cnvd - cnvd-2015-03468

cnvd-2015-03468

Vulnerability from cnvd

Title: MIT Kerberos kdcpreauth模块预认证安全绕过漏洞

Description:

MIT Kerberos 5是一套网络认证协议，它采用客户端/服务器结构，并且客户端和服务器端均可对对方进行身份认证。kdcpreauth是其中的一个接口模块。

MIT Kerberos 5 的kdcpreauth模块的plugins/preauth/otp/main.c和plugins/preauth/pkinit/pkinit_srv.c文件中存在安全漏洞，由于程序在完成对客户端请求的验证时设置TKT_FLG_PRE_AUTH位，允许远程攻击者提交零字节的数据或任意域名绕过预认证要求。

Severity: 中

Patch Name: MIT Kerberos kdcpreauth模块预认证安全绕过漏洞的补丁

Patch Description:

MIT Kerberos 5是一套网络认证协议，它采用客户端/服务器结构，并且客户端和服务器端均可对对方进行身份认证。kdcpreauth是其中的一个接口模块。

Formal description:

用户可参考如下供应商提供的安全公告获得补丁信息： https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604 http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160

Reference: http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160

Impacted products

Name
['MIT Kerberos 5 1.12.x', 'MIT Kerberos 5 < 1.13.2']

Show details on source website

JSON

To clipboard

{
  "bids": {
    "bid": {
      "bidNumber": "74824"
    }
  },
  "cves": {
    "cve": {
      "cveNumber": "CVE-2015-2694"
    }
  },
  "description": "MIT Kerberos 5\u662f\u4e00\u5957\u7f51\u7edc\u8ba4\u8bc1\u534f\u8bae\uff0c\u5b83\u91c7\u7528\u5ba2\u6237\u7aef/\u670d\u52a1\u5668\u7ed3\u6784\uff0c\u5e76\u4e14\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u7aef\u5747\u53ef\u5bf9\u5bf9\u65b9\u8fdb\u884c\u8eab\u4efd\u8ba4\u8bc1\u3002kdcpreauth\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u63a5\u53e3\u6a21\u5757\u3002 \r\n\r\nMIT Kerberos 5 \u7684kdcpreauth\u6a21\u5757\u7684plugins/preauth/otp/main.c\u548cplugins/preauth/pkinit/pkinit_srv.c\u6587\u4ef6\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u7531\u4e8e\u7a0b\u5e8f\u5728\u5b8c\u6210\u5bf9\u5ba2\u6237\u7aef\u8bf7\u6c42\u7684\u9a8c\u8bc1\u65f6\u8bbe\u7f6eTKT_FLG_PRE_AUTH\u4f4d\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u63d0\u4ea4\u96f6\u5b57\u8282\u7684\u6570\u636e\u6216\u4efb\u610f\u57df\u540d\u7ed5\u8fc7\u9884\u8ba4\u8bc1\u8981\u6c42\u3002",
  "discovererName": "MIT",
  "formalWay": "\u7528\u6237\u53ef\u53c2\u8003\u5982\u4e0b\u4f9b\u5e94\u5546\u63d0\u4f9b\u7684\u5b89\u5168\u516c\u544a\u83b7\u5f97\u8865\u4e01\u4fe1\u606f\uff1a\r\nhttps://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604\r\nhttp://krbdev.mit.edu/rt/Ticket/Display.html?id=8160",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2015-03468",
  "openTime": "2015-05-29",
  "patchDescription": "MIT Kerberos 5\u662f\u4e00\u5957\u7f51\u7edc\u8ba4\u8bc1\u534f\u8bae\uff0c\u5b83\u91c7\u7528\u5ba2\u6237\u7aef/\u670d\u52a1\u5668\u7ed3\u6784\uff0c\u5e76\u4e14\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u5668\u7aef\u5747\u53ef\u5bf9\u5bf9\u65b9\u8fdb\u884c\u8eab\u4efd\u8ba4\u8bc1\u3002kdcpreauth\u662f\u5176\u4e2d\u7684\u4e00\u4e2a\u63a5\u53e3\u6a21\u5757\u3002 \r\n\r\nMIT Kerberos 5 \u7684kdcpreauth\u6a21\u5757\u7684plugins/preauth/otp/main.c\u548cplugins/preauth/pkinit/pkinit_srv.c\u6587\u4ef6\u4e2d\u5b58\u5728\u5b89\u5168\u6f0f\u6d1e\uff0c\u7531\u4e8e\u7a0b\u5e8f\u5728\u5b8c\u6210\u5bf9\u5ba2\u6237\u7aef\u8bf7\u6c42\u7684\u9a8c\u8bc1\u65f6\u8bbe\u7f6eTKT_FLG_PRE_AUTH\u4f4d\uff0c\u5141\u8bb8\u8fdc\u7a0b\u653b\u51fb\u8005\u63d0\u4ea4\u96f6\u5b57\u8282\u7684\u6570\u636e\u6216\u4efb\u610f\u57df\u540d\u7ed5\u8fc7\u9884\u8ba4\u8bc1\u8981\u6c42\u3002\u76ee\u524d\uff0c\u4f9b\u5e94\u5546\u53d1\u5e03\u4e86\u5b89\u5168\u516c\u544a\u53ca\u76f8\u5173\u8865\u4e01\u4fe1\u606f\uff0c\u4fee\u590d\u4e86\u6b64\u6f0f\u6d1e\u3002",
  "patchName": "MIT Kerberos kdcpreauth\u6a21\u5757\u9884\u8ba4\u8bc1\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e\u7684\u8865\u4e01",
  "products": {
    "product": [
      "MIT Kerberos 5 1.12.x",
      "MIT Kerberos 5  \u003c 1.13.2"
    ]
  },
  "referenceLink": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160",
  "serverity": "\u4e2d",
  "submitTime": "2015-05-26",
  "title": "MIT Kerberos kdcpreauth\u6a21\u5757\u9884\u8ba4\u8bc1\u5b89\u5168\u7ed5\u8fc7\u6f0f\u6d1e"
}

CVE-2015-2694 (GCVE-0-2015-2694)

Vulnerability from cvelistv5

Published

2015-05-25 19:00

Modified

2024-08-06 05:24

Severity ?

CWE

Summary

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.

References

▼	URL	Tags
	https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604	x_refsource_CONFIRM
	http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html	x_refsource_CONFIRM
	http://www.securityfocus.com/bid/74824	vdb-entry, x_refsource_BID
	http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160	x_refsource_CONFIRM
	http://www.ubuntu.com/usn/USN-2810-1	vendor-advisory, x_refsource_UBUNTU

Impacted products

	Vendor	Product	Version
	n/a	n/a	Version: n/a

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-06T05:24:38.376Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
          },
          {
            "name": "74824",
            "tags": [
              "vdb-entry",
              "x_refsource_BID",
              "x_transferred"
            ],
            "url": "http://www.securityfocus.com/bid/74824"
          },
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160"
          },
          {
            "name": "USN-2810-1",
            "tags": [
              "vendor-advisory",
              "x_refsource_UBUNTU",
              "x_transferred"
            ],
            "url": "http://www.ubuntu.com/usn/USN-2810-1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "n/a",
          "vendor": "n/a",
          "versions": [
            {
              "status": "affected",
              "version": "n/a"
            }
          ]
        }
      ],
      "datePublic": "2015-03-24T00:00:00",
      "descriptions": [
        {
          "lang": "en",
          "value": "The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client\u0027s request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "description": "n/a",
              "lang": "en",
              "type": "text"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2016-12-05T22:57:01",
        "orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
        "shortName": "mitre"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
        },
        {
          "name": "74824",
          "tags": [
            "vdb-entry",
            "x_refsource_BID"
          ],
          "url": "http://www.securityfocus.com/bid/74824"
        },
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160"
        },
        {
          "name": "USN-2810-1",
          "tags": [
            "vendor-advisory",
            "x_refsource_UBUNTU"
          ],
          "url": "http://www.ubuntu.com/usn/USN-2810-1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "cve@mitre.org",
          "ID": "CVE-2015-2694",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "n/a",
                      "version": {
                        "version_data": [
                          {
                            "version_value": "n/a"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "n/a"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client\u0027s request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "n/a"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604",
              "refsource": "CONFIRM",
              "url": "https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604"
            },
            {
              "name": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html",
              "refsource": "CONFIRM",
              "url": "http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html"
            },
            {
              "name": "74824",
              "refsource": "BID",
              "url": "http://www.securityfocus.com/bid/74824"
            },
            {
              "name": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160",
              "refsource": "CONFIRM",
              "url": "http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160"
            },
            {
              "name": "USN-2810-1",
              "refsource": "UBUNTU",
              "url": "http://www.ubuntu.com/usn/USN-2810-1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
    "assignerShortName": "mitre",
    "cveId": "CVE-2015-2694",
    "datePublished": "2015-05-25T19:00:00",
    "dateReserved": "2015-03-24T00:00:00",
    "dateUpdated": "2024-08-06T05:24:38.376Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or seen somewhere by the user.
Confirmed: The vulnerability is confirmed from an analyst perspective.
Exploited: This vulnerability was exploited and seen by the user reporting the sighting.
Patched: This vulnerability was successfully patched by the user reporting the sighting.
Not exploited: This vulnerability was not exploited or seen by the user reporting the sighting.
Not confirmed: The user expresses doubt about the veracity of the vulnerability.
Not patched: This vulnerability was not successfully patched by the user reporting the sighting.

Action not permitted