Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
amazonAmazonALAS-2014-443
HistoryNov 11, 2014 - 10:25 a.m.

Medium: krb5

2014-11-1110:25:00
alas.aws.amazon.com
10

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.936 High

EPSS

Percentile

99.1%

JSON

Issue Overview:

It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418, CVE-2013-6800)

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344)

A buffer overflow was found in the KADM5 administration server (kadmind) when it was used with an LDAP back end for the KDC database. A remote, authenticated attacker could potentially use this flaw to execute arbitrary code on the system running kadmind. (CVE-2014-4345)

Two buffer over-read flaws were found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application’s GSSAPI session could use either of these flaws to crash the application. (CVE-2014-4341, CVE-2014-4342)

A double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker able to spoof packets to appear as though they are from an GSSAPI acceptor could use this flaw to crash a client application that uses MIT Kerberos. (CVE-2014-4343)

Affected Packages:

krb5

Issue Correction:
Run yum update krb5 to update your system.

New Packages:

i686:  
    krb5-server-1.10.3-33.28.amzn1.i686  
    krb5-server-ldap-1.10.3-33.28.amzn1.i686  
    krb5-debuginfo-1.10.3-33.28.amzn1.i686  
    krb5-devel-1.10.3-33.28.amzn1.i686  
    krb5-libs-1.10.3-33.28.amzn1.i686  
    krb5-workstation-1.10.3-33.28.amzn1.i686  
    krb5-pkinit-openssl-1.10.3-33.28.amzn1.i686  
  
src:  
    krb5-1.10.3-33.28.amzn1.src  
  
x86_64:  
    krb5-libs-1.10.3-33.28.amzn1.x86_64  
    krb5-server-1.10.3-33.28.amzn1.x86_64  
    krb5-debuginfo-1.10.3-33.28.amzn1.x86_64  
    krb5-pkinit-openssl-1.10.3-33.28.amzn1.x86_64  
    krb5-workstation-1.10.3-33.28.amzn1.x86_64  
    krb5-devel-1.10.3-33.28.amzn1.x86_64  
    krb5-server-ldap-1.10.3-33.28.amzn1.x86_64

Additional References

Red Hat: CVE-2013-1418, CVE-2013-6800, CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344, CVE-2014-4345

Mitre: CVE-2013-1418, CVE-2013-6800, CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344, CVE-2014-4345

OSVersionArchitecturePackageVersionFilename
Amazon Linux1i686krb5-server< 1.10.3-33.28.amzn1krb5-server-1.10.3-33.28.amzn1.i686.rpm
Amazon Linux1i686krb5-server-ldap< 1.10.3-33.28.amzn1krb5-server-ldap-1.10.3-33.28.amzn1.i686.rpm
Amazon Linux1i686krb5-debuginfo< 1.10.3-33.28.amzn1krb5-debuginfo-1.10.3-33.28.amzn1.i686.rpm
Amazon Linux1i686krb5-devel< 1.10.3-33.28.amzn1krb5-devel-1.10.3-33.28.amzn1.i686.rpm
Amazon Linux1i686krb5-libs< 1.10.3-33.28.amzn1krb5-libs-1.10.3-33.28.amzn1.i686.rpm
Amazon Linux1i686krb5-workstation< 1.10.3-33.28.amzn1krb5-workstation-1.10.3-33.28.amzn1.i686.rpm
Amazon Linux1i686krb5-pkinit-openssl< 1.10.3-33.28.amzn1krb5-pkinit-openssl-1.10.3-33.28.amzn1.i686.rpm
Amazon Linux1x86_64krb5-libs< 1.10.3-33.28.amzn1krb5-libs-1.10.3-33.28.amzn1.x86_64.rpm
Amazon Linux1x86_64krb5-server< 1.10.3-33.28.amzn1krb5-server-1.10.3-33.28.amzn1.x86_64.rpm
Amazon Linux1x86_64krb5-debuginfo< 1.10.3-33.28.amzn1krb5-debuginfo-1.10.3-33.28.amzn1.x86_64.rpm
Rows per page:
1-10 of 141

Related

nessus 47
oraclelinux 4
openvas 32
centos 4
redhat 4
fedora 7
debian 4
osv 3
mageia 3
veracode 8
ubuntu 1
aix 1
gentoo 2
prion 7
ubuntucve 7
f5 14
cve 7
ibm 4
freebsd 1
debiancve 6
checkpoint_advisories 3
securityvulns 4
suse 1
oracle 1
nessus
nessus
Scientific Linux Security Update : krb5 on SL6.x i386/x86_64 (20141014)
2014-11-04 00:00:00
Amazon Linux AMI : krb5 (ALAS-2014-443)
2014-11-18 00:00:00
RHEL 6 : krb5 (RHSA-2014:1389)
2014-10-14 00:00:00
oraclelinux
oraclelinux
krb5 security and bug fix update
2014-10-15 00:00:00
krb5 security and bug fix update
2014-09-17 00:00:00
krb5 security, bug fix and enhancement update
2015-03-11 00:00:00
openvas
openvas
RedHat Update for krb5 RHSA-2014:1389-02
2014-10-15 00:00:00
Amazon Linux: Security Advisory (ALAS-2014-443)
2015-09-08 00:00:00
Oracle: Security Advisory (ELSA-2014-1389)
2015-10-06 00:00:00
centos
centos
krb5 security update
2014-10-20 18:09:24
krb5 security update
2014-09-30 11:21:52
krb5 security update
2015-03-17 13:28:30
redhat
redhat
(RHSA-2014:1389) Moderate: krb5 security and bug fix update
2014-10-14 00:00:00
(RHSA-2014:1245) Moderate: krb5 security and bug fix update
2014-09-16 00:00:00
(RHSA-2015:0439) Moderate: krb5 security, bug fix and enhancement update
2015-03-05 00:00:00
fedora
fedora
[SECURITY] Fedora 19 Update: krb5-1.11.3-25.fc19
2014-08-27 01:34:45
[SECURITY] Fedora 20 Update: krb5-1.11.5-11.fc20
2014-08-15 02:45:53
[SECURITY] Fedora 19 Update: krb5-1.11.3-24.fc19
2014-08-07 15:27:20
debian
debian
[SECURITY] [DSA 3000-1] krb5 security update
2014-08-09 14:54:58
[SECURITY] [DSA 3000-1] krb5 security update
2014-08-09 14:55:17
[DLA 37-1] krb5 security update
2014-08-18 17:46:47
osv
osv
krb5 - security update
2014-08-18 00:00:00
krb5 - security update
2014-08-09 00:00:00
krb5 - security update
2018-01-31 00:00:00
mageia
mageia
Updated krb5 package fixes security vulnerabilities
2014-08-22 14:58:14
Updated krb5 package fixes security vulnerabily
2013-11-21 00:38:57
Updated krb5 package fixes security vulnerabilities
2013-11-21 00:41:07
veracode
veracode
Denial Of Service (DoS)
2019-05-02 05:04:04
Denial Of Service (DoS)
2019-05-02 05:04:04
Denial Of Service (DoS)
2019-05-02 05:04:04
ubuntu
ubuntu
Kerberos vulnerabilities
2014-08-11 00:00:00
aix
aix
Multiple Security vulnerabilities in IBM NAS
2014-08-28 03:15:00
gentoo
gentoo
MIT Kerberos 5: User-assisted execution of arbitrary code
2014-12-31 00:00:00
MIT Kerberos 5: Multiple vulnerabilities
2013-12-16 00:00:00
prion
prion
Null pointer dereference
2013-11-18 02:55:00
Design/Logic Flaw
2014-07-20 11:12:00
Null pointer dereference
2014-08-14 05:01:00
ubuntucve
ubuntucve
CVE-2013-6800
2013-11-17 00:00:00
CVE-2014-4342
2014-07-20 00:00:00
CVE-2014-4341
2014-07-20 00:00:00
f5
f5
K15785 : Kerberos vulnerability CVE-2013-6800
2014-11-03 00:00:00
SOL15785 - Kerberos vulnerability CVE-2013-6800
2014-11-03 00:00:00
K15552 : MIT Kerberos 5 vulnerability CVE-2014-4341
2015-11-10 00:00:00
cve
cve
CVE-2013-6800
2013-11-18 02:55:00
CVE-2014-4341
2014-07-20 11:12:00
CVE-2014-4344
2014-08-14 05:01:00
ibm
ibm
Security Bulletin: IBM Security Network Intrusion Prevention System is affected by krb5 vulnerabilities (CVE-2014-4341, CVE-2013-1418 )
2022-02-23 19:48:26
Security Bulletin: Power Hardware Management Console is affected by security vulnerabilities in Kerberos (CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423)
2021-09-23 01:31:39
Security Bulletin: IBM DataPower Gateway affected by vulnerabilities in Kerberos
2022-06-02 13:24:33
freebsd
freebsd
krb5 1.11 -- New release/fix multiple vulnerabilities
2015-02-25 00:00:00
debiancve
debiancve
CVE-2014-4341
2014-07-20 11:12:00
CVE-2013-1418
2013-11-18 03:55:00
CVE-2014-4344
2014-08-14 05:01:00
checkpoint_advisories
checkpoint_advisories
Kerberos Multi-realm KDC NULL Pointer Dereference Denial of Service (CVE-2013-1418)
2013-01-06 00:00:00
MIT Kerberos SPNEGO Acceptor acc_ctx_cont Denial of Service (CVE-2014-4344)
2014-09-14 00:00:00
MIT Kerberos Invalid RFC 1964 Token Denial of Service (CVE-2014-4342)
2014-09-23 00:00:00
securityvulns
securityvulns
MIT Kerberos 5 KDC DoS
2013-11-26 00:00:00
[ MDVSA-2013:275 ] krb5
2013-11-26 00:00:00
MITKRB5-SA-2014-001 Buffer overrun in kadmind with LDAP backend
2014-08-26 00:00:00
suse
suse
Security update for krb5 (important)
2014-08-16 01:04:22
oracle
oracle
Oracle Critical Patch Update - October 2017
2017-10-17 00:00:00

8.5 High

CVSS2

Access Vector

NETWORK

Access Complexity

MEDIUM

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:M/Au:S/C:C/I:C/A:C

0.936 High

EPSS

Percentile

99.1%

JSON
Related for ALAS-2014-443
nessus47oraclelinux4openvas32centos4redhat4fedora7debian4osv3mageia3veracode8ubuntu1aix1gentoo2prion7ubuntucve7f514cve7ibm4freebsd1debiancve6checkpoint_advisories3securityvulns4suse1oracle1