Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
archlinuxArch LinuxASA-201502-12
HistoryFeb 17, 2015 - 12:00 a.m.

krb5: multiple issues

2015-02-1700:00:00
Arch Linux
lists.archlinux.org
18

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.018 Low

EPSS

Percentile

86.8%

JSON
  • CVE-2014-5352 (authenticated remote code execution):

In the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context deletion
token, the caller is left with a security context handle containing a
dangling pointer. Further uses of this handle will result in
use-after-free and double-free memory access violations. libgssrpc
server applications such as kadmind are vulnerable as they can be
instructed to call gss_process_context_token().

  • CVE-2014-5353 (authenticated remote denial of service):

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by attempting to use a named ticket policy object as a password policy
for a principal. The attacker needs to be authenticated as a user who
has the elevated privilege for setting password policy by adding or
modifying principals.

  • CVE-2014-5354 (authenticated remote denial of service):

In MIT krb5, when kadmind is configured to use LDAP for the KDC
database, an authenticated remote attacker can cause a NULL dereference
by inserting into the database a principal entry which contains no
long-term keys.

  • CVE-2014-9421 (authenticated remote code execution):

If the MIT krb5 kadmind daemon receives invalid XDR data from an
authenticated user, it may perform use-after-free and double-free memory
access violations while cleaning up the partial deserialization results.
Other libgssrpc server applications may also be vulnerable if they
contain insufficiently defensive XDR functions.

  • CVE-2014-9422 (privilege escalation):

The MIT krb5 kadmind daemon incorrectly accepts authentications to
two-component server principals whose first component is a left
substring of "kadmin" or whose realm is a left prefix of the default realm.

  • CVE-2014-9423 (unauthenticated remote information leak):

libgssrpc applications including kadmind output four or eight bytes of
uninitialized memory to the network as part of an unused "handle" field
in replies to clients.

OSVersionArchitecturePackageVersionFilename
anyanyanykrb5< 1.13.1-1UNKNOWN

Related

nessus 33
fedora 4
freebsd 4
openvas 25
ubuntu 1
altlinux 6
debian 3
mageia 2
suse 3
securityvulns 4
osv 3
ibm 9
aix 1
oraclelinux 2
veracode 5
centos 2
amazon 1
redhat 2
f5 6
ubuntucve 6
debiancve 6
prion 6
cve 6
attackerkb 1
nessus
nessus
FreeBSD : krb5 1.12 -- New release/fix multiple vulnerabilities (63527d0d-b9de-11e4-8a48-206a8a720317)
2015-02-23 00:00:00
Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2498-1)
2015-02-11 00:00:00
SuSE 11.3 Security Update : krb5 (SAT Patch Number 10282)
2015-02-12 00:00:00
fedora
fedora
[SECURITY] Fedora 21 Update: krb5-1.12.2-14.fc21
2015-03-12 16:33:54
[SECURITY] Fedora 21 Update: krb5-1.12.2-17.fc21
2015-06-21 00:28:50
[SECURITY] Fedora 20 Update: krb5-1.11.5-18.fc20
2015-03-09 08:18:34
freebsd
freebsd
krb5 1.12 -- New release/fix multiple vulnerabilities
2015-02-20 00:00:00
krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092
2015-02-03 00:00:00
krb5 1.11 -- New release/fix multiple vulnerabilities
2015-02-25 00:00:00
openvas
openvas
Fedora Update for krb5 FEDORA-2015-2347
2015-03-13 00:00:00
Ubuntu: Security Advisory (USN-2498-1)
2015-02-11 00:00:00
SUSE: Security Advisory (SUSE-SU-2015:0257-1)
2021-06-09 00:00:00
ubuntu
ubuntu
Kerberos vulnerabilities
2015-02-10 00:00:00
altlinux
altlinux
Security fix for the ALT Linux 8 package krb5 version 1.13-alt3
2015-02-08 00:00:00
Security fix for the ALT Linux 9 package krb5 version 1.13-alt3
2015-02-08 00:00:00
Security fix for the ALT Linux 7 package krb5 version 1.13-alt3
2015-02-08 00:00:00
debian
debian
[SECURITY] [DSA 3153-1] krb5 security update
2015-02-03 20:50:06
[SECURITY] [DLA 146-1] krb5 security update
2015-02-07 10:52:32
[SECURITY] [DLA 1265-1] krb5 security update
2018-01-31 17:06:34
mageia
mageia
Updated krb5 packages fix security vulnerabilities
2015-02-15 18:57:20
Updated krb5 packages fix CVE-2014-5353
2014-12-19 18:06:35
suse
suse
Security update for krb5 (important)
2015-02-11 18:08:30
Security update for krb5 (important)
2015-02-16 14:05:49
Security update for krb5 (important)
2015-02-16 15:04:57
securityvulns
securityvulns
MIT Kerberos 5 multiple security vulnerabilities
2015-02-11 00:00:00
MITKRB5-SA-2015-001 Vulnerabilities in kadmind, libgssrpc, gss_process_context_token
2015-02-11 00:00:00
[ MDVSA-2015:009 ] krb5
2015-01-13 00:00:00
osv
osv
krb5 - security update
2015-02-03 00:00:00
krb5 - security update
2015-02-07 00:00:00
krb5 - security update
2018-01-31 00:00:00
ibm
ibm
Security Bulletin: IBM Security Network Intrusion Prevention System is affected by krb5 vulnerabilities (CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423)
2022-02-23 19:48:26
Security Bulletin: Multiple Kerberos (krb5) vulnerabilities affect PowerKVM (Multiple CVEs)
2018-06-18 01:27:54
Security Bulletin: Vulnerabilities in Kerberos (krb5) affect IBM Security Network Protection (CVE-2014-5352, CVE-2014-5353, CVE-2014-5355, CVE-2014-9421, and CVE-2014-9422)
2018-06-16 21:25:59
aix
aix
Multiple Security vulnerabilities in IBM NAS(kerberos)
2015-05-21 05:06:05
oraclelinux
oraclelinux
krb5 security update
2015-04-09 00:00:00
krb5 security, bug fix and enhancement update
2015-03-11 00:00:00
veracode
veracode
Arbitrary Code Execution
2019-05-02 05:13:02
Privilege Escalation
2019-05-02 05:13:02
Denial Of Service (DoS)
2019-01-15 09:05:33
centos
centos
krb5 security update
2015-04-09 11:47:52
krb5 security update
2015-03-17 13:28:30
amazon
amazon
Medium: krb5
2015-05-05 15:44:00
redhat
redhat
(RHSA-2015:0794) Moderate: krb5 security update
2015-04-09 00:00:00
(RHSA-2015:0439) Moderate: krb5 security, bug fix and enhancement update
2015-03-05 00:00:00
f5
f5
K16443 : MIT Kerberos 5 vulnerabilities CVE-2014-9421 and CVE-2014-5352
2015-04-15 00:00:00
SOL16443 - MIT Kerberos 5 vulnerabilities CVE-2014-9421 and CVE-2014-5352
2015-04-15 00:00:00
K16441 : MIT Kerberos 5 vulnerability CVE-2014-9423
2015-04-15 00:00:00
ubuntucve
ubuntucve
CVE-2014-9421
2015-02-03 00:00:00
CVE-2014-9423
2015-02-03 00:00:00
CVE-2014-9422
2015-02-03 00:00:00
debiancve
debiancve
CVE-2014-9421
2015-02-19 11:59:00
CVE-2014-9423
2015-02-19 11:59:00
CVE-2014-5354
2014-12-16 23:59:00
prion
prion
Design/Logic Flaw
2015-02-19 11:59:00
Authorization
2015-02-19 11:59:00
Double free
2015-02-19 11:59:00
cve
cve
CVE-2014-9423
2015-02-19 11:59:00
CVE-2014-9422
2015-02-19 11:59:00
CVE-2014-9421
2015-02-19 11:59:00
attackerkb
attackerkb
Microsoft Internet Explorer Use-After-Free Vulnerability
2014-10-15 00:00:00

9 High

CVSS2

Access Vector

NETWORK

Access Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

COMPLETE

Integrity Impact

COMPLETE

Availability Impact

COMPLETE

AV:N/AC:L/Au:S/C:C/I:C/A:C

0.018 Low

EPSS

Percentile

86.8%

JSON
Related for ASA-201502-12
nessus33fedora4freebsd4openvas25ubuntu1altlinux6debian3mageia2suse3securityvulns4osv3ibm9aix1oraclelinux2veracode5centos2amazon1redhat2f56ubuntucve6debiancve6prion6cve6attackerkb1