CVSS2 base score: 9 (High)
Access Vector: NETWORK
Access Complexity: LOW
Authentication: SINGLE
Confidentiality Impact: COMPLETE
Integrity Impact: COMPLETE
Availability Impact: COMPLETE
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C

EPSS score: 0.018 (Low)
EPSS percentile: 86.8%
In the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context deletion
token, the caller is left with a security context handle containing a
dangling pointer. Further uses of this handle will result in
use-after-free and double-free memory access violations. libgssrpc
server applications such as kadmind are vulnerable as they can be
instructed to call gss_process_context_token().

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal. The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by inserting into the database a principal entry which contains no
long-term keys.

If the MIT krb5 kadmind daemon receives invalid XDR data from an
authenticated user, it may perform use-after-free and double-free memory
access violations while cleaning up the partial deserialization results.
Other libgssrpc server applications may also be vulnerable if they
contain insufficiently defensive XDR functions.

The MIT krb5 kadmind daemon incorrectly accepts authentications to
two-component server principals whose first component is a left
substring of "kadmin" or whose realm is a left prefix of the default realm.

libgssrpc applications including kadmind output four or eight bytes of
uninitialized memory to the network as part of an unused "handle" field
in replies to clients.

References:
web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt
www.openwall.com/lists/oss-security/2014/12/16/1
access.redhat.com/security/cve/CVE-2014-5352
access.redhat.com/security/cve/CVE-2014-9421
access.redhat.com/security/cve/CVE-2014-9422
access.redhat.com/security/cve/CVE-2014-9423
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5353
web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5354