The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.

The remote Solaris system is missing necessary patches to address security updates :

  - schpw.c in the kpasswd service in kadmind in MIT     Kerberos 5 (aka krb5) before 1.11.3 does not properly     validate UDP packets before sending responses, which     allows remote attackers to cause a denial of service     (CPU and bandwidth consumption) via a forged packet that     triggers a communication loop, as demonstrated by     krb_pingpong.nasl, a related issue to CVE-1999-0103.
    (CVE-2002-2443)

  - The pkinit_server_return_padata function in     plugins/preauth/pkinit/pkinit_srv.c in the PKINIT     implementation in the Key Distribution Center (KDC) in     MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find     an agility KDF identifier in inappropriate     circumstances, which allows remote attackers to cause a     denial of service (NULL pointer dereference and daemon     crash) via a crafted Draft 9 request. (CVE-2012-1016)

  - The pkinit_check_kdc_pkid function in     plugins/preauth/pkinit/ pkinit_crypto_openssl.c in the     PKINIT implementation in the Key Distribution Center     (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and     1.11.x before 1.11.1 does not properly handle errors     during extraction of fields from an X.509 certificate,     which allows remote attackers to cause a denial of     service (NULL pointer dereference and daemon crash) via     a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.
    (CVE-2013-1415)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - actually apply that last patch

  - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345,     #1128157)

  - ksu: when evaluating .k5users, don't throw away data     from .k5users when we're not passed a command to run,     which implicitly means we're attempting to run the     target user's shell (#1026721, revised)

  - ksu: when evaluating .k5users, treat lines with just a     principal name as if they contained the principal name     followed by '*', and don't throw away data from .k5users     when we're not passed a command to run, which implicitly     means we're attempting to run the target user's shell     (#1026721, revised)

  - gssapi: pull in upstream fix for a possible NULL     dereference in spnego (CVE-2014-4344, #1121510)

  - gssapi: pull in proposed-and-accepted fix for a double     free in initiators (David Woodhouse, CVE-2014-4343,     #1121510)

  - correct a type mistake in the backported fix for     (CVE-2013-1418, CVE-2013-6800)

  - pull in backported fix for denial of service by     injection of malformed GSSAPI tokens (CVE-2014-4341,     CVE-2014-4342, #1121510)

  - incorporate backported patch for remote crash of KDCs     which serve multiple realms simultaneously (RT#7756,     CVE-2013-1418/CVE-2013-6800, more of

  - pull in backport of patch to not subsequently always     require that responses come from master KDCs if we get     one from a master somewhere along the way while chasing     referrals (RT#7650, #1113652)

  - ksu: if the -e flag isn't used, use the target user's     shell when checking for authorization via the target     user's .k5users file (#1026721)

  - define _GNU_SOURCE in files where we use EAI_NODATA, to     make sure that it's declared (#1059730)

  - spnego: pull in patch from master to restore preserving     the OID of the mechanism the initiator requested when we     have multiple OIDs for the same mechanism, so that we     reply using the same mechanism OID and the initiator     doesn't get confused (#1087068, RT#7858)

  - add patch from Jatin Nansi to avoid attempting to clear     memory at the NULL address if krb5_encrypt_helper     returns an error when called from encrypt_credencpart     (#1055329, pull #158)

  - drop patch to add additional access checks to ksu - they     shouldn't be resulting in any benefit

  - apply patch from Nikolai Kondrashov to pass a default     realm set in /etc/sysconfig/krb5kdc to the     kdb_check_weak helper, so that it doesn't produce an     error if there isn't one set in krb5.conf (#1009389)

  - packaging: don't Obsoletes: older versions of     krb5-pkinit-openssl and virtual Provide:
    krb5-pkinit-openssl on EL6, where we don't need to     bother with any of that (#1001961)

  - pkinit: backport tweaks to avoid trying to call the     prompter callback when one isn't set (part of #965721)

  - pkinit: backport the ability to use a prompter callback     to prompt for a password when reading private keys (the     rest of #965721)

  - backport fix to not spin on a short read when reading     the length of a response over TCP (RT#7508, #922884)

  - backport fix for trying all compatible keys when not     being strict about acceptor names while reading AP-REQs     (RT#7883, #1070244)

  - backport fix for not being able to verify the list of     transited realms in GSS acceptors (RT#7639, #959685)

  - pull fix for keeping track of the message type when     parsing FAST requests in the KDC (RT#7605, #951965)

  - incorporate upstream patch to fix a NULL pointer     dereference while processing certain TGS requests     (CVE-2013-1416, #950343)

  - incorporate upstream patch to fix a NULL pointer     dereference when the client supplies an     otherwise-normal-looking PKINIT request (CVE-2013-1415,     #917910)

  - add patch to avoid dereferencing a NULL pointer in the     KDC when handling a draft9 PKINIT request (#917910,     CVE-2012-1016)

  - pull up fix for UDP ping-pong flaw in kpasswd service     (CVE-2002-2443, 

  - don't leak the memory used to hold the previous entry     when walking a keytab to figure out which kinds of keys     we have (#911147)

It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1016)

It was discovered that Kerberos incorrectly handled certain malformed KRB5_PADATA_PK_AS_REQ AS-REQ requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1415)

It was discovered that Kerberos incorrectly handled certain crafted TGS-REQ requests. A remote authenticated attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2013-1416)

It was discovered that Kerberos incorrectly handled certain crafted requests when multiple realms were configured. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1418, CVE-2013-6800)

It was discovered that Kerberos incorrectly handled certain invalid tokens. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4341, CVE-2014-4342)

It was discovered that Kerberos incorrectly handled certain mechanisms when used with SPNEGO. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause clients to crash, resulting in a denial of service. (CVE-2014-4343)

It was discovered that Kerberos incorrectly handled certain continuation tokens during SPNEGO negotiations. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4344)

Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon incorrectly handled buffers when used with the LDAP backend. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-4345).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

krb5 was updated to fix security issues in PKINIT :

  - fix PKINIT NULL pointer deref in pkinit_check_kdc_pkid()     (CVE-2012-1016 bnc#807556)

  - fix PKINIT NULL pointer deref (CVE-2013-1415 bnc#806715)

Also package a missing file on 12.3 (bnc#794784).

From Red Hat Security Advisory 2013:0656 :

Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415)

When a client attempts to use PKINIT to obtain credentials from the KDC, the client will typically format its request to conform to the specification published in RFC 4556. For interoperability reasons, clients and servers also provide support for an older, draft version of that specification. If a client formatted its request to conform to this older version of the specification, with a non-default key agreement option, it could cause the KDC to attempt to dereference a NULL pointer and crash. (CVE-2012-1016)

All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

Multiple vulnerabilities has been discovered and corrected in krb5 :

Fix a kadmind denial of service issue (NULL pointer dereference), which could only be triggered by an administrator with the create privilege (CVE-2012-1013).

The MIT krb5 KDC (Key Distribution Center) daemon can free an uninitialized pointer while processing an unusual AS-REQ, corrupting the process heap and possibly causing the daemon to abnormally terminate. An attacker could use this vulnerability to execute malicious code, but exploiting frees of uninitialized pointers to execute code is believed to be difficult. It is possible that a legitimate client that is misconfigured in an unusual way could trigger this vulnerability (CVE-2012-1015).

It was reported that the KDC plugin for PKINIT could dereference a NULL pointer when a malformed packet caused processing to terminate early, which led to a crash of the KDC process. An attacker would require a valid PKINIT certificate or have observed a successful PKINIT authentication to execute a successful attack. In addition, an unauthenticated attacker could execute the attack of anonymouse PKINIT was enabled (CVE-2013-1415).

The updated packages have been patched to correct these issues.

This update for Kerberos 5 fixes one security issue :

The KDC plugin for PKINIT can dereference a NULL pointer when processing malformed packets, leading to a crash of the KDC process.
(bnc#806715, CVE-2013-1415)

Additionally, it improves compatibility with processes that handle large numbers of open files. (bnc#787272)

This update incorporates the upstream fix for possible NULL pointer dereferences which could occur if a client sent a malformed PKINIT request to a KDC (CVE-2013-1415), or if a client sent a draft9 PKINIT request to a KDC (CVE-2012-1016).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415)

When a client attempts to use PKINIT to obtain credentials from the KDC, the client will typically format its request to conform to the specification published in RFC 4556. For interoperability reasons, clients and servers also provide support for an older, draft version of that specification. If a client formatted its request to conform to this older version of the specification, with a non-default key agreement option, it could cause the KDC to attempt to dereference a NULL pointer and crash. (CVE-2012-1016)

All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415)

When a client attempts to use PKINIT to obtain credentials from the KDC, the client will typically format its request to conform to the specification published in RFC 4556. For interoperability reasons, clients and servers also provide support for an older, draft version of that specification. If a client formatted its request to conform to this older version of the specification, with a non-default key agreement option, it could cause the KDC to attempt to dereference a NULL pointer and crash. (CVE-2012-1016)

After installing the updated packages, the krb5kdc daemon will be restarted automatically.

No advisory has been released yet.

Fix a NULL pointer dereference in the KDC PKINIT code [CVE-2013-1415].

ID	Name	Product	Family	Severity
80652	Oracle Solaris Third-Party Patch Update : kerberos (cve_2002_2443_denial_of)	Nessus	Solaris Local Security Checks	high
79549	OracleVM 3.3 : krb5 (OVMSA-2014-0034)	Nessus	OracleVM Local Security Checks	high
77147	Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2310-1)	Nessus	Ubuntu Local Security Checks	critical
74931	openSUSE Security Update : krb5 (openSUSE-SU-2013:0498-1)	Nessus	SuSE Local Security Checks	high
68792	Oracle Linux 6 : krb5 (ELSA-2013-0656)	Nessus	Oracle Linux Local Security Checks	high
66056	Mandriva Linux Security Advisory : krb5 (MDVSA-2013:042)	Nessus	Mandriva Local Security Checks	high
65717	SuSE 11.2 Security Update : Kerberos 5 (SAT Patch Number 7446)	Nessus	SuSE Local Security Checks	high
65657	Fedora 18 : krb5-1.10.3-14.fc18 (2013-3147)	Nessus	Fedora Local Security Checks	high
65618	CentOS 6 : krb5 (CESA-2013:0656)	Nessus	CentOS Local Security Checks	high
65606	Scientific Linux Security Update : krb5 on SL6.x i386/x86_64 (20130318)	Nessus	Scientific Linux Local Security Checks	high
65605	RHEL 6 : krb5 (RHSA-2013:0656)	Nessus	Red Hat Local Security Checks	high
65589	Fedora 17 : krb5-1.10.2-9.fc17 (2013-3116)	Nessus	Fedora Local Security Checks	high
64860	FreeBSD : krb5 -- NULL pointer dereference in the KDC PKINIT code [CVE-2013-1415] (f54584bc-7d2b-11e2-9bd1-206a8a720317)	Nessus	FreeBSD Local Security Checks	high

Detections

Analytics

CVE-2013-1415

high

Tenable Plugins

high

high

critical

high

high

high

high

high

high

high

high

high

high