks. (CVE-2014-9422) - An information disclosure vulnerability allows an attacker to gain information about process heap memory from NAS packets. (CVE-2014-9423)
    last seen 2019-02-21
    modified 2018-07-17
    plugin id 83874
    published 2015-05-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=83874
    title AIX NAS Advisory : nas_advisory3.asc
redhat via4
advisories
rhsa
id RHSA-2015:0794
rpms
  • krb5-devel-0:1.10.3-37.el6_6
  • krb5-libs-0:1.10.3-37.el6_6
  • krb5-pkinit-openssl-0:1.10.3-37.el6_6
  • krb5-server-0:1.10.3-37.el6_6
  • krb5-server-ldap-0:1.10.3-37.el6_6
  • krb5-workstation-0:1.10.3-37.el6_6
  • krb5-devel-0:1.13.2-10.el7
  • krb5-libs-0:1.13.2-10.el7
  • krb5-pkinit-0:1.13.2-10.el7
  • krb5-server-0:1.13.2-10.el7
  • krb5-server-ldap-0:1.13.2-10.el7
  • krb5-workstation-0:1.13.2-10.el7
refmap via4
bid 74042
confirm
mandriva MDVSA-2015:069
mlist [debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update
suse openSUSE-SU-2015:0542
ubuntu USN-2810-1
Last major update 02-01-2017 - 21:59
Published 20-02-2015 - 06:59
Last modified 03-02-2018 - 21:29