The process_tgs_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS request that triggers an error other than the KRB5_KDB_NOENTRY error.

The remote NewStart CGSL host, running version MAIN 6.06, has krb5 packages installed that are affected by multiple vulnerabilities:

  - plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles     Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial     of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related     to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use     cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin     code that is specific to Red Hat. (CVE-2017-15088)

  - The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT     Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute     arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error     condition. (CVE-2011-0285)

  - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly     validate UDP packets before sending responses, which allows remote attackers to cause a denial of service     (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by     krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443)

  - The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b)     Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to     gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known     whether an exploitable attack scenario exists for these issues. (CVE-2006-3084)

  - The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration     daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in     freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute     arbitrary code via unspecified vectors. (CVE-2006-6143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

- fix KDC NULL pointer dereference in TGS handling     (MITKRB5-SA-2011-007, bnc#730393) CVE-2011-1530

  - fix KDC HA feature introduced with implementing KDC poll     (RT#6951)

  - fix minor error messages for the IAKERB GSSAPI mechanism     (see:
    http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)

  - fix KDC NULL pointer dereference in TGS handling     (MITKRB5-SA-2011-007, bnc#730393) CVE-2011-1530

  - fix KDC HA feature introduced with implementing KDC poll     (RT#6951, bnc#731648)

  - fix minor error messages for the IAKERB GSSAPI mechanism     (see:
    http://krbdev.mit.edu/rt/Ticket/Display.html?id=7020)

A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2011-1530)

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2011-1790 advisory.

    [1.9-22.1]
    - add candidate patch to fix a NULL pointer dereference while processing TGS       requests (MITKRB5-SA-2011-007, #754046)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A vulnerability has been discovered and corrected in krb5 :

The process_tgs_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.2 allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS request that triggers an error other than the KRB5_KDB_NOENTRY error (CVE-2011-1530).

The updated packages have been patched to correct this issue.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC).

A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2011-1530)

All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

The remote host is affected by the vulnerability described in GLSA-201201-13 (MIT Kerberos 5: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to execute arbitrary code with the       privileges of the administration daemon or the Key Distribution Center       (KDC) daemon, cause a Denial of Service condition, or possibly obtain       sensitive information. Furthermore, a remote attacker may be able to       spoof Kerberos authorization, modify KDC responses, forge user data       messages, forge tokens, forge signatures, impersonate a client, modify       user-visible prompt text, or have other unspecified impact.
  Workaround :

    There is no known workaround at this time.

Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2011-1530)

Red Hat would like to thank the MIT Kerberos project for reporting this issue.

All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

The MIT Kerberos Team reports :

In releases krb5-1.9 and later, the KDC can crash due to a NULL pointer dereference in code that handles TGS (Ticket Granting Service) requests. The trigger condition is trivial to produce using unmodified client software, but requires the ability to authenticate as a principal in the KDC's realm.

Simo Sorce discovered that a NULL pointer dereference existed in the Kerberos Key Distribution Center (KDC). An authenticated remote attacker could use this to cause a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2011:1790 advisory.

  - krb5 (krb5kdc): NULL pointer dereference in the TGS handling (MITKRB5-SA-2011-007) (CVE-2011-1530)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
266225	NewStart CGSL MAIN 6.06 : krb5 Multiple Vulnerabilities (NS-SA-2025-0215)	Nessus	NewStart CGSL Local Security Checks	critical
74531	openSUSE Security Update : krb5 (openSUSE-2011-58)	Nessus	SuSE Local Security Checks	medium
69587	Amazon Linux AMI : krb5 (ALAS-2011-28)	Nessus	Amazon Linux Local Security Checks	medium
68400	Oracle Linux 6 : krb5 (ELSA-2011-1790)	Nessus	Oracle Linux Local Security Checks	medium
61939	Mandriva Linux Security Advisory : krb5 (MDVSA-2011:184)	Nessus	Mandriva Local Security Checks	medium
61190	Scientific Linux Security Update : krb5 on SL6.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	medium
57655	GLSA-201201-13 : MIT Kerberos 5: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
57375	CentOS 6 : krb5 (CESA-2011:1790)	Nessus	CentOS Local Security Checks	medium
57293	FreeBSD : krb5 -- KDC NULL pointer dereference in TGS handling (6c7d9a35-2608-11e1-89b4-001ec9578670)	Nessus	FreeBSD Local Security Checks	medium
57048	Ubuntu 11.10 : krb5 vulnerability (USN-1290-1)	Nessus	Ubuntu Local Security Checks	medium
57036	RHEL 6 : krb5 (RHSA-2011:1790)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2011-1530

medium

Tenable Plugins

critical

medium

medium

medium

medium

medium

medium

medium

medium

medium

medium