http://krbdev.mit.edu/rt/Ticket/Display.html?id=8343

openSUSE-SU-2016:0406

openSUSE-SU-2016:0501

RHSA-2016:0493

RHSA-2016:0532

DSA-3466

http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html

1034916

https://github.com/krb5/krb5/commit/83ed75feba32e46f736fcce0d96a0445f29b96c2

An update of the krb5 package has been released.

An update of [krb5,linux] packages for PhotonOS has been released.

According to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities :

  - A memory leak flaw was found in the krb5_unparse_name()     function of the MIT Kerberos kadmind service. An     authenticated attacker could repeatedly send specially     crafted requests to the server, which could cause the     server to consume large amounts of memory resources,     ultimately leading to a denial of service due to memory     exhaustion.(CVE-2015-8631)

  - An out-of-bounds read flaw was found in the kadmind     service of MIT Kerberos. An authenticated attacker     could send a maliciously crafted message to force     kadmind to read beyond the end of allocated memory, and     write the memory contents to the KDC database if the     attacker has write permission, leading to information     disclosure. (CVE-2015-8629)

  - A NULL pointer dereference flaw was found in the     procedure used by the MIT Kerberos kadmind service to     store policies: the kadm5_create_principal_3() and     kadm5_modify_principal() function did not ensure that a     policy was given when KADM5_POLICY was set. An     authenticated attacker with permissions to modify the     database could use this flaw to add or modify a     principal with a policy set to NULL, causing the     kadmind service to crash. (CVE-2015-8630)

Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. (CVE-2015-8629)

A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() function did not ensure that a policy was given when KADM5_POLICY was set. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash. (CVE-2015-8630)

A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
(CVE-2015-8631)

Security Fix(es) :

  - A memory leak flaw was found in the krb5_unparse_name()     function of the MIT Kerberos kadmind service. An     authenticated attacker could repeatedly send specially     crafted requests to the server, which could cause the     server to consume large amounts of memory resources,     ultimately leading to a denial of service due to memory     exhaustion. (CVE-2015-8631)

  - An out-of-bounds read flaw was found in the kadmind     service of MIT Kerberos. An authenticated attacker could     send a maliciously crafted message to force kadmind to     read beyond the end of allocated memory, and write the     memory contents to the KDC database if the attacker has     write permission, leading to information disclosure.
    (CVE-2015-8629)

  - A NULL pointer dereference flaw was found in the     procedure used by the MIT Kerberos kadmind service to     store policies: the kadm5_create_principal_3() and     kadm5_modify_principal() function did not ensure that a     policy was given when KADM5_POLICY was set. An     authenticated attacker with permissions to modify the     database could use this flaw to add or modify a     principal with a policy set to NULL, causing the kadmind     service to crash. (CVE-2015-8630)

An update for krb5 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

Security Fix(es) :

* A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
(CVE-2015-8631)

* An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. (CVE-2015-8629)

* A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() function did not ensure that a policy was given when KADM5_POLICY was set. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash. (CVE-2015-8630)

The CVE-2015-8631 issue was discovered by Simo Sorce of Red Hat.

From Red Hat Security Advisory 2016:0532 :

An update for krb5 is now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section.

Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

Security Fix(es) :

* A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
(CVE-2015-8631)

* An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. (CVE-2015-8629)

* A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() function did not ensure that a policy was given when KADM5_POLICY was set. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash. (CVE-2015-8630)

The CVE-2015-8631 issue was discovered by Simo Sorce of Red Hat.

A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
(CVE-2015-8631)

An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. (CVE-2015-8629)

After installing the updated packages, running Kerberos services (krb5kdc, kadmin, and kprop) will be restarted automatically.

The remote OracleVM system is missing necessary patches to address critical security updates :

  - Fix (CVE-2015-8629, CVE-2015-8631)

  - Also fix a spec trigger issue that prevents building

  - Resolves: #1306973

Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC.

A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
(CVE-2015-8631)

An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. (CVE-2015-8629)

The CVE-2015-8631 issue was discovered by Simo Sorce of Red Hat.

All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, running Kerberos services (krb5kdc, kadmin, and kprop) will be restarted automatically.

From Red Hat Security Advisory 2016:0493 :

Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC.

A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion.
(CVE-2015-8631)

An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. (CVE-2015-8629)

The CVE-2015-8631 issue was discovered by Simo Sorce of Red Hat.

All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, running Kerberos services (krb5kdc, kadmin, and kprop) will be restarted automatically.

CVE-2015-8629

It was discovered that an authenticated attacker can cause kadmind to read beyond the end of allocated memory by sending a string without a terminating zero byte. Information leakage may be possible for an attacker with permission to modify the database.

CVE-2015-8631

It was discovered that an authenticated attacker can cause kadmind to leak memory by supplying a null principal name in a request which uses one. Repeating these requests will eventually cause kadmind to exhaust all available memory.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for krb5 fixes the following issues :

  - CVE-2015-8629: Information leak authenticated attackers     with permissions to modify the database (bsc#963968)

  - CVE-2015-8630: An authenticated attacker with permission     to modify a principal entry may have caused kadmind to     crash (bsc#963964)

  - CVE-2015-8631: An authenticated attacker could have     caused a memory leak in auditd by supplying a null     principal name in request (bsc#963975)

This update was imported from the SUSE:SLE-12:Update update project.

This update for krb5 fixes the following issues :

  - CVE-2015-8629: Information leak authenticated attackers     with permissions to modify the database (bsc#963968)

  - CVE-2015-8631: An authenticated attacker could have     caused a memory leak in auditd by supplying a null     principal name in request (bsc#963975)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for krb5 fixes the following issues :

  - CVE-2015-8629: Information leak authenticated attackers     with permissions to modify the database (bsc#963968)

  - CVE-2015-8630: An authenticated attacker with permission     to modify a principal entry may have caused kadmind to     crash (bsc#963964)

  - CVE-2015-8631: An authenticated attacker could have     caused a memory leak in auditd by supplying a null     principal name in request (bsc#963975)

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for krb5 fixes the following issues :

  - CVE-2015-8629: Information leak authenticated attackers     with permissions to modify the database (bsc#963968)

  - CVE-2015-8630: An authenticated attacker with permission     to modify a principal entry may have caused kadmind to     crash (bsc#963964)

  - CVE-2015-8631: An authenticated attacker could have     caused a memory leak in auditd by supplying a null     principal name in request (bsc#963975)

Several vulnerabilities were discovered in krb5, the MIT implementation of Kerberos. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2015-8629     It was discovered that an authenticated attacker can     cause kadmind to read beyond the end of allocated memory     by sending a string without a terminating zero byte.
    Information leakage may be possible for an attacker with     permission to modify the database.

  - CVE-2015-8630     It was discovered that an authenticated attacker with     permission to modify a principal entry can cause kadmind     to dereference a null pointer by supplying a null policy     value but including KADM5_POLICY in the mask.

  - CVE-2015-8631     It was discovered that an authenticated attacker can     cause kadmind to leak memory by supplying a null     principal name in a request which uses one. Repeating     these requests will eventually cause kadmind to exhaust     all available memory.

ID	Name	Product	Family	Severity
121679	Photon OS 1.0: Krb5 PHSA-2017-0011	Nessus	PhotonOS Local Security Checks	high
111860	Photon OS 1.0: Krb5 / Linux PHSA-2017-0011 (deprecated)	Nessus	PhotonOS Local Security Checks	high
99775	EulerOS 2.0 SP1 : krb5 (EulerOS-SA-2016-1012)	Nessus	Huawei Local Security Checks	medium
90633	Amazon Linux AMI : krb5 (ALAS-2016-691)	Nessus	Amazon Linux Local Security Checks	medium
90344	Scientific Linux Security Update : krb5 on SL7.x x86_64 (20160404)	Nessus	Scientific Linux Local Security Checks	medium
90299	RHEL 7 : krb5 (RHSA-2016:0532)	Nessus	Red Hat Local Security Checks	medium
90295	Oracle Linux 7 : krb5 (ELSA-2016-0532)	Nessus	Oracle Linux Local Security Checks	medium
90275	CentOS 7 : krb5 (CESA-2016:0532)	Nessus	CentOS Local Security Checks	medium
90145	Scientific Linux Security Update : krb5 on SL6.x i386/x86_64 (20160323)	Nessus	Scientific Linux Local Security Checks	medium
90138	OracleVM 3.3 / 3.4 : krb5 (OVMSA-2016-0039)	Nessus	OracleVM Local Security Checks	medium
90122	CentOS 6 : krb5 (CESA-2016:0493)	Nessus	CentOS Local Security Checks	medium
90116	RHEL 6 : krb5 (RHSA-2016:0493)	Nessus	Red Hat Local Security Checks	medium
90112	Oracle Linux 6 : krb5 (ELSA-2016-0493)	Nessus	Oracle Linux Local Security Checks	medium
88886	Debian DLA-423-1 : krb5 security update	Nessus	Debian Local Security Checks	medium
88854	openSUSE Security Update : krb5 (openSUSE-2016-230)	Nessus	SuSE Local Security Checks	medium
88708	SUSE SLED11 / SLES11 Security Update : krb5 (SUSE-SU-2016:0430-1)	Nessus	SuSE Local Security Checks	medium
88707	SUSE SLED12 / SLES12 Security Update : krb5 (SUSE-SU-2016:0429-1)	Nessus	SuSE Local Security Checks	medium
88687	openSUSE Security Update : krb5 (openSUSE-2016-181)	Nessus	SuSE Local Security Checks	medium
88581	Debian DSA-3466-1 : krb5 - security update	Nessus	Debian Local Security Checks	medium

CVE-2015-8631

Description

References

Details

Risk Information

CVSS v2.0

CVSS v3.0

Vulnerable Software

Configuration 1

Tenable Plugins