schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103.

The remote NewStart CGSL host, running version MAIN 6.06, has krb5 packages installed that are affected by multiple vulnerabilities:

  - plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles     Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial     of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related     to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use     cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin     code that is specific to Red Hat. (CVE-2017-15088)

  - The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT     Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute     arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error     condition. (CVE-2011-0285)

  - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly     validate UDP packets before sending responses, which allows remote attackers to cause a denial of service     (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by     krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443)

  - The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b)     Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to     gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known     whether an exploitable attack scenario exists for these issues. (CVE-2006-3084)

  - The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration     daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in     freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute     arbitrary code via unspecified vectors. (CVE-2006-6143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2810-1 advisory.

    It was discovered that the Kerberos kpasswd service incorrectly handled certain UDP packets. A remote     attacker could possibly use this issue to cause resource consumption, resulting in a denial of service.
    This issue only affected Ubuntu 12.04 LTS. (CVE-2002-2443)

    It was discovered that Kerberos incorrectly handled null bytes in certain data fields. A remote attacker     could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and     Ubuntu 14.04 LTS. (CVE-2014-5355)

    It was discovered that the Kerberos kdcpreauth modules incorrectly tracked certain client requests. A     remote attacker could possibly use this issue to bypass intended preauthentication requirements. This     issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-2694)

    It was discovered that Kerberos incorrectly handled certain SPNEGO packets. A remote attacker could     possibly use this issue to cause a denial of service. (CVE-2015-2695)

    It was discovered that Kerberos incorrectly handled certain IAKERB packets. A remote attacker could     possibly use this issue to cause a denial of service. (CVE-2015-2696, CVE-2015-2698)

    It was discovered that Kerberos incorrectly handled certain TGS requests. A remote attacker could possibly     use this issue to cause a denial of service. (CVE-2015-2697)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Solaris system is missing necessary patches to address security updates :

  - schpw.c in the kpasswd service in kadmind in MIT     Kerberos 5 (aka krb5) before 1.11.3 does not properly     validate UDP packets before sending responses, which     allows remote attackers to cause a denial of service     (CPU and bandwidth consumption) via a forged packet that     triggers a communication loop, as demonstrated by     krb_pingpong.nasl, a related issue to CVE-1999-0103.
    (CVE-2002-2443)

  - The pkinit_server_return_padata function in     plugins/preauth/pkinit/pkinit_srv.c in the PKINIT     implementation in the Key Distribution Center (KDC) in     MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find     an agility KDF identifier in inappropriate     circumstances, which allows remote attackers to cause a     denial of service (NULL pointer dereference and daemon     crash) via a crafted Draft 9 request. (CVE-2012-1016)

  - The pkinit_check_kdc_pkid function in     plugins/preauth/pkinit/ pkinit_crypto_openssl.c in the     PKINIT implementation in the Key Distribution Center     (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and     1.11.x before 1.11.1 does not properly handle errors     during extraction of fields from an X.509 certificate,     which allows remote attackers to cause a denial of     service (NULL pointer dereference and daemon crash) via     a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.
    (CVE-2013-1415)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - actually apply that last patch

  - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345,     #1128157)

  - ksu: when evaluating .k5users, don't throw away data     from .k5users when we're not passed a command to run,     which implicitly means we're attempting to run the     target user's shell (#1026721, revised)

  - ksu: when evaluating .k5users, treat lines with just a     principal name as if they contained the principal name     followed by '*', and don't throw away data from .k5users     when we're not passed a command to run, which implicitly     means we're attempting to run the target user's shell     (#1026721, revised)

  - gssapi: pull in upstream fix for a possible NULL     dereference in spnego (CVE-2014-4344, #1121510)

  - gssapi: pull in proposed-and-accepted fix for a double     free in initiators (David Woodhouse, CVE-2014-4343,     #1121510)

  - correct a type mistake in the backported fix for     (CVE-2013-1418, CVE-2013-6800)

  - pull in backported fix for denial of service by     injection of malformed GSSAPI tokens (CVE-2014-4341,     CVE-2014-4342, #1121510)

  - incorporate backported patch for remote crash of KDCs     which serve multiple realms simultaneously (RT#7756,     CVE-2013-1418/CVE-2013-6800, more of

  - pull in backport of patch to not subsequently always     require that responses come from master KDCs if we get     one from a master somewhere along the way while chasing     referrals (RT#7650, #1113652)

  - ksu: if the -e flag isn't used, use the target user's     shell when checking for authorization via the target     user's .k5users file (#1026721)

  - define _GNU_SOURCE in files where we use EAI_NODATA, to     make sure that it's declared (#1059730)

  - spnego: pull in patch from master to restore preserving     the OID of the mechanism the initiator requested when we     have multiple OIDs for the same mechanism, so that we     reply using the same mechanism OID and the initiator     doesn't get confused (#1087068, RT#7858)

  - add patch from Jatin Nansi to avoid attempting to clear     memory at the NULL address if krb5_encrypt_helper     returns an error when called from encrypt_credencpart     (#1055329, pull #158)

  - drop patch to add additional access checks to ksu - they     shouldn't be resulting in any benefit

  - apply patch from Nikolai Kondrashov to pass a default     realm set in /etc/sysconfig/krb5kdc to the     kdb_check_weak helper, so that it doesn't produce an     error if there isn't one set in krb5.conf (#1009389)

  - packaging: don't Obsoletes: older versions of     krb5-pkinit-openssl and virtual Provide:
    krb5-pkinit-openssl on EL6, where we don't need to     bother with any of that (#1001961)

  - pkinit: backport tweaks to avoid trying to call the     prompter callback when one isn't set (part of #965721)

  - pkinit: backport the ability to use a prompter callback     to prompt for a password when reading private keys (the     rest of #965721)

  - backport fix to not spin on a short read when reading     the length of a response over TCP (RT#7508, #922884)

  - backport fix for trying all compatible keys when not     being strict about acceptor names while reading AP-REQs     (RT#7883, #1070244)

  - backport fix for not being able to verify the list of     transited realms in GSS acceptors (RT#7639, #959685)

  - pull fix for keeping track of the message type when     parsing FAST requests in the KDC (RT#7605, #951965)

  - incorporate upstream patch to fix a NULL pointer     dereference while processing certain TGS requests     (CVE-2013-1416, #950343)

  - incorporate upstream patch to fix a NULL pointer     dereference when the client supplies an     otherwise-normal-looking PKINIT request (CVE-2013-1415,     #917910)

  - add patch to avoid dereferencing a NULL pointer in the     KDC when handling a draft9 PKINIT request (#917910,     CVE-2012-1016)

  - pull up fix for UDP ping-pong flaw in kpasswd service     (CVE-2002-2443, 

  - don't leak the memory used to hold the previous entry     when walking a keytab to figure out which kinds of keys     we have (#911147)

This update fixes a kpasswd UDP ping-pong security bug (CVE-2002-2443).

The remote host is affected by the vulnerability described in GLSA-201312-12 (MIT Kerberos 5: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the Key Distribution       Center in MIT Kerberos 5. Please review the CVE identifiers referenced       below for details.
  Impact :

    A remote attacker could send a specially crafted request, possibly       resulting in execution of arbitrary code with the privileges of the       process or a Denial of Service condition. Additionally, a remote attacker       could impersonate a kadmind server and send a specially crafted packet to       the password change port, which can result in a ping-pong condition and a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

It was found that kadmind's kpasswd service did not perform any validation on incoming network packets, causing it to reply to all requests. A remote attacker could use this flaw to send spoofed packets to a kpasswd service that appear to come from kadmind on a different server, causing the services to keep replying packets to each other, consuming network bandwidth and CPU. (CVE-2002-2443)

This krb5 update fixes a security issue.

  - kpasswd UDP ping-pong (bug#825985 / CVE-2002-2443)

The remote Oracle Linux 5 / 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2013-0942 advisory.

    [1.10.3-10.3]
    - pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was found that kadmind's kpasswd service did not perform any validation on incoming network packets, causing it to reply to all requests. A remote attacker could use this flaw to send spoofed packets to a kpasswd service that appear to come from kadmind on a different server, causing the services to keep replying packets to each other, consuming network bandwidth and CPU. (CVE-2002-2443)

After installing the updated packages, the krb5kdc and kadmind daemons will be restarted automatically.

Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 5 and 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

It was found that kadmind's kpasswd service did not perform any validation on incoming network packets, causing it to reply to all requests. A remote attacker could use this flaw to send spoofed packets to a kpasswd service that appear to come from kadmind on a different server, causing the services to keep replying packets to each other, consuming network bandwidth and CPU. (CVE-2002-2443)

All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc and kadmind daemons will be restarted automatically.

No advisory has been released yet.

schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. [CVE-2002-2443].

It was discovered that the kpasswd service running on UDP port 464 could respond to response packets, creating a packet loop and a denial of service condition.

This update pulls in the upstream fix for a UDP ping-pong vulnerability in the kpasswd service provided by kadmind (CVE-2002-2443), and modifies the client library to treat KRB5CCNAME values which begin with 'DIR::' in a way that's almost the same as the way it treats values which begin with 'DIR:'.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update pulls in the upstream fix for a UDP ping-pong vulnerability in the kpasswd service provided by kadmind (CVE-2002-2443).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A vulnerability has been discovered and corrected in krb5 :

The kpasswd service provided by kadmind was vulnerable to a UDP ping-pong attack (CVE-2002-2443).

The updated packages have been patched to correct this issue.

The remote host is running a Kerberos server that seems to be vulnerable to a 'ping-pong' attack. 

When contacted on the UDP port, this service always responds, even to malformed requests.  This makes it possible to involve it in a 'ping-pong' attack, in which an attacker spoofs a packet between two machines running this service, causing them to spew characters at each other, slowing the machines down and saturating the network.

ID	Name	Product	Family	Severity
266225	NewStart CGSL MAIN 6.06 : krb5 Multiple Vulnerabilities (NS-SA-2025-0215)	Nessus	NewStart CGSL Local Security Checks	critical
86872	Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2810-1)	Nessus	Ubuntu Local Security Checks	high
80652	Oracle Solaris Third-Party Patch Update : kerberos (cve_2002_2443_denial_of)	Nessus	Solaris Local Security Checks	high
79549	OracleVM 3.3 : krb5 (OVMSA-2014-0034)	Nessus	OracleVM Local Security Checks	high
75067	openSUSE Security Update : krb5 (openSUSE-SU-2013:1119-1)	Nessus	SuSE Local Security Checks	medium
71487	GLSA-201312-12 : MIT Kerberos 5: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69766	Amazon Linux AMI : krb5 (ALAS-2013-208)	Nessus	Amazon Linux Local Security Checks	medium
68877	SuSE 10 Security Update : krb5 (ZYPP Patch Number 8631)	Nessus	SuSE Local Security Checks	medium
68875	SuSE 11.2 / 11.3 Security Update : krb5 (SAT Patch Numbers 7962 / 7968)	Nessus	SuSE Local Security Checks	medium
68835	Oracle Linux 5 / 6 : krb5 (ELSA-2013-0942)	Nessus	Oracle Linux Local Security Checks	high
66891	Scientific Linux Security Update : krb5 on SL5.x, SL6.x i386/x86_64 (20130612)	Nessus	Scientific Linux Local Security Checks	medium
66888	CentOS 5 / 6 : krb5 (CESA-2013:0942)	Nessus	CentOS Local Security Checks	medium
66883	RHEL 5 / 6 : krb5 (RHSA-2013:0942)	Nessus	Red Hat Local Security Checks	medium
66777	FreeBSD : krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443] (e3f64457-cccd-11e2-af76-206a8a720317)	Nessus	FreeBSD Local Security Checks	medium
66768	Debian DSA-2701-1 : krb5 - denial of service	Nessus	Debian Local Security Checks	medium
66597	Fedora 19 : krb5-1.11.2-6.fc19 (2013-8113)	Nessus	Fedora Local Security Checks	medium
66579	Fedora 17 : krb5-1.10.2-12.fc17 (2013-8219)	Nessus	Fedora Local Security Checks	medium
66535	Mandriva Linux Security Advisory : krb5 (MDVSA-2013:166)	Nessus	Mandriva Local Security Checks	medium
66534	Fedora 18 : krb5-1.10.3-17.fc18 (2013-8212)	Nessus	Fedora Local Security Checks	medium
10640	Kerberos Server Spoofed Packet Amplification DoS (PingPong)	Nessus	Misc.	high

Detections

Analytics

CVE-2002-2443

high

Tenable Plugins

critical

high

high

high

medium

high

medium

medium

medium

high

medium

medium

medium

medium

medium

medium

medium

medium

medium

high