http://advisories.mageia.org/MGASA-2014-0477.html

http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018

FEDORA-2014-11940

FEDORA-2015-2382

SUSE-SU-2015:0290

openSUSE-SU-2015:0255

GLSA-201412-53

MDVSA-2014:224

70380

1031003

USN-2498-1

https://bugzilla.redhat.com/show_bug.cgi?id=1145425

kerberos-cve20145351-sec-bypass(97028)

https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca

[debian-lts-announce] 20180131 [SECURITY] [DLA 1265-1] krb5 security update

Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues.

CVE-2013-1418 Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured.

CVE-2014-5351 Kerberos sends old keys in a response to a -randkey
-keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.

CVE-2014-5353 When the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.

CVE-2014-5355 Kerberos expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character,

CVE-2016-3119 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.

CVE-2016-3120 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.

For Debian 7 'Wheezy', these problems have been fixed in version 1.10.1+dfsg-5+deb7u9.

We recommend that you upgrade your krb5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MIT kerberos krb5 was updated to fix several security issues and bugs.

Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) sent old keys in a response to a -randkey -keepold request, which allowed remote authenticated users to forge tickets by leveraging administrative access.

  - CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library,     after gss_process_context_token() is used to process a     valid context deletion token, the caller was left with a     security context handle containing a dangling pointer.
    Further uses of this handle would have resulted in     use-after-free and double-free memory access violations.
    libgssrpc server applications such as kadmind were     vulnerable as they can be instructed to call     gss_process_context_token().

  - CVE-2014-9421: If the MIT krb5 kadmind daemon receives     invalid XDR data from an authenticated user, it may have     performed use-after-free and double-free memory access     violations while cleaning up the partial deserialization     results. Other libgssrpc server applications might also     been vulnerable if they contain insufficiently defensive     XDR functions.

  - CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly     accepted authentications to two-component server     principals whose first component is a left substring of     'kadmin' or whose realm is a left prefix of the default     realm.

  - CVE-2014-9423: libgssrpc applications including kadmind     output four or eight bytes of uninitialized memory to     the network as part of an unused 'handle' field in     replies to clients.

Bugs fixed :

  - Work around replay cache creation race; (bnc#898439).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423 Security fix for CVE-2014-5351

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

krb5 was updated to fix five security issues.

These security issues were fixed :

  - CVE-2014-5351: current keys returned when randomizing     the keys for a service principal (bnc#897874) 

  - CVE-2014-5352: An authenticated attacker could cause a     vulnerable application (including kadmind) to crash or     to execute arbitrary code (bnc#912002).

  - CVE-2014-9421: An authenticated attacker could cause     kadmind or other vulnerable server application to crash     or to execute arbitrary code (bnc#912002).

  - CVE-2014-9422: An attacker who possess the key of a     particularly named principal (such as 'kad/root') could     impersonate any user to kadmind and perform     administrative actions as that user (bnc#912002).

  - CVE-2014-9423: An attacker could attempt to glean     sensitive information from the four or eight bytes of     uninitialized data output by kadmind or other libgssrpc     server application. Because MIT krb5 generally sanitizes     memory containing krb5 keys before freeing it, it is     unlikely that kadmind would leak Kerberos key     information, but it is not impossible (bnc#912002).

This non-security issue was fixed :

  - Work around replay cache creation race (bnc#898439).

It was discovered that Kerberos incorrectly sent old keys in response to a -randkey -keepold request. An authenticated remote attacker could use this issue to forge tickets by leveraging administrative access.
This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5351)

It was discovered that the libgssapi_krb5 library incorrectly processed security context handles. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2014-5352)

Patrik Kis discovered that Kerberos incorrectly handled LDAP queries with no results. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service.
(CVE-2014-5353)

It was discovered that Kerberos incorrectly handled creating database entries for a keyless principal when using LDAP. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service. (CVE-2014-5354)

It was discovered that Kerberos incorrectly handled memory when processing XDR data. A remote attacker could use this issue to cause kadmind to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-9421)

It was discovered that Kerberos incorrectly handled two-component server principals. A remote attacker could use this issue to perform impersonation attacks. (CVE-2014-9422)

It was discovered that the libgssrpc library leaked uninitialized bytes. A remote attacker could use this issue to possibly obtain sensitive information. (CVE-2014-9423).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of the Network Authentication Service (NAS) installed on the remote AIX host is affected by a vulnerability related to Kerberos 5 which allows authenticated users to retrieve current keys, which can be used to forge tickets.

The remote host is affected by the vulnerability described in GLSA-201412-53 (MIT Kerberos 5: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

Updated krb5 packages fix security vulnerability :

The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access (CVE-2014-5351).

This update for krb5 fixes the following issues :

  - When randomizing the keys for a service principal,     current keys could be returned. (CVE-2014-5351)

  - klist -s crashes when handling multiple referral     entries. (bnc#890623)

Security fix for CVE-2014-5351

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
106536	Debian DLA-1265-1 : krb5 security update	Nessus	Debian Local Security Checks	medium
83683	SUSE SLED12 / SLES12 Security Update : krb5 (SUSE-SU-2015:0290-2)	Nessus	SuSE Local Security Checks	high
83682	SUSE SLES12 Security Update : krb5 (SUSE-SU-2015:0290-1)	Nessus	SuSE Local Security Checks	high
81705	Fedora 20 : krb5-1.11.5-18.fc20 (2015-2382)	Nessus	Fedora Local Security Checks	high
81304	openSUSE Security Update : krb5 (openSUSE-2015-128)	Nessus	SuSE Local Security Checks	high
81297	Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : krb5 vulnerabilities (USN-2498-1)	Nessus	Ubuntu Local Security Checks	high
81022	AIX NAS Advisory : nas_advisory2.asc	Nessus	AIX Local Security Checks	low
80328	GLSA-201412-53 : MIT Kerberos 5: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
79411	Mandriva Linux Security Advisory : krb5 (MDVSA-2014:224)	Nessus	Mandriva Local Security Checks	low
79232	SuSE 11.3 Security Update : krb5 (SAT Patch Number 9827)	Nessus	SuSE Local Security Checks	low
78100	Fedora 21 : krb5-1.12.2-9.fc21 (2014-11940)	Nessus	Fedora Local Security Checks	low

CVE-2014-5351

LOW

Description

References

Details

Risk Information

CVSS v2.0

Vulnerable Software

Configuration 1

Tenable Plugins

medium

high

high

high

high

high

low

high

low

low

low