ID CVE-2016-3119
Summary The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.
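Added illustration of the parsing defect the summary describes, written for this page in C (the language of kadmind and its LDAP KDB module) and not taken from the krb5 sources or the fix commit. The LDAP module splits each DB argument (the `-x key=value` options that kadmin passes along with a modify-principal request) into a key and a value and then compares the key against the ones it knows; an empty argument yields no key at all, and comparing a NULL key is the NULL pointer dereference. The example assumes the key is extracted with a strtok-style call, which returns NULL for an empty string; the key names `dn`, `linkdn` and `tktpolicy` are krb5's documented kadmin LDAP options rather than text from this page; the function and type names (`parse_db_arg_vulnerable`, `parse_db_arg_hardened`, `validate_db_args`, `db_arg_kind`) and the sample argument lists are constructed for the example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names for this example; not krb5 identifiers. */
enum db_arg_kind { ARG_UNKNOWN = 0, ARG_DN, ARG_LINKDN, ARG_TKTPOLICY };

static const struct { const char *name; enum db_arg_kind kind; } db_arg_table[] = {
    { "dn", ARG_DN }, { "linkdn", ARG_LINKDN }, { "tktpolicy", ARG_TKTPOLICY },
};
#define DB_ARG_TABLE_LEN (sizeof(db_arg_table) / sizeof(db_arg_table[0]))

/*
 * Vulnerable shape (assumed model of the pre-fix flow): split "key=value"
 * with a strtok-style call, then strcmp() the key. For an empty argument
 * strtok() returns NULL and strcmp(NULL, "dn") dereferences it. strtok()
 * is used for portability; strtok_r() behaves the same on "". Both rewrite
 * their input, so callers pass a writable copy.
 */
static enum db_arg_kind parse_db_arg_vulnerable(char *arg, char **value)
{
    char *key = strtok(arg, "=");              /* NULL when arg is "" or "=" */
    *value = strtok(NULL, "");                 /* remainder after the '=' */
    if (strcmp(key, "dn") == 0)        return ARG_DN;   /* crashes if key == NULL */
    if (strcmp(key, "linkdn") == 0)    return ARG_LINKDN;
    if (strcmp(key, "tktpolicy") == 0) return ARG_TKTPOLICY;
    return ARG_UNKNOWN;
}

/*
 * Hardened shape: validate before comparing. Rejects NULL, "", "key" with
 * no '=', "=value" (empty key), "key=" (empty value) and unknown keys with
 * EINVAL, and never modifies the input. On success *value points into arg.
 */
static int parse_db_arg_hardened(const char *arg, enum db_arg_kind *kind,
                                 const char **value)
{
    const char *eq;
    size_t keylen, i;

    *kind = ARG_UNKNOWN;
    *value = NULL;
    if (arg == NULL || *arg == '\0')
        return EINVAL;                         /* the CVE-2016-3119 input */
    eq = strchr(arg, '=');
    if (eq == NULL || eq == arg || eq[1] == '\0')
        return EINVAL;
    keylen = (size_t)(eq - arg);
    for (i = 0; i < DB_ARG_TABLE_LEN; i++) {
        if (strlen(db_arg_table[i].name) == keylen &&
            memcmp(db_arg_table[i].name, arg, keylen) == 0) {
            *kind = db_arg_table[i].kind;
            *value = eq + 1;
            return 0;
        }
    }
    return EINVAL;                             /* unknown key: refuse, don't guess */
}

/* Single-argument wrappers: status, kind, and value of one DB argument. */
static int check_db_arg(const char *arg)
{
    enum db_arg_kind kind; const char *value;
    return parse_db_arg_hardened(arg, &kind, &value);
}

static enum db_arg_kind classify_db_arg(const char *arg)
{
    enum db_arg_kind kind; const char *value;
    parse_db_arg_hardened(arg, &kind, &value);
    return kind;
}

static const char *db_arg_value(const char *arg)
{
    enum db_arg_kind kind; const char *value;
    return parse_db_arg_hardened(arg, &kind, &value) == 0 ? value : NULL;
}

/*
 * Walk the NULL-terminated db_args array the way kadmind receives it and
 * reject the whole request on the first bad entry, before anything is
 * written to the LDAP entry.
 */
static int validate_db_args(const char *const *db_args)
{
    size_t i;
    if (db_args == NULL)
        return 0;                              /* no -x options at all is fine */
    for (i = 0; db_args[i] != NULL; i++) {
        int st = check_db_arg(db_args[i]);
        if (st != 0)
            return st;
    }
    return 0;
}

/* Constructed sample requests (not captured traffic). */
static const char *const sample_ok[] = {
    "dn=cn=alice,ou=people,dc=example,dc=com", "tktpolicy=cn=default,dc=example,dc=com", NULL
};
static const char *const sample_bad[] = {
    "dn=cn=alice,ou=people,dc=example,dc=com", "", NULL   /* empty DB argument */
};

int main(void)
{
    char buf[] = "linkdn=cn=svc,dc=example,dc=com";
    char *val = NULL;
    enum db_arg_kind k = parse_db_arg_vulnerable(buf, &val);
    printf("vulnerable parser on a well-formed arg: kind=%d value=%s\n", (int)k, val);
    /* parse_db_arg_vulnerable("") would dereference NULL; the hardened one refuses. */
    printf("hardened parser on \"\": %d (EINVAL=%d)\n", check_db_arg(""), EINVAL);
    printf("sample_ok -> %d, sample_bad -> %d\n",
           validate_db_args(sample_ok), validate_db_args(sample_bad));
    return 0;
}
```

The defensive point is where the check sits: the hardened parser rejects the malformed argument before any string comparison, and `validate_db_args` rejects the whole request before any entry is touched, so an authenticated but hostile kadmin client gets EINVAL rather than a dead daemon.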
References
Vulnerable Configurations
  • openSUSE Leap 42.1
    cpe:2.3:o:opensuse:leap:42.1
  • OpenSUSE 13.2
    cpe:2.3:o:opensuse:opensuse:13.2
  • MIT Kerberos 5 5.0_1.1
    cpe:2.3:a:mit:kerberos:5-1.1
  • MIT Kerberos 5 1.2
    cpe:2.3:a:mit:kerberos:5-1.2
  • MIT Kerberos 5 1.2.1
    cpe:2.3:a:mit:kerberos:5-1.2.1
  • MIT Kerberos 5 1.2.2
    cpe:2.3:a:mit:kerberos:5-1.2.2
  • MIT Kerberos 5 1.2.3
    cpe:2.3:a:mit:kerberos:5-1.2.3
  • MIT Kerberos 5 1.2.4
    cpe:2.3:a:mit:kerberos:5-1.2.4
  • MIT Kerberos 5 1.2.5
    cpe:2.3:a:mit:kerberos:5-1.2.5
  • MIT Kerberos 5 1.2.6
    cpe:2.3:a:mit:kerberos:5-1.2.6
  • MIT Kerberos 5 1.2.7
    cpe:2.3:a:mit:kerberos:5-1.2.7
  • MIT Kerberos 5 1.2.8
    cpe:2.3:a:mit:kerberos:5-1.2.8
  • MIT Kerberos 5 1.3
    cpe:2.3:a:mit:kerberos:5-1.3
  • MIT Kerberos 5 1.3 alpha1
    cpe:2.3:a:mit:kerberos:5-1.3:alpha1
  • MIT Kerberos 5 1.3.1
    cpe:2.3:a:mit:kerberos:5-1.3.1
  • MIT Kerberos 5 1.3.2
    cpe:2.3:a:mit:kerberos:5-1.3.2
  • MIT Kerberos 5 1.3.3
    cpe:2.3:a:mit:kerberos:5-1.3.3
  • MIT Kerberos 5 1.3.4
    cpe:2.3:a:mit:kerberos:5-1.3.4
  • MIT Kerberos 5 1.3.5
    cpe:2.3:a:mit:kerberos:5-1.3.5
  • MIT Kerberos 5 1.3.6
    cpe:2.3:a:mit:kerberos:5-1.3.6
  • MIT Kerberos 5 1.4
    cpe:2.3:a:mit:kerberos:5-1.4
  • MIT Kerberos 5 1.4.1
    cpe:2.3:a:mit:kerberos:5-1.4.1
  • MIT Kerberos 5 1.4.2
    cpe:2.3:a:mit:kerberos:5-1.4.2
  • MIT Kerberos 5 1.4.3
    cpe:2.3:a:mit:kerberos:5-1.4.3
  • MIT Kerberos 5 1.4.4
    cpe:2.3:a:mit:kerberos:5-1.4.4
  • MIT Kerberos 5 1.5
    cpe:2.3:a:mit:kerberos:5-1.5
  • MIT Kerberos 5 1.5.1
    cpe:2.3:a:mit:kerberos:5-1.5.1
  • MIT Kerberos 5 1.5.2
    cpe:2.3:a:mit:kerberos:5-1.5.2
  • MIT Kerberos 5 1.5.3
    cpe:2.3:a:mit:kerberos:5-1.5.3
  • MIT Kerberos 5 1.6
    cpe:2.3:a:mit:kerberos:5-1.6
  • MIT Kerberos 5 1.6.1
    cpe:2.3:a:mit:kerberos:5-1.6.1
  • MIT Kerberos 5 1.6.2
    cpe:2.3:a:mit:kerberos:5-1.6.2
  • MIT Kerberos 5 1.7
    cpe:2.3:a:mit:kerberos:5-1.7
  • MIT Kerberos 5 1.7.1
    cpe:2.3:a:mit:kerberos:5-1.7.1
  • MIT Kerberos 5 1.8
    cpe:2.3:a:mit:kerberos:5-1.8
  • MIT Kerberos 5 1.8.1
    cpe:2.3:a:mit:kerberos:5-1.8.1
  • MIT Kerberos 5 1.8.2
    cpe:2.3:a:mit:kerberos:5-1.8.2
  • MIT Kerberos 5 1.8.3
    cpe:2.3:a:mit:kerberos:5-1.8.3
  • MIT Kerberos 5 1.8.4
    cpe:2.3:a:mit:kerberos:5-1.8.4
  • MIT Kerberos 5 1.8.5
    cpe:2.3:a:mit:kerberos:5-1.8.5
  • MIT Kerberos 5 1.8.6
    cpe:2.3:a:mit:kerberos:5-1.8.6
  • MIT Kerberos 5 1.9
    cpe:2.3:a:mit:kerberos:5-1.9
  • MIT Kerberos 5 1.9.1
    cpe:2.3:a:mit:kerberos:5-1.9.1
  • MIT Kerberos 5 1.9.2
    cpe:2.3:a:mit:kerberos:5-1.9.2
  • MIT Kerberos 5 1.9.3
    cpe:2.3:a:mit:kerberos:5-1.9.3
  • MIT Kerberos 5 1.9.4
    cpe:2.3:a:mit:kerberos:5-1.9.4
  • MIT Kerberos 5 1.10
    cpe:2.3:a:mit:kerberos:5-1.10
  • MIT Kerberos 5 1.10.1
    cpe:2.3:a:mit:kerberos:5-1.10.1
  • MIT Kerberos 5 1.10.2
    cpe:2.3:a:mit:kerberos:5-1.10.2
  • MIT Kerberos 5 1.10.3
    cpe:2.3:a:mit:kerberos:5-1.10.3
  • MIT Kerberos 5 1.10.4
    cpe:2.3:a:mit:kerberos:5-1.10.4
  • MIT Kerberos 5 1.11
    cpe:2.3:a:mit:kerberos:5-1.11
  • MIT Kerberos 5 1.11.1
    cpe:2.3:a:mit:kerberos:5-1.11.1
  • MIT Kerberos 5 1.11.2
    cpe:2.3:a:mit:kerberos:5-1.11.2
  • MIT Kerberos 5 1.11.3
    cpe:2.3:a:mit:kerberos:5-1.11.3
  • MIT Kerberos 5 1.11.4
    cpe:2.3:a:mit:kerberos:5-1.11.4
  • MIT Kerberos 5 1.11.5
    cpe:2.3:a:mit:kerberos:5-1.11.5
  • MIT Kerberos 5 1.12
    cpe:2.3:a:mit:kerberos:5-1.12
  • MIT Kerberos 5 1.12.1
    cpe:2.3:a:mit:kerberos:5-1.12.1
  • MIT Kerberos 5 1.12.2
    cpe:2.3:a:mit:kerberos:5-1.12.2
  • MIT Kerberos 5 1.12.3
    cpe:2.3:a:mit:kerberos:5-1.12.3
  • MIT Kerberos 5 1.13
    cpe:2.3:a:mit:kerberos:5-1.13
  • MIT Kerberos 5 1.13.1
    cpe:2.3:a:mit:kerberos:5-1.13.1
  • MIT Kerberos 5 1.13.2
    cpe:2.3:a:mit:kerberos:5-1.13.2
  • MIT Kerberos 5 1.13.3
    cpe:2.3:a:mit:kerberos:5-1.13.3
  • MIT Kerberos 5 1.13.4
    cpe:2.3:a:mit:kerberos:5-1.13.4
  • MIT Kerberos 5 1.14 Alpha 1
    cpe:2.3:a:mit:kerberos:5-1.14:alpha1
  • MIT Kerberos 5 1.14 Beta 1
    cpe:2.3:a:mit:kerberos:5-1.14:beta1
  • MIT Kerberos 5 1.14 Beta 2
    cpe:2.3:a:mit:kerberos:5-1.14:beta2
  • MIT Kerberos 5 1.14.0
    cpe:2.3:a:mit:kerberos:5-1.14.0
  • MIT Kerberos 5 1.14.1
    cpe:2.3:a:mit:kerberos:5-1.14.1
  • MIT Kerberos 5 krb5_1.0
    cpe:2.3:a:mit:kerberos:5_1.0
  • MIT Kerberos 5 1.0.6
    cpe:2.3:a:mit:kerberos:5_1.0.6
  • MIT Kerberos 5 1.1
    cpe:2.3:a:mit:kerberos:5_1.1
  • MIT Kerberos 5 1.1.1
    cpe:2.3:a:mit:kerberos:5_1.1.1
  • MIT Kerberos 5 5.0_1.2 Beta1
    cpe:2.3:a:mit:kerberos:5_1.2:beta1
  • MIT Kerberos 5 5.0_1.2 Beta2
    cpe:2.3:a:mit:kerberos:5_1.2:beta2
  • MIT Kerberos 5 5.0_1.3.3
    cpe:2.3:a:mit:kerberos:5_1.3.3
CVSS
Base: 3.5 (as of 21-12-2016 - 14:31)
Vector (CVSS v2): AV:N/AC:M/Au:S/C:N/I:N/A:P
Impact subscore: 2.9
Exploitability subscore: 6.8
Access: Vector NETWORK, Complexity MEDIUM, Authentication SINGLE_INSTANCE
Impact: Confidentiality NONE, Integrity NONE, Availability PARTIAL
nessus via4
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2591.NASL
    description From Red Hat Security Advisory 2016:2591 : An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-09-01
    modified 2018-07-25
    plugin id 94712
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94712
    title Oracle Linux 7 : krb5 (ELSA-2016-2591)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-424.NASL
    description This update for krb5 fixes the following security issue : - CVE-2016-3119: An authenticated attacker with permission to modify a principal entry could have caused kadmind to dereference a NULL pointer by supplying an empty DB argument to the modify_principal command, if kadmind is configured to use the LDAP KDB module. (bsc#971942)
    last seen 2018-09-01
    modified 2016-10-13
    plugin id 90341
    published 2016-04-05
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90341
    title openSUSE Security Update : krb5 (openSUSE-2016-424)
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2591.NASL
    description An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-11-11
    modified 2018-11-10
    plugin id 95337
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95337
    title CentOS 7 : krb5 (CESA-2016:2591)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_KRB5_ON_SL7_X.NASL
    description The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). Security Fix(es) : - A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) - A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes :
    last seen 2018-09-02
    modified 2016-12-19
    plugin id 95842
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95842
    title Scientific Linux Security Update : krb5 on SL7.x x86_64
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2591.NASL
    description An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-11-13
    modified 2018-11-10
    plugin id 94554
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94554
    title RHEL 7 : krb5 (RHSA-2016:2591)
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1265.NASL
    description Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues. CVE-2013-1418 Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured. CVE-2014-5351 Kerberos sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5353 When the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. CVE-2014-5355 Kerberos expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character. CVE-2016-3119 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. CVE-2016-3120 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request. For Debian 7 'Wheezy', these problems have been fixed in version 1.10.1+dfsg-5+deb7u9. We recommend that you upgrade your krb5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-07-06
    plugin id 106536
    published 2018-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106536
    title Debian DLA-1265-1 : krb5 security update
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2018-1376.NASL
    description According to the version of the krb5 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerability : - A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-22
    modified 2018-11-21
    plugin id 119067
    published 2018-11-21
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=119067
    title EulerOS Virtualization 2.5.1 : krb5 (EulerOS-SA-2018-1376)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-474.NASL
    description This update for krb5 fixes the following security issue : - CVE-2016-3119: An authenticated attacker with permission to modify a principal entry could have caused kadmind to dereference a NULL pointer by supplying an empty DB argument to the modify_principal command, if kadmind is configured to use the LDAP KDB module. (bsc#971942) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2018-09-02
    modified 2016-10-13
    plugin id 90564
    published 2016-04-18
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90564
    title openSUSE Security Update : krb5 (openSUSE-2016-474)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-0994-1.NASL
    description This update for krb5 fixes the following security issue : - CVE-2016-3119: An authenticated attacker with permission to modify a principal entry could have caused kadmind to dereference a NULL pointer by supplying an empty DB argument to the modify_principal command, if kadmind is configured to use the LDAP KDB module. (bsc#971942) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 90506
    published 2016-04-13
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90506
    title SUSE SLED12 / SLES12 Security Update : krb5 (SUSE-SU-2016:0994-1)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-793.NASL
    description A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120)
    last seen 2018-09-02
    modified 2018-04-19
    plugin id 97023
    published 2017-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97023
    title Amazon Linux AMI : krb5 (ALAS-2017-793)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1076.NASL
    description According to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) - A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-15
    modified 2018-11-14
    plugin id 99836
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99836
    title EulerOS 2.0 SP1 : krb5 (EulerOS-SA-2016-1076)
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-1088-1.NASL
    description This update for krb5 fixes the following security issue : - CVE-2016-3119: An authenticated attacker with permission to modify a principal entry could have caused kadmind to dereference a NULL pointer by supplying an empty DB argument to the modify_principal command, if kadmind is configured to use the LDAP KDB module. (bsc#971942) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-11-30
    modified 2018-11-29
    plugin id 90586
    published 2016-04-19
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=90586
    title SUSE SLES11 Security Update : krb5 (SUSE-SU-2016:1088-1)
redhat via4
advisories
rhsa
id RHSA-2016:2591
rpms
  • krb5-devel-0:1.14.1-26.el7
  • krb5-libs-0:1.14.1-26.el7
  • krb5-pkinit-0:1.14.1-26.el7
  • krb5-server-0:1.14.1-26.el7
  • krb5-server-ldap-0:1.14.1-26.el7
  • krb5-workstation-0:1.14.1-26.el7
  • libkadm5-0:1.14.1-26.el7
refmap via4
bid 85392
confirm https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99
mlist [debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update
sectrack 1035399
suse
  • openSUSE-SU-2016:0947
  • openSUSE-SU-2016:1072
Last major update 22-12-2016 - 10:52
Published 25-03-2016 - 21:59
Last modified 30-10-2018 - 12:27