OracleVM 3.3 : krb5 (OVMSA-2014-0034)

This script is Copyright (C) 2014-2017 Tenable Network Security, Inc.


Synopsis :

The remote OracleVM host is missing a security update.

Description :

The remote OracleVM system is missing necessary patches to address
critical security updates :

- actually apply that last patch

- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345,
#1128157)

- ksu: when evaluating .k5users, don't throw away data
from .k5users when we're not passed a command to run,
which implicitly means we're attempting to run the
target user's shell (#1026721, revised)

- ksu: when evaluating .k5users, treat lines with just a
principal name as if they contained the principal name
followed by '*', and don't throw away data from .k5users
when we're not passed a command to run, which implicitly
means we're attempting to run the target user's shell
(#1026721, revised)

- gssapi: pull in upstream fix for a possible NULL
dereference in spnego (CVE-2014-4344, #1121510)

- gssapi: pull in proposed-and-accepted fix for a double
free in initiators (David Woodhouse, CVE-2014-4343,
#1121510)

- correct a type mistake in the backported fix for
(CVE-2013-1418, CVE-2013-6800)

- pull in backported fix for denial of service by
injection of malformed GSSAPI tokens (CVE-2014-4341,
CVE-2014-4342, #1121510)

- incorporate backported patch for remote crash of KDCs
which serve multiple realms simultaneously (RT#7756,
CVE-2013-1418/CVE-2013-6800, more of

- pull in backport of patch to not subsequently always
require that responses come from master KDCs if we get
one from a master somewhere along the way while chasing
referrals (RT#7650, #1113652)

- ksu: if the -e flag isn't used, use the target user's
shell when checking for authorization via the target
user's .k5users file (#1026721)

- define _GNU_SOURCE in files where we use EAI_NODATA, to
make sure that it's declared (#1059730)

- spnego: pull in patch from master to restore preserving
the OID of the mechanism the initiator requested when we
have multiple OIDs for the same mechanism, so that we
reply using the same mechanism OID and the initiator
doesn't get confused (#1087068, RT#7858)

- add patch from Jatin Nansi to avoid attempting to clear
memory at the NULL address if krb5_encrypt_helper
returns an error when called from encrypt_credencpart
(#1055329, pull #158)

- drop patch to add additional access checks to ksu - they
shouldn't be resulting in any benefit

- apply patch from Nikolai Kondrashov to pass a default
realm set in /etc/sysconfig/krb5kdc to the
kdb_check_weak helper, so that it doesn't produce an
error if there isn't one set in krb5.conf (#1009389)

- packaging: don't Obsoletes: older versions of
krb5-pkinit-openssl and virtual Provide:
krb5-pkinit-openssl on EL6, where we don't need to
bother with any of that (#1001961)

- pkinit: backport tweaks to avoid trying to call the
prompter callback when one isn't set (part of #965721)

- pkinit: backport the ability to use a prompter callback
to prompt for a password when reading private keys (the
rest of #965721)

- backport fix to not spin on a short read when reading
the length of a response over TCP (RT#7508, #922884)

- backport fix for trying all compatible keys when not
being strict about acceptor names while reading AP-REQs
(RT#7883, #1070244)

- backport fix for not being able to verify the list of
transited realms in GSS acceptors (RT#7639, #959685)

- pull fix for keeping track of the message type when
parsing FAST requests in the KDC (RT#7605, #951965)

- incorporate upstream patch to fix a NULL pointer
dereference while processing certain TGS requests
(CVE-2013-1416, #950343)

- incorporate upstream patch to fix a NULL pointer
dereference when the client supplies an
otherwise-normal-looking PKINIT request (CVE-2013-1415,
#917910)

- add patch to avoid dereferencing a NULL pointer in the
KDC when handling a draft9 PKINIT request (#917910,
CVE-2012-1016)

- pull up fix for UDP ping-pong flaw in kpasswd service
(CVE-2002-2443,

- don't leak the memory used to hold the previous entry
when walking a keytab to figure out which kinds of keys
we have (#911147)

See also :

http://www.nessus.org/u?4dbf93cd

Solution :

Update the affected krb5-libs package.

Risk factor :

High / CVSS Base Score : 8.5
(CVSS2#AV:N/AC:M/Au:S/C:C/I:C/A:C)
CVSS Temporal Score : 7.4
(CVSS2#E:ND/RL:OF/RC:C)
Public Exploit Available : false