Mandriva Linux Security Advisory : krb5 (MDVSA-2010:246)

This script is Copyright (C) 2010-2013 Tenable Network Security, Inc.


Synopsis :

The remote Mandriva Linux host is missing one or more security
updates.

Description :

Multiple vulnerabilities were discovered and corrected in krb5 :

An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token. An unauthenticated remote attacker has a 1/256 chance
of forging KRB-SAFE messages in an application protocol if the
targeted pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages (CVE-2010-1323).

An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key. An
authenticated remote attacker can forge PACs if using a KDC that does
not filter client-provided PAC data. This can result in privilege
escalation against a service that relies on PAC contents to make
authorization decisions. An unauthenticated remote attacker has a
1/256 chance of swapping a client-issued KrbFastReq into a different
KDC-REQ, if the armor key is RC4. The consequences are believed to be
minor (CVE-2010-1324).

An authenticated remote attacker that controls a legitimate service
principal has a 1/256 chance of forging the AD-SIGNEDPATH signature if
the TGT key is RC4, allowing it to use self-generated evidence tickets
for S4U2Proxy, instead of tickets obtained from the user or with
S4U2Self. Configurations using RC4 for the TGT key are believed to be
rare. An authenticated remote attacker has a 1/256 chance of forging
AD-KDC-ISSUED signatures on authdata elements in tickets having an RC4
service key, resulting in privilege escalation against a service that
relies on these signatures. There are no known uses of the KDC-ISSUED
authdata container at this time (CVE-2010-4020).

An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ it
has intercepted. The attacker could then use this ticket for S4U2Proxy
to impersonate the targeted client even if the client never
authenticated to the subverted service. The vulnerable configuration
is believed to be rare (CVE-2010-4021).

The updated packages have been patched to correct these issues.

See also :

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt

Solution :

Update the affected packages.

Risk factor :

Medium / CVSS Base Score : 4.3
(CVSS2#AV:N/AC:M/Au:N/C:N/I:P/A:N)
CVSS Temporal Score : 3.4
(CVSS2#E:POC/RL:OF/RC:C)
Public Exploit Available : true

Family: Mandriva Local Security Checks

Nessus Plugin ID: 50849

Bugtraq ID: 45116, 45117, 45118, 45122

CVE ID: CVE-2010-1323, CVE-2010-1324, CVE-2010-4020, CVE-2010-4021
