The remote Redhat Enterprise Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2015:2154 advisory.

  - krb5: unauthenticated denial of service in recvauth_common() and others (CVE-2014-5355)

  - krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass (CVE-2015-2694)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

MIT reports :

In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.

Updated krb5 packages that fix two security issues, several bugs, and add various enhancements are now available for Red Hat Enterprise Linux 7.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC).

It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.
(CVE-2014-5355)

A flaw was found in the OTP kdcpreauth module of MIT kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694)

The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version. (BZ#1203889)

Notably, this update fixes the following bugs :

* Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the correct code path is now used in this situation. (BZ#1251586)

* Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP NetWeaver developer trace displayed the following error message :

No credentials were supplied, or the credentials were unavailable or inaccessible Unable to establish the security context

Querying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems. (BZ#1252454)

All krb5 users are advised to upgrade to these updated packages, which correct these issues and add these enhancements.

The remote MiracleLinux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the AXSA:2015-622:02 advisory.

    Kerberos V5 is a trusted-third-party network authentication system,     which can improve your network's security by eliminating the insecure     practice of sending passwords over the network in unencrypted form.
    Security issues fixed with this release:
    CVE-2014-5355     MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a     krb5_read_message data field is represented as a string ending with a     '\0' character, which allows remote attackers to (1) cause a denial of     service (NULL pointer dereference) via a zero-byte version string or     (2) cause a denial of service (out-of-bounds read) by omitting the     '\0' character, related to appl/user_user/server.c and     lib/krb5/krb/recvauth.c.
    CVE-2015-2694     The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x     before 1.13.2 do not properly track whether a client's request has     been validated, which allows remote attackers to bypass an intended     preauthentication requirement by providing (1) zero bytes of data or     (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and     plugins/preauth/pkinit/pkinit_srv.c.
    Fixed bugs:
    * Previously, the RADIUS support (libkrad) in krb5 was sending krb5 authentication for Transmission     Control Protocol (TCP) transports multiple times, accidentally using a code path intended to be used only     for unreliable transport types, for example User Datagram Protocol (UDP) transports. A patch that fixes     the problem by disabling manual retries for reliable transports, such as TCP, has been applied, and the     correct code path is now used in this situation.
    * Attempts to use Kerberos single sign-on (SSO) to access SAP NetWeaver systems sometimes failed. The SAP     NetWeaver developer trace displayed the following error message:

Tenable has extracted the preceding description block directly from the MiracleLinux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Security fix for CVE-2015-2694

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

krb5 was updated to fix four security issues.

These security issues were fixed :

  - CVE-2014-5353: NULL pointer dereference when using a     ticket policy name as password name (bsc#910457).

  - CVE-2014-5354: NULL pointer dereference when using     keyless entries (bsc#910458).

  - CVE-2014-5355: Denial of service in krb5_read_message     (bsc#918595).

  - CVE-2015-2694: OTP and PKINIT kdcpreauth modules leading     to requires_preauth bypass (bsc#928978).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

A flaw was found in the OTP kdcpreauth module of MIT Kerberos. A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.

It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.

Security fix for CVE-2015-2694 Security fix for CVE-2014-5353 (this was fixed in an older build but the announcement was lost)

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote NewStart CGSL host, running version MAIN 6.06, has krb5 packages installed that are affected by multiple vulnerabilities:

  - plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles     Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial     of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related     to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use     cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin     code that is specific to Red Hat. (CVE-2017-15088)

  - The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT     Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute     arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error     condition. (CVE-2011-0285)

  - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly     validate UDP packets before sending responses, which allows remote attackers to cause a denial of service     (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by     krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443)

  - The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b)     Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to     gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known     whether an exploitable attack scenario exists for these issues. (CVE-2006-3084)

  - The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration     daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in     freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute     arbitrary code via unspecified vectors. (CVE-2006-6143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2810-1 advisory.

    It was discovered that the Kerberos kpasswd service incorrectly handled certain UDP packets. A remote     attacker could possibly use this issue to cause resource consumption, resulting in a denial of service.
    This issue only affected Ubuntu 12.04 LTS. (CVE-2002-2443)

    It was discovered that Kerberos incorrectly handled null bytes in certain data fields. A remote attacker     could possibly use this issue to cause a denial of service. This issue only affected Ubuntu 12.04 LTS and     Ubuntu 14.04 LTS. (CVE-2014-5355)

    It was discovered that the Kerberos kdcpreauth modules incorrectly tracked certain client requests. A     remote attacker could possibly use this issue to bypass intended preauthentication requirements. This     issue only affected Ubuntu 14.04 LTS and Ubuntu 15.04. (CVE-2015-2694)

    It was discovered that Kerberos incorrectly handled certain SPNEGO packets. A remote attacker could     possibly use this issue to cause a denial of service. (CVE-2015-2695)

    It was discovered that Kerberos incorrectly handled certain IAKERB packets. A remote attacker could     possibly use this issue to cause a denial of service. (CVE-2015-2696, CVE-2015-2698)

    It was discovered that Kerberos incorrectly handled certain TGS requests. A remote attacker could possibly     use this issue to cause a denial of service. (CVE-2015-2697)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2015-2154 advisory.

    - the rebase to krb5 1.13.1 in vers 1.13.1-0 also fixed:
      - Bug 1144498 ('Fix the race condition in the libkrb5 replay cache')
      - Bug 1163402 ('kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64')
      - Bug 1185770 ('Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c')
      - Bug 1204211 ('CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and other')
    - fix for CVE-2015-2694 (#1218020) 'requires_preauth bypass       in PKINIT-enabled KDC'.
      In MIT krb5 1.12 and later, when the KDC is configured with       PKINIT support, an unauthenticated remote attacker can       bypass the requires_preauth flag on a client principal and       obtain a ciphertext encrypted in the principal's long-term       key.  This ciphertext could be used to conduct an off-line       dictionary attack against the user's password.

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.
(CVE-2014-5355)

A flaw was found in the OTP kdcpreauth module of MIT kerberos. An unauthenticated remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. (CVE-2015-2694)

The krb5 packages have been upgraded to upstream version 1.13.2, which provides a number of bug fixes and enhancements over the previous version.

Notably, this update fixes the following bugs :

  - Previously, the RADIUS support (libkrad) in krb5 was     sending krb5 authentication for Transmission Control     Protocol (TCP) transports multiple times, accidentally     using a code path intended to be used only for     unreliable transport types, for example User Datagram     Protocol (UDP) transports. A patch that fixes the     problem by disabling manual retries for reliable     transports, such as TCP, has been applied, and the     correct code path is now used in this situation.

  - Attempts to use Kerberos single sign-on (SSO) to access     SAP NetWeaver systems sometimes failed. The SAP     NetWeaver developer trace displayed the following error     message :

No credentials were supplied, or the credentials were unavailable or inaccessible Unable to establish the security context

Querying SSO credential lifetime has been modified to trigger credential acquisition, thus preventing the error from occurring. Now, the user can successfully use Kerberos SSO for accessing SAP NetWeaver systems.

The remote NewStart CGSL host, running version MAIN 6.06 (SP), has krb5 packages installed that are affected by multiple vulnerabilities:

  - plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles     Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial     of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related     to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use     cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin     code that is specific to Red Hat. (CVE-2017-15088)

  - The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT     Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute     arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error     condition. (CVE-2011-0285)

  - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly     validate UDP packets before sending responses, which allows remote attackers to cause a denial of service     (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by     krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443)

  - The (1) ftpd and (2) ksu programs in (a) MIT Kerberos 5 (krb5) up to 1.5, and 1.4.x before 1.4.4, and (b)     Heimdal 0.7.2 and earlier, do not check return codes for setuid calls, which might allow local users to     gain privileges by causing setuid to fail to drop privileges. NOTE: as of 20060808, it is not known     whether an exploitable attack scenario exists for these issues. (CVE-2006-3084)

  - The RPC library in Kerberos 5 1.4 through 1.4.4, and 1.5 through 1.5.1, as used in Kerberos administration     daemon (kadmind) and other products that use this library, calls an uninitialized function pointer in     freed memory, which allows remote attackers to cause a denial of service (crash) and possibly execute     arbitrary code via unspecified vectors. (CVE-2006-6143)

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Published	Updated	Severity
86933	RHEL 7 : krb5 (RHSA-2015:2154)	Nessus	Red Hat Local Security Checks	11/19/2015	4/27/2024	high
83901	FreeBSD : krb5 -- requires_preauth bypass in PKINIT-enabled KDC (406636fe-055d-11e5-aab1-d050996490d0)	Nessus	FreeBSD Local Security Checks	5/29/2015	1/6/2021	medium
87136	CentOS 7 : krb5 (CESA-2015:2154)	Nessus	CentOS Local Security Checks	12/2/2015	1/4/2021	medium
289354	MiracleLinux 7 : krb5-1.13.2-10.el7 (AXSA:2015-622:02)	Nessus	Miracle Linux Local Security Checks	1/16/2026	1/16/2026	high
83340	Fedora 22 : krb5-1.13.1-3.fc22 (2015-7866)	Nessus	Fedora Local Security Checks	5/12/2015	1/11/2021	medium
84914	SUSE SLES12 Security Update : krb5 (SUSE-SU-2015:1276-1)	Nessus	SuSE Local Security Checks	7/22/2015	1/6/2021	medium
87350	Amazon Linux AMI : krb5 (ALAS-2015-624)	Nessus	Amazon Linux Local Security Checks	12/15/2015	4/18/2018	medium
84305	Fedora 21 : krb5-1.12.2-17.fc21 (2015-7878)	Nessus	Fedora Local Security Checks	6/22/2015	1/11/2021	medium
266225	NewStart CGSL MAIN 6.06 : krb5 Multiple Vulnerabilities (NS-SA-2025-0215)	Nessus	NewStart CGSL Local Security Checks	9/30/2025	10/1/2025	critical
86872	Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2810-1)	Nessus	Ubuntu Local Security Checks	11/13/2015	9/3/2025	high
87026	Oracle Linux 7 : krb5 (ELSA-2015-2154)	Nessus	Oracle Linux Local Security Checks	11/24/2015	11/1/2024	high
87560	Scientific Linux Security Update : krb5 on SL7.x x86_64 (20151119)	Nessus	Scientific Linux Local Security Checks	12/22/2015	1/14/2021	medium
301200	NewStart CGSL MAIN 6.06 (SP) : krb5 Multiple Vulnerabilities (NS-SA-2026-0007)	Nessus	NewStart CGSL Local Security Checks	3/6/2026	3/9/2026	critical

Detections

Analytics

Plugins Search

high

medium

medium

high

medium

medium

medium

medium

critical

high

high

medium

critical