Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator.

A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database.
A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)

A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) call the gss_process_context_token() function could use this flaw to crash that application. (CVE-2014-5352)

If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker with the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.
(CVE-2014-5353)

A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets. (CVE-2014-9421)

It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)

An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS implementation (libgssrpc) handled certain requests. An attacker could send a specially crafted request to an application using libgssrpc to disclose a limited portion of uninitialized memory used by that application. (CVE-2014-9423)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application. (CVE-2014-4341, CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)

The krb5 packages have been upgraded to upstream version 1.12, which provides a number of bug fixes and enhancements, including :

  - Added plug-in interfaces for principal-to-username     mapping and verifying authorization to user accounts.

  - When communicating with a KDC over a connected TCP or     HTTPS socket, the client gives the KDC more time to     reply before it transmits the request to another server.

This update also fixes multiple bugs, for example :

  - The Kerberos client library did not recognize certain     exit statuses that the resolver libraries could return     when looking up the addresses of servers configured in     the /etc/krb5.conf file or locating Kerberos servers     using DNS service location. The library could treat     non-fatal return codes as fatal errors. Now, the library     interprets the specific return codes correctly.

In addition, this update adds various enhancements. Among others :

  - Added support for contacting KDCs and kpasswd servers     through HTTPS proxies implementing the Kerberos KDC     Proxy (KKDCP) protocol.

Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems :

CVE-2014-4341

An unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when attempting to read beyond the end of a buffer.

CVE-2014-4342

An unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when reading beyond the end of a buffer or by causing a NULL pointer dereference.

CVE-2014-4343

An unauthenticated remote attacker with the ability to spoof packets appearing to be from a GSSAPI acceptor can cause a double-free condition in GSSAPI initiators (clients) which are using the SPNEGO mechanism, by returning a different underlying mechanism than was proposed by the initiator. A remote attacker could exploit this flaw to cause an application crash or potentially execute arbitrary code.

CVE-2014-4344

An unauthenticated or partially authenticated remote attacker can cause a NULL dereference and application crash during a SPNEGO negotiation by sending an empty token as the second or later context token from initiator to acceptor.

CVE-2014-4345

When kadmind is configured to use LDAP for the KDC database, an authenticated remote attacker can cause it to perform an out-of-bounds write (buffer overflow).

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated krb5 packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC.

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
(CVE-2014-4344)

A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database.
A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)

A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) call the gss_process_context_token() function could use this flaw to crash that application. (CVE-2014-5352)

If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker with the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.
(CVE-2014-5353)

A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets. (CVE-2014-9421)

It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)

An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS implementation (libgssrpc) handled certain requests. An attacker could send a specially crafted request to an application using libgssrpc to disclose a limited portion of uninitialized memory used by that application. (CVE-2014-9423)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application. (CVE-2014-4341, CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)

Red Hat would like to thank the MIT Kerberos project for reporting the CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues.
MIT Kerberos project acknowledges Nico Williams for helping with the analysis of CVE-2014-5352.

The krb5 packages have been upgraded to upstream version 1.12, which provides a number of bug fixes and enhancements, including :

* Added plug-in interfaces for principal-to-username mapping and verifying authorization to user accounts.

* When communicating with a KDC over a connected TCP or HTTPS socket, the client gives the KDC more time to reply before it transmits the request to another server. (BZ#1049709, BZ#1127995)

This update also fixes multiple bugs, for example :

* The Kerberos client library did not recognize certain exit statuses that the resolver libraries could return when looking up the addresses of servers configured in the /etc/krb5.conf file or locating Kerberos servers using DNS service location. The library could treat non-fatal return codes as fatal errors. Now, the library interprets the specific return codes correctly. (BZ#1084068, BZ#1109102)

In addition, this update adds various enhancements. Among others :

* Added support for contacting KDCs and kpasswd servers through HTTPS proxies implementing the Kerberos KDC Proxy (KKDCP) protocol.
(BZ#1109919)

From Red Hat Security Advisory 2015:0439 :

Updated krb5 packages that fix multiple security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC.

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
(CVE-2014-4344)

A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database.
A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)

A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) call the gss_process_context_token() function could use this flaw to crash that application. (CVE-2014-5352)

If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker with the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.
(CVE-2014-5353)

A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets. (CVE-2014-9421)

It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)

An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS implementation (libgssrpc) handled certain requests. An attacker could send a specially crafted request to an application using libgssrpc to disclose a limited portion of uninitialized memory used by that application. (CVE-2014-9423)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application. (CVE-2014-4341, CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)

Red Hat would like to thank the MIT Kerberos project for reporting the CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues.
MIT Kerberos project acknowledges Nico Williams for helping with the analysis of CVE-2014-5352.

The krb5 packages have been upgraded to upstream version 1.12, which provides a number of bug fixes and enhancements, including :

* Added plug-in interfaces for principal-to-username mapping and verifying authorization to user accounts.

* When communicating with a KDC over a connected TCP or HTTPS socket, the client gives the KDC more time to reply before it transmits the request to another server. (BZ#1049709, BZ#1127995)

This update also fixes multiple bugs, for example :

* The Kerberos client library did not recognize certain exit statuses that the resolver libraries could return when looking up the addresses of servers configured in the /etc/krb5.conf file or locating Kerberos servers using DNS service location. The library could treat non-fatal return codes as fatal errors. Now, the library interprets the specific return codes correctly. (BZ#1084068, BZ#1109102)

In addition, this update adds various enhancements. Among others :

* Added support for contacting KDCs and kpasswd servers through HTTPS proxies implementing the Kerberos KDC Proxy (KKDCP) protocol.
(BZ#1109919)

The remote host is affected by the vulnerability described in GLSA-201412-53 (MIT Kerberos 5: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - actually apply that last patch

  - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345,     #1128157)

  - ksu: when evaluating .k5users, don't throw away data     from .k5users when we're not passed a command to run,     which implicitly means we're attempting to run the     target user's shell (#1026721, revised)

  - ksu: when evaluating .k5users, treat lines with just a     principal name as if they contained the principal name     followed by '*', and don't throw away data from .k5users     when we're not passed a command to run, which implicitly     means we're attempting to run the target user's shell     (#1026721, revised)

  - gssapi: pull in upstream fix for a possible NULL     dereference in spnego (CVE-2014-4344, #1121510)

  - gssapi: pull in proposed-and-accepted fix for a double     free in initiators (David Woodhouse, CVE-2014-4343,     #1121510)

  - correct a type mistake in the backported fix for     (CVE-2013-1418, CVE-2013-6800)

  - pull in backported fix for denial of service by     injection of malformed GSSAPI tokens (CVE-2014-4341,     CVE-2014-4342, #1121510)

  - incorporate backported patch for remote crash of KDCs     which serve multiple realms simultaneously (RT#7756,     CVE-2013-1418/CVE-2013-6800, more of

  - pull in backport of patch to not subsequently always     require that responses come from master KDCs if we get     one from a master somewhere along the way while chasing     referrals (RT#7650, #1113652)

  - ksu: if the -e flag isn't used, use the target user's     shell when checking for authorization via the target     user's .k5users file (#1026721)

  - define _GNU_SOURCE in files where we use EAI_NODATA, to     make sure that it's declared (#1059730)

  - spnego: pull in patch from master to restore preserving     the OID of the mechanism the initiator requested when we     have multiple OIDs for the same mechanism, so that we     reply using the same mechanism OID and the initiator     doesn't get confused (#1087068, RT#7858)

  - add patch from Jatin Nansi to avoid attempting to clear     memory at the NULL address if krb5_encrypt_helper     returns an error when called from encrypt_credencpart     (#1055329, pull #158)

  - drop patch to add additional access checks to ksu - they     shouldn't be resulting in any benefit

  - apply patch from Nikolai Kondrashov to pass a default     realm set in /etc/sysconfig/krb5kdc to the     kdb_check_weak helper, so that it doesn't produce an     error if there isn't one set in krb5.conf (#1009389)

  - packaging: don't Obsoletes: older versions of     krb5-pkinit-openssl and virtual Provide:
    krb5-pkinit-openssl on EL6, where we don't need to     bother with any of that (#1001961)

  - pkinit: backport tweaks to avoid trying to call the     prompter callback when one isn't set (part of #965721)

  - pkinit: backport the ability to use a prompter callback     to prompt for a password when reading private keys (the     rest of #965721)

  - backport fix to not spin on a short read when reading     the length of a response over TCP (RT#7508, #922884)

  - backport fix for trying all compatible keys when not     being strict about acceptor names while reading AP-REQs     (RT#7883, #1070244)

  - backport fix for not being able to verify the list of     transited realms in GSS acceptors (RT#7639, #959685)

  - pull fix for keeping track of the message type when     parsing FAST requests in the KDC (RT#7605, #951965)

  - incorporate upstream patch to fix a NULL pointer     dereference while processing certain TGS requests     (CVE-2013-1416, #950343)

  - incorporate upstream patch to fix a NULL pointer     dereference when the client supplies an     otherwise-normal-looking PKINIT request (CVE-2013-1415,     #917910)

  - add patch to avoid dereferencing a NULL pointer in the     KDC when handling a draft9 PKINIT request (#917910,     CVE-2012-1016)

  - pull up fix for UDP ping-pong flaw in kpasswd service     (CVE-2002-2443, 

  - don't leak the memory used to hold the previous entry     when walking a keytab to figure out which kinds of keys     we have (#911147)

It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418 , CVE-2013-6800)

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
(CVE-2014-4344)

A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database.
A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.
(CVE-2014-4341 , CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)

Updated krb5 packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC.

It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418, CVE-2013-6800)

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
(CVE-2014-4344)

A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database.
A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.
(CVE-2014-4341, CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)

These updated krb5 packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes.

All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418, CVE-2013-6800)

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
(CVE-2014-4344)

A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database.
A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.
(CVE-2014-4341, CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)

From Red Hat Security Advisory 2014:1389 :

Updated krb5 packages that fix multiple security issues and several bugs are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC.

It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418, CVE-2013-6800)

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application.
(CVE-2014-4344)

A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database.
A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use either of these flaws to crash the application.
(CVE-2014-4341, CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)

These updated krb5 packages also include several bug fixes. Space precludes documenting all of these changes in this advisory. Users are directed to the Red Hat Enterprise Linux 6.6 Technical Notes, linked to in the References section, for information on the most significant of these changes.

All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.

Double free vulnerability in the init_ctx_reselect function in the SPNEGO initiator in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.10.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (memory corruption) or possibly execute arbitrary code via network traffic that appears to come from an intended acceptor, but specifies a security mechanism different from the one proposed by the initiator. (CVE-2014-4343)

The version of the Network Authentication Service (NAS) installed on the remote AIX host is affected by the following vulnerabilities related to Kerberos 5 :

  - An attacker can cause a denial of service (buffer     over-read and application crash) by injecting invalid     tokens into a GSSAPI application session.
    (CVE-2014-4341)

  - An attacker with the ability to spoof packets appearing     to be from a GSSAPI acceptor can cause a denial of     service or execute arbitrary code by using a double-free     condition in GSSAPI initiators (clients) which are using     the SPNEGO mechanism, by returning a different     underlying mechanism than was proposed by the initiator.
    (CVE-2014-4343)

  - An attacker can cause a denial of service through a NULL     pointer dereference and application crash during a     SPNEGO negotiation, by sending an empty token as the     second or later context token from initiator to     acceptor. (CVE-2014-4344)

It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1016)

It was discovered that Kerberos incorrectly handled certain malformed KRB5_PADATA_PK_AS_REQ AS-REQ requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1415)

It was discovered that Kerberos incorrectly handled certain crafted TGS-REQ requests. A remote authenticated attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS.
(CVE-2013-1416)

It was discovered that Kerberos incorrectly handled certain crafted requests when multiple realms were configured. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1418, CVE-2013-6800)

It was discovered that Kerberos incorrectly handled certain invalid tokens. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4341, CVE-2014-4342)

It was discovered that Kerberos incorrectly handled certain mechanisms when used with SPNEGO. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause clients to crash, resulting in a denial of service. (CVE-2014-4343)

It was discovered that Kerberos incorrectly handled certain continuation tokens during SPNEGO negotiations. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4344)

Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon incorrectly handled buffers when used with the LDAP backend. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service, or possibly execute arbitrary code.
(CVE-2014-4345).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The following security issues have been fixed in kerberos 5 :

  - Two denial of service flaws when handling RFC 1964     tokens. (CVE-2014-4341 / CVE-2014-4342)

  - Multiple flaws in SPNEGO. (CVE-2014-4343 /     CVE-2014-4344)

The following security isses are fixed in this update :

CVE-2014-4341 CVE-2014-4342: denial of service flaws when handling RFC 1964 tokens (bnc#886016)

CVE-2014-4343 CVE-2014-4344: multiple flaws in SPNEGO (bnc#888697)

Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2014-4341     An unauthenticated remote attacker with the ability to     inject packets into a legitimately established GSSAPI     application session can cause a program crash due to     invalid memory references when attempting to read beyond     the end of a buffer.

  - CVE-2014-4342     An unauthenticated remote attacker with the ability to     inject packets into a legitimately established GSSAPI     application session can cause a program crash due to     invalid memory references when reading beyond the end of     a buffer or by causing a NULL pointer dereference.

  - CVE-2014-4343     An unauthenticated remote attacker with the ability to     spoof packets appearing to be from a GSSAPI acceptor can     cause a double-free condition in GSSAPI initiators     (clients) which are using the SPNEGO mechanism, by     returning a different underlying mechanism than was     proposed by the initiator. A remote attacker could     exploit this flaw to cause an application crash or     potentially execute arbitrary code.

  - CVE-2014-4344     An unauthenticated or partially authenticated remote     attacker can cause a NULL dereference and application     crash during a SPNEGO negotiation by sending an empty     token as the second or later context token from     initiator to acceptor.

  - CVE-2014-4345     When kadmind is configured to use LDAP for the KDC     database, an authenticated remote attacker can cause it     to perform an out-of-bounds write (buffer overflow).

This update incorporates backported upstream fixes for potential crashes caused by attempts to process malformed GSSAPI messages (CVE-2014-4341, CVE-2014-4342). It also incorporates fexes for a possible double-free (CVE-2014-4343) and a possible NULL pointer dereference (CVE-2014-4344) in GSSAPI clients.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
82255	Scientific Linux Security Update : krb5 on SL7.x x86_64 (20150305)	Nessus	Scientific Linux Local Security Checks	high
82185	Debian DLA-37-1 : krb5 security update	Nessus	Debian Local Security Checks	high
81896	CentOS 7 : krb5 (CESA-2015:0439)	Nessus	CentOS Local Security Checks	high
81805	Oracle Linux 7 : krb5 (ELSA-2015-0439)	Nessus	Oracle Linux Local Security Checks	high
81637	RHEL 7 : krb5 (RHSA-2015:0439)	Nessus	Red Hat Local Security Checks	high
80328	GLSA-201412-53 : MIT Kerberos 5: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
79549	OracleVM 3.3 : krb5 (OVMSA-2014-0034)	Nessus	OracleVM Local Security Checks	high
79292	Amazon Linux AMI : krb5 (ALAS-2014-443)	Nessus	Amazon Linux Local Security Checks	high
79178	CentOS 6 : krb5 (CESA-2014:1389)	Nessus	CentOS Local Security Checks	high
78846	Scientific Linux Security Update : krb5 on SL6.x i386/x86_64 (20141014)	Nessus	Scientific Linux Local Security Checks	high
78523	Oracle Linux 6 : krb5 (ELSA-2014-1389)	Nessus	Oracle Linux Local Security Checks	high
78406	RHEL 6 : krb5 (RHSA-2014:1389)	Nessus	Red Hat Local Security Checks	high
78194	F5 Networks BIG-IP : Kerberos vulnerability (K15553)	Nessus	F5 Networks Local Security Checks	high
77532	AIX NAS Advisory : nas_advisory1.asc	Nessus	AIX Local Security Checks	high
77147	Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2310-1)	Nessus	Ubuntu Local Security Checks	critical
77145	SuSE 11.3 Security Update : krb5 (SAT Patch Number 9564)	Nessus	SuSE Local Security Checks	high
77130	openSUSE Security Update : krb5 (openSUSE-SU-2014:0977-1)	Nessus	SuSE Local Security Checks	high
77101	Debian DSA-3000-1 : krb5 - security update	Nessus	Debian Local Security Checks	high
77063	Fedora 20 : krb5-1.11.5-10.fc20 (2014-8189)	Nessus	Fedora Local Security Checks	high
77062	Fedora 19 : krb5-1.11.3-24.fc19 (2014-8176)	Nessus	Fedora Local Security Checks	high

Detections

Analytics

CVE-2014-4343

high

Tenable Plugins

high

high

high

high

high

high

high

high

high

high

high

high

high

high

critical

high

high

high

high

high