Security fix for CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423 Security fix for CVE-2014-5351

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated krb5 packages fix security vulnerability :

The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access (CVE-2014-5351).

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2498-1 advisory.

    It was discovered that Kerberos incorrectly sent old keys in response to a -randkey -keepold request. An     authenticated remote attacker could use this issue to forge tickets by leveraging administrative access.
    This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5351)

    It was discovered that the libgssapi_krb5 library incorrectly processed security context handles. A remote     attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
    (CVE-2014-5352)

    Patrik Kis discovered that Kerberos incorrectly handled LDAP queries with no results. An authenticated     remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service.
    (CVE-2014-5353)

    It was discovered that Kerberos incorrectly handled creating database entries for a keyless principal when     using LDAP. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in     a denial of service. (CVE-2014-5354)

    It was discovered that Kerberos incorrectly handled memory when processing XDR data. A remote attacker     could use this issue to cause kadmind to crash, resulting in a denial of service, or possibly execute     arbitrary code. (CVE-2014-9421)

    It was discovered that Kerberos incorrectly handled two-component server principals. A remote attacker     could use this issue to perform impersonation attacks. (CVE-2014-9422)

    It was discovered that the libgssrpc library leaked uninitialized bytes. A remote attacker could use this     issue to possibly obtain sensitive information. (CVE-2014-9423)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

MIT kerberos krb5 was updated to fix several security issues and bugs.

Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) sent old keys in a response to a -randkey -keepold request, which allowed remote authenticated users to forge tickets by leveraging administrative access.

  - CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library,     after gss_process_context_token() is used to process a     valid context deletion token, the caller was left with a     security context handle containing a dangling pointer.
    Further uses of this handle would have resulted in     use-after-free and double-free memory access violations.
    libgssrpc server applications such as kadmind were     vulnerable as they can be instructed to call     gss_process_context_token().

  - CVE-2014-9421: If the MIT krb5 kadmind daemon receives     invalid XDR data from an authenticated user, it may have     performed use-after-free and double-free memory access     violations while cleaning up the partial deserialization     results. Other libgssrpc server applications might also     been vulnerable if they contain insufficiently defensive     XDR functions.

  - CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly     accepted authentications to two-component server     principals whose first component is a left substring of     'kadmin' or whose realm is a left prefix of the default     realm.

  - CVE-2014-9423: libgssrpc applications including kadmind     output four or eight bytes of uninitialized memory to     the network as part of an unused 'handle' field in     replies to clients.

Bugs fixed :

  - Work around replay cache creation race; (bnc#898439).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update for krb5 fixes the following issues :

  - When randomizing the keys for a service principal,     current keys could be returned. (CVE-2014-5351)

  - klist -s crashes when handling multiple referral     entries. (bnc#890623)

The remote NewStart CGSL host, running version MAIN 6.06, has krb5 packages installed that are affected by multiple vulnerabilities:

  - plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles     Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial     of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related     to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use     cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin     code that is specific to Red Hat. (CVE-2017-15088)

  - The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT     Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute     arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error     condition. (CVE-2011-0285)

  - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly     validate UDP packets before sending responses, which allows remote attackers to cause a denial of service     (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by     krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443)

  - The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b)     Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to     gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known     whether an exploitable attack scenario exists for these issues. (CVE-2006-3084)

  - The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration     daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in     freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute     arbitrary code via unspecified vectors. (CVE-2006-6143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Security fix for CVE-2014-5351

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The version of the Network Authentication Service (NAS) installed on the remote AIX host is affected by a vulnerability related to Kerberos 5 which allows authenticated users to retrieve current keys, which can be used to forge tickets.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka     krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote     authenticated users to forge tickets by leveraging administrative access. (CVE-2014-5351)

Note that Nessus relies on the presence of the package as reported by the vendor.

krb5 was updated to fix five security issues.

These security issues were fixed :

  - CVE-2014-5351: current keys returned when randomizing     the keys for a service principal (bnc#897874) 

  - CVE-2014-5352: An authenticated attacker could cause a     vulnerable application (including kadmind) to crash or     to execute arbitrary code (bnc#912002).

  - CVE-2014-9421: An authenticated attacker could cause     kadmind or other vulnerable server application to crash     or to execute arbitrary code (bnc#912002).

  - CVE-2014-9422: An attacker who possess the key of a     particularly named principal (such as 'kad/root') could     impersonate any user to kadmind and perform     administrative actions as that user (bnc#912002).

  - CVE-2014-9423: An attacker could attempt to glean     sensitive information from the four or eight bytes of     uninitialized data output by kadmind or other libgssrpc     server application. Because MIT krb5 generally sanitizes     memory containing krb5 keys before freeing it, it is     unlikely that kadmind would leak Kerberos key     information, but it is not impossible (bnc#912002).

This non-security issue was fixed :

  - Work around replay cache creation race (bnc#898439).

The remote host is affected by the vulnerability described in GLSA-201412-53 (MIT Kerberos 5: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues.

CVE-2013-1418 Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured.

CVE-2014-5351 Kerberos sends old keys in a response to a -randkey
-keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.

CVE-2014-5353 When the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.

CVE-2014-5355 Kerberos expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character,

CVE-2016-3119 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.

CVE-2016-3120 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.

For Debian 7 'Wheezy', these problems have been fixed in version 1.10.1+dfsg-5+deb7u9.

We recommend that you upgrade your krb5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
81705	Fedora 20 : krb5-1.11.5-18.fc20 (2015-2382)	Nessus	Fedora Local Security Checks	3/10/2015	1/11/2021	high
79411	Mandriva Linux Security Advisory : krb5 (MDVSA-2014:224)	Nessus	Mandriva Local Security Checks	11/23/2014	1/6/2021	low
81297	Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2498-1)	Nessus	Ubuntu Local Security Checks	2/11/2015	9/3/2025	high
83683	SUSE SLED12 / SLES12 Security Update : krb5 (SUSE-SU-2015:0290-2)	Nessus	SuSE Local Security Checks	5/20/2015	1/6/2021	high
79232	SuSE 11.3 Security Update : krb5 (SAT Patch Number 9827)	Nessus	SuSE Local Security Checks	11/13/2014	1/19/2021	low
83682	SUSE SLES12 Security Update : krb5 (SUSE-SU-2015:0290-1)	Nessus	SuSE Local Security Checks	5/20/2015	1/6/2021	high
266225	NewStart CGSL MAIN 6.06 : krb5 Multiple Vulnerabilities (NS-SA-2025-0215)	Nessus	NewStart CGSL Local Security Checks	9/30/2025	10/1/2025	critical
78100	Fedora 21 : krb5-1.12.2-9.fc21 (2014-11940)	Nessus	Fedora Local Security Checks	10/9/2014	1/11/2021	low
81022	AIX NAS Advisory : nas_advisory2.asc	Nessus	AIX Local Security Checks	1/27/2015	4/21/2023	low
218335	Linux Distros Unpatched Vulnerability : CVE-2014-5351	Nessus	Misc.	3/4/2025	9/3/2025	high
81304	openSUSE Security Update : krb5 (openSUSE-2015-128)	Nessus	SuSE Local Security Checks	2/12/2015	1/19/2021	high
80328	GLSA-201412-53 : MIT Kerberos 5: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	1/2/2015	1/6/2021	high
106536	Debian DLA-1265-1 : krb5 security update	Nessus	Debian Local Security Checks	2/1/2018	10/30/2025	medium

Detections

Analytics

Plugins Search

high

low

high

high

low

high

critical

low

low

high

high

high

medium