Kerberos
Topic: double-free, uninitialized data vulnerabilities in krb5kdc
CVE-2008-0062
VU#895609
Use of a null or dangling pointer in the MIT Kerberos KDC can result
in a crash or double-free, and may leak portions of process memory to
an attacker.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:C/E:P/RL:O/RC:C
CVE-2010-4020, and CVE-2010-4021.
SUMMARY
=======
These vulnerabilities are in the MIT implementation of Kerberos
(krb5), but because they arise from flaws in protocol handling logic,
other implementations may also be vulnerable.
CVE-2010-1324
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: MIT Kerberos 5: Multiple vulnerabilities
Date: March 24, 2008
Bugs: #199205, #212363
ID: 200803-31
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
[CVE-2009-0846]
An ASN.1 decoder can free an uninitialized pointer when decoding an
invalid encoding. This can cause a Kerberos application to crash, or,
under theoretically possible but unlikely circumstances, execute
arbitrary malicious code. No exploit is known to exist that would
cause arbitrary code execution.
This is an implementation vulnerability in MIT krb5, and is not a
Certain invalid GSS-API tokens can cause a GSS-API acceptor (server)
to crash due to a null pointer dereference in the GSS-API library.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.
IMPACT
======
An authenticated remote attacker can cause a GSS-API application
The MIT Kerberos Team has discovered a problem with the originally
published patch for svc_auth_gss.c [CVE-2007-3999], which allowed a
32-byte overflow. Depending on the compilation environment and
machine architecture, this may or may not be a significant continued
vulnerability. The new patch in the updated advisory (below)
correctly checks the buffer length.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: MIT Kerberos 5: Multiple vulnerabilities
Date: April 08, 2009
Bugs: #262736, #263398
ID: 200904-09
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
_______________________________________________________________________
Problem Description:
Multiple memory management flaws were found in the GSSAPI library
used by Kerberos that could result in the use of already freed memory
or an attempt to free already freed memory, possibly leading to a
crash or allowing the execution of arbitrary code (CVE-2007-5901,
CVE-2007-5971).
A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
SUMMARY
=======
Integer underflow bugs in the AES and RC4 decryption operations of the
crypto library of the MIT Kerberos software can cause crashes, heap
corruption, or, under extraordinarily unlikely conditions, arbitrary
code execution. Only releases krb5-1.3 and later are vulnerable, as
earlier releases did not contain the functionality implemented by the
vulnerable code.
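To make the underflow concrete, here is an added example (editor's C, not
the krb5 crypto library; the IV/body/checksum layout, the function names
and the zeroed 40-byte sample are simplifications and assumptions). The
flawed length computation wraps to a value near SIZE_MAX on short input,
which is what then drives an oversized allocation or copy; the hardened
split establishes the minimum message size before it subtracts anything.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* View of a message on the decrypt side: leading IV/confounder block, body,
 * trailing checksum.  Illustrative layout, not the exact enctype formats. */
typedef struct {
    const uint8_t *iv;   size_t iv_len;
    const uint8_t *body; size_t body_len;
    const uint8_t *mac;  size_t mac_len;
} ct_view;

/* The flawed arithmetic: unsigned subtraction with no minimum-length check.
 * For input shorter than block_len + hash_len the result wraps to a huge
 * value that a caller then uses to size and fill an output buffer. */
size_t flawed_plain_len(size_t ct_len, size_t block_len, size_t hash_len)
{
    return ct_len - block_len - hash_len;
}

/* Hardened split: compute the overhead (guarding that sum too), reject any
 * message that cannot hold IV + checksum, and only then do pointer math. */
bool split_ciphertext(const uint8_t *ct, size_t ct_len,
                      size_t block_len, size_t hash_len, ct_view *v)
{
    if (block_len > SIZE_MAX - hash_len)
        return false;                         /* overhead itself would wrap */
    size_t overhead = block_len + hash_len;
    if (ct_len < overhead)
        return false;                         /* too short to be a valid message */
    v->iv = ct;                      v->iv_len = block_len;
    v->body = ct + block_len;        v->body_len = ct_len - overhead;
    v->mac = v->body + v->body_len;  v->mac_len = hash_len;
    return true;
}

/* Constructed sample: 16-byte IV, 4-byte body, 20-byte checksum; contents
 * are irrelevant to the length logic, so the buffer is simply zeroed. */
const uint8_t SAMPLE_CT[40] = { 0 };

/* Demo helper: body length the hardened path derives, or -1 if rejected. */
long body_len_of(const uint8_t *ct, size_t ct_len, size_t block_len, size_t hash_len)
{
    ct_view v;
    if (!split_ciphertext(ct, ct_len, block_len, hash_len, &v))
        return -1;
    return (long)v.body_len;
}

int main(void)
{
    printf("10-byte input, flawed plain_len = %zu (wrapped)\n",
           flawed_plain_len(10, 16, 20));
    printf("10-byte input, hardened split -> %ld\n",
           body_len_of(SAMPLE_CT, 10, 16, 20));
    printf("40-byte input, hardened split -> body_len %ld\n",
           body_len_of(SAMPLE_CT, sizeof SAMPLE_CT, 16, 20));
    return 0;
}
```

The block sizes (16 for AES, 20 for an SHA-1 HMAC) are only the values
used in the demo calls; the check itself is parameterised so the same
function serves RC4-style layouts with a different overhead.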
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02657328
Version: 1
HPSBUX02623 SSRT100355 rev.1 - HP-UX Running Kerberos, Remote Unauthorized Modification
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2011-01-19
Last Updated: 2011-01-19
This advisory concerns two vulnerabilities. CVE-2007-3999 is much
easier to exploit than CVE-2007-4000.
[CVE-2007-3999]
The MIT krb5 Kerberos administration daemon (kadmind) is vulnerable to
a stack buffer overflow in the RPCSEC_GSS authentication flavor of the
RPC library. Third-party applications using the RPC library provided
with MIT krb5 may also be affected.
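The length check at the heart of CVE-2007-3999, as an added illustration
(editor's C, not MIT krb5's svc_auth_gss.c): the RPC library rebuilds the
call header (eight XDR words, 32 bytes) in a fixed stack buffer and then
appends the caller-supplied opaque_auth body. The 400-byte opaque_auth
limit and the 32-byte header come from ONC RPC; the scratch-buffer size,
function names and sample bytes are assumptions. The flawed variant mirrors
the first 2007-006 patch described in the update notice earlier on this
page: bounding the credential against the whole buffer without subtracting
the header leaves exactly 32 bytes of overflow, and the corrected variant
subtracts the header from the budget before comparing.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BYTES_PER_XDR_UNIT 4
#define RPC_HDR_WORDS      8                                    /* call-header words copied first */
#define RPC_HDR_BYTES      (RPC_HDR_WORDS * BYTES_PER_XDR_UNIT) /* 32 bytes */
#define MAX_AUTH_BYTES     400                                  /* ONC RPC opaque_auth body limit */
#define RPCHDR_BUF_SIZE    MAX_AUTH_BYTES                       /* assumed scratch-buffer size */

/* Flawed check, in the shape of the first patch: it bounds oa_length against
 * the whole buffer and forgets the 32 header bytes already placed at its
 * start.  Returns how many bytes the following memcpy would write past the
 * end of the buffer (0 means no overflow). */
size_t flawed_overflow_bytes(size_t oa_length)
{
    if (oa_length > MAX_AUTH_BYTES)
        return 0;                            /* rejected before any copy */
    size_t end = RPC_HDR_BYTES + oa_length;
    return end > RPCHDR_BUF_SIZE ? end - RPCHDR_BUF_SIZE : 0;
}

/* Corrected validate-and-copy: the budget for the credential is the buffer
 * minus the header, and that subtraction happens only after confirming the
 * buffer holds the header at all (no size_t wrap). */
bool build_rpchdr(const uint8_t *hdr, const uint8_t *oa_base, size_t oa_length,
                  uint8_t *out, size_t out_len)
{
    if (out_len < RPC_HDR_BYTES)
        return false;
    if (oa_length > out_len - RPC_HDR_BYTES)
        return false;                        /* credential does not fit */
    memcpy(out, hdr, RPC_HDR_BYTES);
    memcpy(out + RPC_HDR_BYTES, oa_base, oa_length);
    return true;
}

/* Demo helper: a constructed header and an oa_length-byte credential go
 * through the corrected path with a RPCHDR_BUF_SIZE buffer.  Returns 1 if
 * accepted and the last credential byte landed in bounds, 0 if rejected. */
int cred_accepted(size_t oa_length)
{
    uint8_t hdr[RPC_HDR_BYTES];
    uint8_t cred[MAX_AUTH_BYTES];
    uint8_t out[RPCHDR_BUF_SIZE];
    if (oa_length > sizeof cred)
        return 0;
    memset(hdr, 0xAA, sizeof hdr);
    memset(cred, 0xBB, sizeof cred);
    memset(out, 0, sizeof out);
    if (!build_rpchdr(hdr, cred, oa_length, out, sizeof out))
        return 0;
    return oa_length == 0 || out[RPC_HDR_BYTES + oa_length - 1] == 0xBB;
}

int main(void)
{
    printf("oa_length=400: flawed check overflows by %zu bytes, corrected check %s\n",
           flawed_overflow_bytes(400), cred_accepted(400) ? "accepts" : "rejects");
    printf("oa_length=368: flawed check overflows by %zu bytes, corrected check %s\n",
           flawed_overflow_bytes(368), cred_accepted(368) ? "accepts" : "rejects");
    return 0;
}
```

A 400-byte credential passes the flawed check and overruns the buffer by
32 bytes, which is the figure the update notice gives; the corrected check
accepts at most 368 bytes for this buffer size.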
We have received a proof-of-concept exploit that does not appear to
_______________________________________________________________________
Problem Description:
A memory management flaw was found in the GSSAPI library used by
Kerberos that could result in an attempt to free already freed memory,
possibly leading to a crash or allowing the execution of arbitrary code
(CVE-2007-5971).
A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
protocol packets. An unauthenticated remote attacker could use this
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: MIT Kerberos 5: Multiple vulnerabilities
Date: January 23, 2012
Bugs: #303723, #308021, #321935, #323525, #339866, #347369,
#352859, #359129, #363507, #387585, #393429
ID: 201201-13
SUMMARY
=======
These are implementation vulnerabilities in MIT krb5, and not
vulnerabilities in the Kerberos protocol.
[CVE-2009-0844]
The MIT krb5 implementation of the SPNEGO GSS-API mechanism can read
beyond the end of a network input buffer. This can cause a GSS-API
SUMMARY
=======
In previous MIT krb5 releases krb5-1.5 through krb5-1.6.3, the
Kerberos administration daemon (kadmind) can crash due to referencing
freed memory. A legitimate user can trigger this crash by using a
newer version of the kadmin protocol than the server supports.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol. This vulnerability is not
Affected: Corporate 3.0, Multi Network Firewall 2.0
_______________________________________________________________________
Problem Description:
A flaw was discovered in how the Kerberos krb5kdc handled Kerberos v4
protocol packets. An unauthenticated remote attacker could use this
flaw to crash the krb5kdc daemon, disclose portions of its memory,
or possibly execute arbitrary code using malformed or truncated
Kerberos v4 protocol requests (CVE-2008-0062, CVE-2008-0063).
* Workaround: restart the KDC when it becomes unresponsive or crashes,
possibly using an automated monitoring process.
* The patch for the krb5-1.9 release is available at
http://web.mit.edu/kerberos/advisories/2011-002-patch.txt
A PGP-signed patch is available at
http://web.mit.edu/kerberos/advisories/2011-002-patch.txt.asc
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c01717795
Version: 2
HPSBUX02421 SSRT090047 rev.2 - HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2009-07-29
Last Updated: 2009-09-30
+#!/usr/bin/python
+from k5test import *
+
+realm = K5Realm(start_kadmind=False, create_host=False)
+output = realm.run_as_client([kvno, 'krbtgt/'], expected_code=1)
+if 'not found in Kerberos database' not in output:
+ fail('TGT lookup for empty realm failed in unexpected way')
+success('Empty tgt lookup.')
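Review bot: the regression this script guards against is a KDC crash on a principal with an empty realm component, but the only evidence it checks is that kvno exited 1 with 'not found in Kerberos database' in its output; a KDC that died would produce a different kvno error and is caught only by the generic 'unexpected way' branch. Add a second kvno against a principal the realm does create after the `krbtgt/` lookup and require it to succeed, so the test fails distinctly when the KDC is no longer answering rather than merely returning an error.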
This patch is also available at
In MIT krb5 releases krb5-1.7 and later, the SPNEGO GSS-API mechanism
can experience an assertion failure when receiving certain invalid
messages. This can cause a GSS-API application to crash.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.
IMPACT
======
An unauthenticated remote attacker could cause a GSS-API application,
Report Confidence: Confirmed
SUMMARY
=======
When the MIT krb5 KDC receives certain Kerberos TGS request messages,
it may dereference an uninitialized pointer while processing
authorization data, causing a crash, or in rare cases, unauthorized
information disclosure, ticket modification, or execution of arbitrary
code. The crash may be triggered by legitimate requests.
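Both the CVE-2009-0846 decoder bug described earlier on this page and the
TGS authorization-data case in this summary have the same shape: a pointer
that is assigned on one path and then freed or dereferenced on another
where it was never set. The following is an added example (editor's C, not
krb5's ASN.1 or KDC code; the two-OCTET-STRING format, function names and
the constructed sample bytes are assumptions). The vulnerable shape is shown
in the comment; the hardened decoder initialises every owned pointer to
NULL, routes all failures through one cleanup path that frees only what was
allocated, and nulls what it freed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { uint8_t *data; size_t len; } octets;

/* Parse one DER OCTET STRING (tag 0x04, short-form length only) at *pos.
 * On success *pos advances past the element and out->data is a malloc'd copy. */
static bool get_octet_string(const uint8_t *buf, size_t buflen, size_t *pos, octets *out)
{
    if (*pos + 2 > buflen || buf[*pos] != 0x04 || (buf[*pos + 1] & 0x80))
        return false;
    size_t len = buf[*pos + 1];
    if (*pos + 2 + len > buflen)              /* truncated content */
        return false;
    out->data = malloc(len ? len : 1);
    if (out->data == NULL)
        return false;
    memcpy(out->data, buf + *pos + 2, len);
    out->len = len;
    *pos += 2 + len;
    return true;
}

/* Vulnerable shape (not compiled here, it is undefined behaviour):
 *
 *     octets a, b;                          // never initialised
 *     if (!get_octet_string(buf, buflen, &pos, &a) ||
 *         !get_octet_string(buf, buflen, &pos, &b)) {
 *         free(a.data);                     // garbage if the first element failed
 *         free(b.data);                     // garbage whenever the second failed
 *         return false;
 *     }
 *
 * A truncated second element makes free(b.data) run on whatever the stack held. */

/* Hardened: owned pointers start NULL, one cleanup path, free-then-null. */
bool decode_pair(const uint8_t *buf, size_t buflen, octets *first, octets *second)
{
    octets a = { NULL, 0 }, b = { NULL, 0 };
    size_t pos = 0;
    bool ok = get_octet_string(buf, buflen, &pos, &a) &&
              get_octet_string(buf, buflen, &pos, &b) &&
              pos == buflen;                  /* reject trailing bytes */
    if (!ok) {
        free(a.data); a.data = NULL;          /* free(NULL) is a no-op */
        free(b.data); b.data = NULL;
        first->data = second->data = NULL;
        first->len = second->len = 0;
        return false;
    }
    *first = a;
    *second = b;
    return true;
}

/* Constructed inputs: "hi" then "abc"; JUNK is GOOD plus one trailing byte. */
static const uint8_t GOOD[] = { 0x04, 0x02, 'h', 'i', 0x04, 0x03, 'a', 'b', 'c' };
static const uint8_t JUNK[] = { 0x04, 0x02, 'h', 'i', 0x04, 0x03, 'a', 'b', 'c', 0x00 };

/* Demo helper: total decoded length on success, -1 if rejected. */
long try_decode(const uint8_t *buf, size_t len)
{
    octets a, b;
    if (!decode_pair(buf, len, &a, &b))
        return -1;
    long total = (long)(a.len + b.len);
    free(a.data);
    free(b.data);
    return total;
}

int main(void)
{
    printf("well-formed: %ld\n", try_decode(GOOD, sizeof GOOD));
    printf("truncated second element: %ld\n", try_decode(GOOD, sizeof GOOD - 1));
    printf("trailing junk: %ld\n", try_decode(JUNK, sizeof JUNK));
    return 0;
}
```

The truncated case is the one that matters: the first OCTET STRING has been
allocated, the second fails, and cleanup must free exactly one buffer.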
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c02257427
Version: 1
HPSBUX02544 SSRT100107 rev.1 - HP-UX Running Kerberos, Remote Denial of Service (DoS), Execution of Arbitrary Code
NOTICE: The information in this Security Bulletin should be acted upon as soon as possible.
Release Date: 2010-06-23
Last Updated: 2010-06-23
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: High
Title: MIT Kerberos 5: Multiple vulnerabilities
Date: September 11, 2007
Bugs: #191301
ID: 200709-01
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
A double free vulnerability exists in the KDC in MIT krb5 releases
krb5-1.7 and later.
This is an implementation vulnerability in MIT krb5, and not a
vulnerability in the Kerberos protocol.
IMPACT
======
An authenticated remote attacker can crash the KDC by inducing the KDC
Report Confidence: Confirmed
SUMMARY
=======
The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable
to a double-free condition if the Public Key Cryptography for Initial
Authentication (PKINIT) capability is enabled, resulting in daemon
crash or arbitrary code execution (which is believed to be difficult).
IMPACT
A null pointer dereference can occur in an error condition in the KDC
cross-realm referral processing code in MIT krb5-1.7. This can cause
the KDC to crash.
This is an implementation vulnerability in MIT krb5, and is not a
vulnerability in the Kerberos protocol.
IMPACT
======
An unauthenticated remote attacker could cause the KDC to crash due to
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
http://security.gentoo.org/
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Severity: Normal
Title: MIT Kerberos 5 Applications: Multiple vulnerabilities
Date: January 23, 2012
Bugs: #374229, #396137
ID: 201201-14
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
xprt->xp_addrlen = len;
xprt->xp_laddr = laddr;
This patch will result in too-high-numbered file descriptors being
immediately closed after the connection comes in. Clients will see
connections established, and then closed; a "GSS-API (or Kerberos)
error while initializing kadmin interface" will eventually result.
Once some of the lower-numbered file descriptors are closed, clients
will be able to get useful connections again.
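The check that produces the behaviour described above, as an added example
(editor's C, not the krb5-1.2.2 patch itself; the type and function names
and the /dev/null demo are assumptions): select()'s fd_set is a fixed bitmap
of FD_SETSIZE bits, so FD_SET on a higher-numbered descriptor writes outside
it. The accept path therefore closes such descriptors immediately instead of
registering them, which is exactly the connect-then-close that clients see.

```c
#include <fcntl.h>
#include <stdbool.h>
#include <stdio.h>
#include <sys/select.h>
#include <unistd.h>

typedef struct { fd_set readfds; int maxfd; } listener_state;

void listener_init(listener_state *st)
{
    FD_ZERO(&st->readfds);
    st->maxfd = -1;
}

/* Accept-path check: FD_SET on fd >= FD_SETSIZE writes past the end of the
 * fd_set bitmap, so a descriptor that high is closed on the spot and never
 * registered.  Returns true only when fd was added to the set. */
bool register_client(listener_state *st, int fd)
{
    if (fd < 0)
        return false;
    if (fd >= FD_SETSIZE) {
        close(fd);
        return false;
    }
    FD_SET(fd, &st->readfds);
    if (fd > st->maxfd)
        st->maxfd = fd;
    return true;
}

/* Bounds-checked FD_ISSET: the macro itself has no range check either. */
bool is_registered(const listener_state *st, int fd)
{
    return fd >= 0 && fd < FD_SETSIZE && FD_ISSET(fd, &st->readfds);
}

/* Demo: a real low descriptor is accepted, an out-of-range number is
 * rejected (close() on it simply fails with EBADF).  Returns 1 on the
 * expected behaviour, 0 otherwise. */
int demo(void)
{
    listener_state st;
    listener_init(&st);
    int fd = open("/dev/null", O_RDONLY);
    if (fd < 0)
        return 0;
    bool low_ok = register_client(&st, fd) && is_registered(&st, fd) && st.maxfd == fd;
    bool high_rejected = !register_client(&st, FD_SETSIZE) &&
                         !is_registered(&st, FD_SETSIZE);
    close(fd);
    return low_ok && high_rejected;
}

int main(void)
{
    printf("FD_SETSIZE = %d, demo %s\n", FD_SETSIZE, demo() ? "ok" : "FAILED");
    return 0;
}
```

Closing the connection is the minimal fix for a select()-based loop; a
server that needs more than FD_SETSIZE clients must switch to poll() or an
event interface rather than raise the limit.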
* Apply the following patch for krb5-1.2.2 and probably other pre-1.3