ID CVE-2016-3120
Summary The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.14.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.
References
Vulnerable Configurations
  • MIT Kerberos 5-1.13
    cpe:2.3:a:mit:kerberos:5-1.13
  • MIT Kerberos 5-1.13.1
    cpe:2.3:a:mit:kerberos:5-1.13.1
  • MIT Kerberos 5-1.13.2
    cpe:2.3:a:mit:kerberos:5-1.13.2
  • MIT Kerberos 5-1.13.3
    cpe:2.3:a:mit:kerberos:5-1.13.3
  • MIT Kerberos 5-1.13.4
    cpe:2.3:a:mit:kerberos:5-1.13.4
  • MIT Kerberos 5-1.13.5
    cpe:2.3:a:mit:kerberos:5-1.13.5
  • MIT Kerberos 5-1.13.6
    cpe:2.3:a:mit:kerberos:5-1.13.6
  • MIT Kerberos 5-1.14
    cpe:2.3:a:mit:kerberos:5-1.14
  • MIT Kerberos 5-1.14.1
    cpe:2.3:a:mit:kerberos:5-1.14.1
  • MIT Kerberos 5-1.14.2
    cpe:2.3:a:mit:kerberos:5-1.14.2
CVSS
Base: 4.0 (as of 01-08-2016 - 13:45)
Impact:
Exploitability:
CWE CWE-476
CAPEC
Access
  • Vector: NETWORK
  • Complexity: LOW
  • Authentication: SINGLE_INSTANCE
Impact
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: PARTIAL
nessus via4
  • NASL family CentOS Local Security Checks
    NASL id CENTOS_RHSA-2016-2591.NASL
    description An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-09-01
    modified 2018-07-13
    plugin id 95337
    published 2016-11-28
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95337
    title CentOS 7 : krb5 (CESA-2016:2591)
  • NASL family Oracle Linux Local Security Checks
    NASL id ORACLELINUX_ELSA-2016-2591.NASL
    description From Red Hat Security Advisory 2016:2591 : An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-09-01
    modified 2018-07-25
    plugin id 94712
    published 2016-11-11
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94712
    title Oracle Linux 7 : krb5 (ELSA-2016-2591)
  • NASL family Scientific Linux Local Security Checks
    NASL id SL_20161103_KRB5_ON_SL7_X.NASL
    description The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). Security Fix(es) : - A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) - A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes :
    last seen 2018-09-02
    modified 2016-12-19
    plugin id 95842
    published 2016-12-15
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=95842
    title Scientific Linux Security Update : krb5 on SL7.x x86_64
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-0674A3C372.NASL
    description Fix low-impact CVE-2016-3120 where S4U2Self may cause KDC crash when anon is restricted Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 92668
    published 2016-08-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92668
    title Fedora 24 : krb5 (2016-0674a3c372)
  • NASL family Red Hat Local Security Checks
    NASL id REDHAT-RHSA-2016-2591.NASL
    description An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section.
    last seen 2018-09-01
    modified 2018-07-27
    plugin id 94554
    published 2016-11-04
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=94554
    title RHEL 7 : krb5 (RHSA-2016:2591)
  • NASL family FreeBSD Local Security Checks
    NASL id FREEBSD_PKG_62D452294FA011E69D13206A8A720317.NASL
    description Major changes in krb5 1.14.3 and krb5 1.13.6 : Fix a rare KDC denial of service vulnerability when anonymous client principals are restricted to obtaining TGTs only [CVE-2016-3120] .
    last seen 2018-09-01
    modified 2016-10-20
    plugin id 92503
    published 2016-07-22
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=92503
    title FreeBSD : krb5 -- KDC denial of service vulnerability (62d45229-4fa0-11e6-9d13-206a8a720317)
  • NASL family SuSE Local Security Checks
    NASL id OPENSUSE-2016-1065.NASL
    description This update for krb5 fixes the following issues : - CVE-2016-3120: KDC NULL pointer Dereference Denial Of Service Vulnerability (bsc#991088) This update was imported from the SUSE:SLE-12:Update update project.
    last seen 2018-09-01
    modified 2016-10-18
    plugin id 93393
    published 2016-09-09
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93393
    title openSUSE Security Update : krb5 (openSUSE-2016-1065)
  • NASL family Huawei Local Security Checks
    NASL id EULEROS_SA-2016-1076.NASL
    description According to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) - A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2018-08-10
    plugin id 99836
    published 2017-05-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=99836
    title EulerOS 2.0 SP1 : krb5 (EulerOS-SA-2016-1076)
  • NASL family Amazon Linux Local Security Checks
    NASL id ALA_ALAS-2017-793.NASL
    description A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120)
    last seen 2018-09-02
    modified 2018-04-19
    plugin id 97023
    published 2017-02-07
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=97023
    title Amazon Linux AMI : krb5 (ALAS-2017-793)
  • NASL family PhotonOS Local Security Checks
    NASL id PHOTONOS_PHSA-2017-0021.NASL
    description An update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has been released.
    last seen 2018-09-01
    modified 2018-08-17
    plugin id 111870
    published 2018-08-17
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=111870
    title Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021
  • NASL family Debian Local Security Checks
    NASL id DEBIAN_DLA-1265.NASL
    description Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues. CVE-2013-1418 Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured. CVE-2014-5351 Kerberos sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5353 When the KDC uses LDAP, Kerberos allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. CVE-2014-5355 Kerberos expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character. CVE-2016-3119 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. CVE-2016-3120 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request. For Debian 7 'Wheezy', these problems have been fixed in version 1.10.1+dfsg-5+deb7u9. We recommend that you upgrade your krb5 packages. NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2018-07-06
    plugin id 106536
    published 2018-02-01
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=106536
    title Debian DLA-1265-1 : krb5 security update
  • NASL family SuSE Local Security Checks
    NASL id SUSE_SU-2016-2136-1.NASL
    description This update for krb5 fixes the following issues : - CVE-2016-3120: KDC NULL pointer Dereference Denial Of Service Vulnerability (bsc#991088) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-07
    modified 2018-09-06
    plugin id 93303
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93303
    title SUSE SLED12 / SLES12 Security Update : krb5 (SUSE-SU-2016:2136-1)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-F405B25923.NASL
    description Bump version to 1.14.3 for the convenience of those needing the SNI fix. ---- Require krb5 to set the 'Host:' header when speaking KKDCPP. This fixes use of TLS with SNI. ---- Fix low-impact CVE-2016-3120 where S4U2Self may cause KDC crash when anon is restricted Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-01
    modified 2016-10-19
    plugin id 93266
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93266
    title Fedora 23 : krb5 (2016-f405b25923)
  • NASL family Fedora Local Security Checks
    NASL id FEDORA_2016-4A36663643.NASL
    description Misc samba and sssd-related bugfixes. ---- Bump version to 1.14.3 for the convenience of those needing the SNI fix. ---- Require krb5 to set the 'Host:' header when speaking KKDCPP. This fixes use of TLS with SNI. ---- Fix low-impact CVE-2016-3120 where S4U2Self may cause KDC crash when anon is restricted Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen 2018-09-02
    modified 2016-10-19
    plugin id 93262
    published 2016-09-02
    reporter Tenable
    source https://www.tenable.com/plugins/index.php?view=single&id=93262
    title Fedora 23 : krb5 (2016-4a36663643)
redhat via4
advisories
bugzilla
id 1364993
title MS-KKDCP with TLS SNI requires HTTP Host header
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhsa:tst:20140675001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhsa:tst:20140675002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhsa:tst:20140675003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhsa:tst:20140675004
  • OR
    • AND
      • comment krb5 is earlier than 0:1.14.1-26.el7
        oval oval:com.redhat.rhsa:tst:20162591019
      • comment krb5 is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863006
    • AND
      • comment krb5-devel is earlier than 0:1.14.1-26.el7
        oval oval:com.redhat.rhsa:tst:20162591005
      • comment krb5-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863014
    • AND
      • comment krb5-libs is earlier than 0:1.14.1-26.el7
        oval oval:com.redhat.rhsa:tst:20162591015
      • comment krb5-libs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863018
    • AND
      • comment krb5-pkinit is earlier than 0:1.14.1-26.el7
        oval oval:com.redhat.rhsa:tst:20162591017
      • comment krb5-pkinit is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20150439008
    • AND
      • comment krb5-server is earlier than 0:1.14.1-26.el7
        oval oval:com.redhat.rhsa:tst:20162591009
      • comment krb5-server is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863012
    • AND
      • comment krb5-server-ldap is earlier than 0:1.14.1-26.el7
        oval oval:com.redhat.rhsa:tst:20162591013
      • comment krb5-server-ldap is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863008
    • AND
      • comment krb5-workstation is earlier than 0:1.14.1-26.el7
        oval oval:com.redhat.rhsa:tst:20162591011
      • comment krb5-workstation is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863016
    • AND
      • comment libkadm5 is earlier than 0:1.14.1-26.el7
        oval oval:com.redhat.rhsa:tst:20162591007
      • comment libkadm5 is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162591008
rhsa
id RHSA-2016:2591
released 2016-11-03
severity Low
title RHSA-2016:2591: krb5 security, bug fix, and enhancement update (Low)
rpms
  • krb5-0:1.14.1-26.el7
  • krb5-devel-0:1.14.1-26.el7
  • krb5-libs-0:1.14.1-26.el7
  • krb5-pkinit-0:1.14.1-26.el7
  • krb5-server-0:1.14.1-26.el7
  • krb5-server-ldap-0:1.14.1-26.el7
  • krb5-workstation-0:1.14.1-26.el7
  • libkadm5-0:1.14.1-26.el7
refmap via4
bid 92132
confirm
fedora FEDORA-2016-0674a3c372
mlist [debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update
sectrack 1036442
suse openSUSE-SU-2016:2268
Last major update 28-11-2016 - 15:06
Published 31-07-2016 - 22:59
Last modified 03-02-2018 - 21:29