plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.

The remote NewStart CGSL host, running version MAIN 6.06, has krb5 packages installed that are affected by multiple vulnerabilities:

  - plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles     Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial     of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related     to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use     cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin     code that is specific to Red Hat. (CVE-2017-15088)

  - The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT     Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute     arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error     condition. (CVE-2011-0285)

  - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly     validate UDP packets before sending responses, which allows remote attackers to cause a denial of service     (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by     krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443)

  - The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b)     Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to     gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known     whether an exploitable attack scenario exists for these issues. (CVE-2006-3084)

  - The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration     daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in     freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute     arbitrary code via unspecified vectors. (CVE-2006-6143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

krb5 was updated to fix three security issues.

Remote authenticated users could cause denial of service.

These security issues were fixed :

  - CVE-2014-5353: NULL pointer dereference when using a     ticket policy name as password name (bsc#910457).

  - CVE-2014-5354: NULL pointer dereference when using     keyless entries (bsc#910458).

  - CVE-2014-5355: Denial of service in krb5_read_message     (bsc#918595).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

krb5 was updated to fix four security issues.

These security issues were fixed :

  - CVE-2014-5353: NULL pointer dereference when using a     ticket policy name as password name (bsc#910457).

  - CVE-2014-5354: NULL pointer dereference when using     keyless entries (bsc#910458).

  - CVE-2014-5355: Denial of service in krb5_read_message     (bsc#918595).

  - CVE-2015-2694: OTP and PKINIT kdcpreauth modules leading     to requires_preauth bypass (bsc#928978).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

krb5 was updated to fix three security issues.

Remote authenticated users could cause denial of service.

On openSUSE 13.1 and 13.2 krb5 was updated to fix the following vulnerabilities :

  - bnc#910457: CVE-2014-5353: NULL pointer dereference when     using a ticket policy name as password name

  - bnc#918595: CVE-2014-5355: krb5: denial of service in     krb5_read_message On openSUSE 13.1 krb5 was updated to     fix the following vulnerability :

  - bnc#910458: CVE-2014-5354: NULL pointer dereference when     using keyless entries

The MIT Kerberos team reports :

CVE-2014-5353: The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.

CVE-2014-5354: plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin 'add_principal -nokey' or 'purgekeys -all' command.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2498-1 advisory.

    It was discovered that Kerberos incorrectly sent old keys in response to a -randkey -keepold request. An     authenticated remote attacker could use this issue to forge tickets by leveraging administrative access.
    This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5351)

    It was discovered that the libgssapi_krb5 library incorrectly processed security context handles. A remote     attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
    (CVE-2014-5352)

    Patrik Kis discovered that Kerberos incorrectly handled LDAP queries with no results. An authenticated     remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service.
    (CVE-2014-5353)

    It was discovered that Kerberos incorrectly handled creating database entries for a keyless principal when     using LDAP. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in     a denial of service. (CVE-2014-5354)

    It was discovered that Kerberos incorrectly handled memory when processing XDR data. A remote attacker     could use this issue to cause kadmind to crash, resulting in a denial of service, or possibly execute     arbitrary code. (CVE-2014-9421)

    It was discovered that Kerberos incorrectly handled two-component server principals. A remote attacker     could use this issue to perform impersonation attacks. (CVE-2014-9422)

    It was discovered that the libgssrpc library leaked uninitialized bytes. A remote attacker could use this     issue to possibly obtain sensitive information. (CVE-2014-9423)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
266225	NewStart CGSL MAIN 6.06 : krb5 Multiple Vulnerabilities (NS-SA-2025-0215)	Nessus	NewStart CGSL Local Security Checks	critical
84979	SUSE SLED11 / SLES11 Security Update : krb5 (SUSE-SU-2015:1282-1)	Nessus	SuSE Local Security Checks	medium
84914	SUSE SLES12 Security Update : krb5 (SUSE-SU-2015:1276-1)	Nessus	SuSE Local Security Checks	medium
81965	openSUSE Security Update : krb5 (openSUSE-2015-246)	Nessus	SuSE Local Security Checks	medium
81331	FreeBSD : krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092 (3a888a1e-b321-11e4-83b2-206a8a720317)	Nessus	FreeBSD Local Security Checks	low
81297	Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2498-1)	Nessus	Ubuntu Local Security Checks	high

Detections

Analytics

CVE-2014-5354

medium

Tenable Plugins

critical

medium

medium

medium

low

high