Oracle Solaris Third-Party Patch Update : kerberos (cve_2010_1322_improper_input)

This script is Copyright (C) 2015-2016 Tenable Network Security, Inc.


Synopsis :

The remote Solaris system is missing a security patch for third-party
software.

Description :

The remote Solaris system is missing necessary patches to address
security updates :

- The merge_authdata function in kdc_authdata.c in the Key
Distribution Center (KDC) in MIT Kerberos 5 (aka krb5)
1.8.x before 1.8.4 does not properly manage an index
into an authorization-data list, which allows remote
attackers to cause a denial of service (daemon crash),
or possibly obtain sensitive information, spoof
authorization, or execute arbitrary code, via a TGS
request that triggers an uninitialized pointer
dereference, as demonstrated by a request from a Windows
Active Directory client. (CVE-2010-1322)

- MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x,
1.7.x, and 1.8.x through 1.8.3 does not properly
determine the acceptability of checksums, which might
allow remote attackers to modify user-visible prompt
text, modify a response to a Key Distribution Center
(KDC), or forge a KRB-SAFE message via certain checksums
that (1) are unkeyed or (2) use RC4 keys.
(CVE-2010-1323)

- MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3
does not properly determine the acceptability of
checksums, which might allow remote attackers to forge
GSS tokens, gain privileges, or have unspecified other
impact via (1) an unkeyed checksum, (2) an unkeyed PAC
checksum, or (3) a KrbFastArmoredReq checksum based on
an RC4 key. (CVE-2010-1324)

- MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not
reject RC4 key-derivation checksums, which might allow
remote authenticated users to forge a (1) AD-SIGNEDPATH
or (2) AD-KDC-ISSUED signature, and possibly gain
privileges, by leveraging the small key space that
results from certain one-byte stream-cipher operations.
(CVE-2010-4020)

- The Key Distribution Center (KDC) in MIT Kerberos 5 (aka
krb5) 1.7 does not properly restrict the use of TGT
credentials for armoring TGS requests, which might allow
remote authenticated users to impersonate a client by
rewriting an inner request, aka a 'KrbFastReq forgery
issue.' (CVE-2010-4021)

- Double free vulnerability in the prepare_error_as
function in do_as_req.c in the Key Distribution Center
(KDC) in MIT Kerberos 5 (aka krb5) 1.7 through 1.9, when
the PKINIT feature is enabled, allows remote attackers
to cause a denial of service (daemon crash) or possibly
execute arbitrary code via an e_data field containing
typed data. (CVE-2011-0284)

See also :

http://www.nessus.org/u?b5f8def1
http://www.nessus.org/u?991fdc40
http://www.nessus.org/u?e593eb89
http://www.nessus.org/u?7a7b5715

Solution :

Upgrade to Solaris 11.1.11.4.0.

Risk factor :

High / CVSS Base Score : 7.6
(CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C)

Family: Solaris Local Security Checks

Nessus Plugin ID: 80653

Bugtraq ID:

CVE ID: CVE-2010-1322
CVE-2010-1323
CVE-2010-1324
CVE-2010-4020
CVE-2010-4021
CVE-2011-0284
