openSUSE Security Update : krb5 (openSUSE-2015-128)

This script is Copyright (C) 2015 Tenable Network Security, Inc.


Synopsis :

The remote openSUSE host is missing a security update.

Description :

krb5 was updated to fix five security issues.

These security issues were fixed :

- CVE-2014-5351: current keys returned when randomizing
the keys for a service principal (bnc#897874)

- CVE-2014-5352: An authenticated attacker could cause a
vulnerable application (including kadmind) to crash or
to execute arbitrary code (bnc#912002).

- CVE-2014-9421: An authenticated attacker could cause
kadmind or other vulnerable server application to crash
or to execute arbitrary code (bnc#912002).

- CVE-2014-9422: An attacker who possess the key of a
particularly named principal (such as 'kad/root') could
impersonate any user to kadmind and perform
administrative actions as that user (bnc#912002).

- CVE-2014-9423: An attacker could attempt to glean
sensitive information from the four or eight bytes of
uninitialized data output by kadmind or other libgssrpc
server application. Because MIT krb5 generally sanitizes
memory containing krb5 keys before freeing it, it is
unlikely that kadmind would leak Kerberos key
information, but it is not impossible (bnc#912002).

This non-security issue was fixed :

- Work around replay cache creation race (bnc#898439).

See also :

https://bugzilla.opensuse.org/show_bug.cgi?id=897874
https://bugzilla.opensuse.org/show_bug.cgi?id=898439
https://bugzilla.opensuse.org/show_bug.cgi?id=912002

Solution :

Update the affected krb5 packages.

Risk factor :

High / CVSS Base Score : 9.0
(CVSS2#AV:N/AC:L/Au:S/C:C/I:C/A:C)

Family: SuSE Local Security Checks

Nessus Plugin ID: 81304 ()

Bugtraq ID:

CVE ID: CVE-2014-5351
CVE-2014-5352
CVE-2014-9421
CVE-2014-9422
CVE-2014-9423

Ready to Amp Up Your Nessus Experience?

Get Nessus Professional to scan unlimited IPs, run compliance checks & more

Buy Nessus Professional Now