OracleVM 2.2 : krb5 (OVMSA-2011-0015)

Critical Nessus Plugin ID 79475

Synopsis

The remote OracleVM host is missing one or more security updates.

Description

The remote OracleVM system is missing necessary patches to address critical security updates:

- Fix for (CVE-2011-4862)

- incorporate a fix to teach the file labeling bits about when replay caches are expunged (#712453)

- rebuild

- ftp: handle larger command inputs (#665833)

- don't bail halfway through an unlock operation when the result will be discarded and the end-result not cleaned up (Martin Osvald, #586032)

- add a versioned dependency between krb5-server-ldap and krb5-libs (internal tooling)

- don't discard the error code from an error message received in response to a change-password request (#658871, RT#6893)

- ftpd: add patch from Jatin Nansi to correctly match restrict lines in /etc/ftpusers (#644215, RT#6889)

- ftp: add modified patch from Rogan Kyuseok Lee to report the number of bytes transferred correctly when transferring large files on 32-bit systems (#648404)

- backport fix for RT#6514: memory leak freeing rcache type none (#678205)

- add upstream patch to fix hang or crash in the KDC when using the LDAP kdb backend (CVE-2011-0281, CVE-2011-0282, #671097)

- incorporate upstream patch for checksum acceptance issues from MITKRB5-SA-2010-007 (CVE-2010-1323, #652308)

- backport a fix to the previous change (#539423)

- backport the k5login_directory and k5login_authoritative settings (#539423)

- krshd: don't limit user names to 16 chars when utmp can handle names at least a bit longer than that (#611713)

- fix a logic bug in computing key expiration times (RT#6762, #627038)

- correct the post-rotate scriptlet in the kadmind logrotate config (more of #462658)

- ftpd: backport changes to modify behavior to match telnetd, rshd, rlogind and accept GSSAPI auth to any service for which we have a matching key (#538075)

- pull in fix for RT#5551 to treat the referral realm when seen in a ticket as though it were the local realm (#498554, also very likely #450122)

- add aes256-cts:normal and aes128-cts:normal to the list of keysalts in the default kdc.conf (part of #565941)

- add a note to kdc.conf(5) pointing to the admin guide for the list of recognized key and salt types (the rest of #565941)

- add logrotate configuration files for krb5kdc and kadmind (#462658)

- libgssapi: backport patch from svn to stop returning context-expired errors when the ticket which was used to set up the context expires (#605367, upstream #6739)

- enable building the -server-ldap subpackage (#514362)

- stop caring about the endianness of stash files (#514741), which will be replaced by proper keytab files in later releases

- don't crash in krb5_get_init_creds_password if the passed-in options struct is NULL and the client's keys have expired (#555875)

- ksu: perform PAM account and session management before dropping privileges to those of the target user (#540769 and #596887, respectively)

- add candidate patch to correct libgssapi null pointer dereference which could be triggered by malformed client requests (CVE-2010-1321, #583704)

- fix a null pointer dereference and crash introduced in our PAM patch that would happen if ftpd was given the name of a user who wasn't known to the local system, limited to being triggerable by gssapi-authenticated clients by the default xinetd config (Olivier Fourdan, #569472)

- add upstream patch to fix a few use-after-free bugs, including one in kadmind (CVE-2010-0629, #578186)

- merge patch to correct KDC integer overflows which could be triggered by malformed RC4 and AES ciphertexts (CVE-2009-4212, #546348)

- pull changes to libkrb5 to properly handle and chase off-path referrals back from 1.7 (#546538)

- add an auth stack to ksu's PAM configuration so that it can successfully pam_setcred

- also set PAM_RUSER in ksu for completeness (#479071+#477033)

- fix various typos, except for bits pertaining to licensing (#499190)

- kdb5_util: when renaming a database, if the new name's associated lock files don't exist, go ahead and create them (#442879)

- ksu: perform PAM account and session management for the target user; authentication is still performed as before (#477033)

- fix typo in ksu's reporting of errors getting credentials (#462890)

- kadmind.init: stop setting up a keytab, as kadmind has been able to use the database directly for a while now (#473151)

- pull up patch to set PAM_RHOST (James Leddy, #479071)

Solution

Update the affected krb5-libs / krb5-workstation packages.

See Also

http://www.nessus.org/u?783bc3a1

Plugin Details

Severity: Critical

ID: 79475

File Name: oraclevm_OVMSA-2011-0015.nasl

Version: 1.8

Type: local

Published: 2014/11/26

Updated: 2018/11/05

Dependencies: 12634

Risk Information

Risk Factor: Critical

CVSS v2.0

Base Score: 10

Temporal Score: 7.8

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:POC/RL:OF/RC:C

CVSS v3.0

Base Score: 3.7

Temporal Score: 3.4

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:vm:krb5-libs, p-cpe:/a:oracle:vm:krb5-workstation, cpe:/o:oracle:vm_server:2.2

Required KB Items: Host/local_checks_enabled, Host/OracleVM/release, Host/OracleVM/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2012/01/04

Exploitable With

Core Impact

Metasploit (Linux BSD-derived Telnet Service Encryption Key ID Buffer Overflow)

ExploitHub (EH-11-760)

Reference Information

CVE: CVE-2009-4212, CVE-2010-0629, CVE-2010-1321, CVE-2010-1323, CVE-2011-0281, CVE-2011-0282, CVE-2011-4862

BID: 37749, 39247, 40235, 45118, 46265, 46271, 51182

CWE: 189