ID: CVE-2014-9421
Type: cve
Reporter: NVD
Modified: 2017-01-02T21:59:24
Description
The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.
{"result": {"f5": [{"id": "F5:K16443", "type": "f5", "title": "MIT Kerberos 5 vulnerabilities CVE-2014-9421 and CVE-2014-5352", "description": "\nF5 Product Development has assigned ID 476378 (ARX) to this vulnerability, and has evaluated the currently supported releases for potential vulnerability.\n\nTo determine if your release is known to be vulnerable, the components or features that are affected by the vulnerability, and for information about releases or hotfixes that address the vulnerability, refer to the following table:\n\nProduct| Versions known to be vulnerable| Versions known to be not vulnerable| Severity| Vulnerable component or feature \n---|---|---|---|--- \nBIG-IP LTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP AAM| None| 11.4.0 - 11.6.0| Not vulnerable| None \nBIG-IP AFM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP Analytics| None| 11.0.0 - 11.6.0| Not vulnerable| None \nBIG-IP APM| None| 11.0.0 - 11.6.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP ASM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Edge Gateway| None| 11.0.0 - 11.3.0 \n10.1.0 - 10.2.4| Not vulnerable| None \nBIG-IP GTM| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP Link Controller| None| 11.0.0 - 11.6.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP PEM| None| 11.3.0 - 11.6.0| Not vulnerable| None \nBIG-IP PSM| None| 11.0.0 - 11.4.1 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WebAccelerator| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nBIG-IP WOM| None| 11.0.0 - 11.3.0 \n10.0.0 - 10.2.4| Not vulnerable| None \nARX| 6.0.0 - 6.4.0| None| High| Kerberos 5 library \nEnterprise Manager| None| 3.0.0 - 3.1.1 \n2.1.0 - 2.3.0| Not vulnerable| None \nFirePass| None| 7.0.0 \n6.0.0 - 6.1.0| Not vulnerable| None \nBIG-IQ Cloud| None| 4.0.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Device| None| 4.2.0 - 4.5.0| Not vulnerable| None \nBIG-IQ Security| None| 4.0.0 - 4.5.0| Not 
vulnerable| None \nBIG-IQ ADC| None| 4.5.0| Not vulnerable| None \nLineRate| None| 2.4.0 - 2.5.0| Not vulnerable| None \nF5 WebSafe| None| 1.0.0| Not vulnerable| None \nTraffix SDC| None| 4.0.0 - 4.1.0 \n3.3.2 - 3.5.1| Not vulnerable| None \nBIG-IP Edge Clients for Android| None| 2.0.0 - 2.0.6| Not vulnerable| None \nBIG-IP Edge Clients for Apple iOS| None| 2.0.0 - 2.0.4 \n1.0.5 - 1.0.6| Not vulnerable| None \nBIG-IP Edge Clients for Linux| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients for MAC OS X| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients for Windows| None| 6035.x - 7110.x| Not vulnerable| None \nBIG-IP Edge Clients Windows Phone 8.1| None| 1.0.0.x| Not vulnerable| None \nBIG-IP Edge Portal for Android| None| 1.0.0 - 1.0.2| Not vulnerable| None \nBIG-IP Edge Portal for Apple iOS| None| 1.0.0 - 1.0.3| Not vulnerable| None \n \n**Note**: As of February 17, 2015, AskF5 Security Advisory articles include the **Severity** value. Security Advisory articles published before this date do not list a **Severity** value.\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. 
If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\n * [K9970: Subscribing to email notifications regarding F5 products](<https://support.f5.com/csp/article/K9970>)\n * [K9957: Creating a custom RSS feed to view new and updated documents](<https://support.f5.com/csp/article/K9957>)\n * [K4602: Overview of the F5 security vulnerability response policy](<https://support.f5.com/csp/article/K4602>)\n", "published": "2015-04-15T20:13:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://support.f5.com/csp/article/K16443", "cvelist": ["CVE-2014-5352", "CVE-2014-9421"], "lastseen": "2017-06-08T00:16:12"}, {"id": "SOL16443", "type": "f5", "title": "SOL16443 - MIT Kerberos 5 vulnerabilities CVE-2014-9421 and CVE-2014-5352", "description": "Vulnerability Recommended Actions\n\nIf the previous table lists a version in the **Versions known to be not vulnerable** column, you can eliminate this vulnerability by upgrading to the listed version. 
If the listed version is older than the version you are currently running, or if the table does not list any version in the column, then no upgrade candidate currently exists.\n\nSupplemental Information\n\n * SOL9970: Subscribing to email notifications regarding F5 products\n * SOL9957: Creating a custom RSS feed to view new and updated documents\n * SOL4602: Overview of the F5 security vulnerability response policy\n", "published": "2015-04-15T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://support.f5.com/kb/en-us/solutions/public/16000/400/sol16443.html", "cvelist": ["CVE-2014-5352", "CVE-2014-9421"], "lastseen": "2016-09-26T17:22:55"}], "suse": [{"id": "SUSE-SU-2015:0290-2", "type": "suse", "title": "Security update for krb5 (important)", "description": "MIT kerberos krb5 was updated to fix several security issues and bugs.\n\n Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3\n function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5\n (aka krb5) sent old keys in a response to a -randkey -keepold request,\n which allowed remote authenticated users to forge tickets by leveraging\n administrative access.\n\n CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after\n gss_process_context_token() is used to process a valid context deletion\n token, the caller was left with a security context handle containing a\n dangling pointer. Further uses of this handle would have resulted in\n use-after-free and double-free memory access violations. libgssrpc server\n applications such as kadmind were vulnerable as they can be instructed to\n call gss_process_context_token().\n\n CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data\n from an authenticated user, it may have performed use-after-free and\n double-free memory access violations while cleaning up the partial\n deserialization results. 
Other libgssrpc server applications might also\n have been vulnerable if they contain insufficiently defensive XDR functions.\n\n CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted\n authentications to two-component server principals whose first component\n is a left substring of "kadmin" or whose realm is a left prefix of the\n default realm.\n\n CVE-2014-9423: libgssrpc applications including kadmind output four or\n eight bytes of uninitialized memory to the network as part of an unused\n "handle" field in replies to clients.\n\n Bugs fixed:\n - Work around replay cache creation race; (bnc#898439).\n\n", "published": "2015-02-16T15:04:57", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00017.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5351", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2016-09-04T12:40:30"}, {"id": "SUSE-SU-2015:0290-1", "type": "suse", "title": "Security update for krb5 (important)", "description": "MIT kerberos krb5 was updated to fix several security issues and bugs.\n\n Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3\n function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5\n (aka krb5) sent old keys in a response to a -randkey -keepold request,\n which allowed remote authenticated users to forge tickets by leveraging\n administrative access.\n\n CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after\n gss_process_context_token() is used to process a valid context deletion\n token, the caller was left with a security context handle containing a\n dangling pointer. Further uses of this handle would have resulted in\n use-after-free and double-free memory access violations. 
libgssrpc server\n applications such as kadmind were vulnerable as they can be instructed to\n call gss_process_context_token().\n\n CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data\n from an authenticated user, it may have performed use-after-free and\n double-free memory access violations while cleaning up the partial\n deserialization results. Other libgssrpc server applications might also\n have been vulnerable if they contain insufficiently defensive XDR functions.\n\n CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted\n authentications to two-component server principals whose first component\n is a left substring of "kadmin" or whose realm is a left prefix of the\n default realm.\n\n CVE-2014-9423: libgssrpc applications including kadmind output four or\n eight bytes of uninitialized memory to the network as part of an unused\n "handle" field in replies to clients.\n\n Bugs fixed:\n - Work around replay cache creation race; (bnc#898439).\n\n", "published": "2015-02-16T14:05:49", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5351", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2016-09-04T11:49:45"}, {"id": "SUSE-SU-2015:0257-1", "type": "suse", "title": "Security update for krb5 (important)", "description": "krb5 has been updated to fix four security issues:\n\n * CVE-2014-5352: gss_process_context_token() incorrectly frees context\n (bsc#912002)\n * CVE-2014-9421: kadmind doubly frees partial deserialization results\n (bsc#912002)\n * CVE-2014-9422: kadmind incorrectly validates server principal name\n (bsc#912002)\n * CVE-2014-9423: libgssrpc server applications leak uninitialized\n bytes (bsc#912002)\n\n Additionally, these non-security issues have been fixed:\n\n * Winbind process hangs indefinitely without DC. 
(bsc#872912)\n * Hanging winbind processes. (bsc#906557)\n\n Security Issues:\n\n * CVE-2014-5352\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352>\n * CVE-2014-9421\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421>\n * CVE-2014-9422\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422>\n * CVE-2014-9423\n <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423>\n\n", "published": "2015-02-11T18:08:30", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2016-09-04T12:30:16"}], "nessus": [{"id": "SL_20150409_KRB5_ON_SL6_X.NASL", "type": "nessus", "title": "Scientific Linux Security Update : krb5 on SL6.x i386/x86_64", "description": "The following security issues are fixed with this release :\n\nA use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. 
(CVE-2014-5352)\n\nIf kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.\n(CVE-2014-5353)\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.\n(CVE-2014-5355)\n\nA double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421)\n\nIt was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. 
(CVE-2014-9422)", "published": "2015-04-10T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82694", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-10-29T13:40:27"}, {"id": "OPENSUSE-2015-128.NASL", "type": "nessus", "title": "openSUSE Security Update : krb5 (openSUSE-2015-128)", "description": "krb5 was updated to fix five security issues.\n\nThese security issues were fixed :\n\n - CVE-2014-5351: current keys returned when randomizing the keys for a service principal (bnc#897874) \n\n - CVE-2014-5352: An authenticated attacker could cause a vulnerable application (including kadmind) to crash or to execute arbitrary code (bnc#912002).\n\n - CVE-2014-9421: An authenticated attacker could cause kadmind or other vulnerable server applications to crash or to execute arbitrary code (bnc#912002).\n\n - CVE-2014-9422: An attacker who possesses the key of a particularly named principal (such as 'kad/root') could impersonate any user to kadmind and perform administrative actions as that user (bnc#912002).\n\n - CVE-2014-9423: An attacker could attempt to glean sensitive information from the four or eight bytes of uninitialized data output by kadmind or other libgssrpc server applications. 
Because MIT krb5 generally sanitizes memory containing krb5 keys before freeing it, it is unlikely that kadmind would leak Kerberos key information, but it is not impossible (bnc#912002).\n\nThis non-security issue was fixed :\n\n - Work around replay cache creation race (bnc#898439).", "published": "2015-02-12T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=81304", "cvelist": ["CVE-2014-9422", "CVE-2014-5351", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-10-29T13:34:15"}, {"id": "FREEBSD_PKG_24CE5597ACAB11E4A847206A8A720317.NASL", "type": "nessus", "title": "FreeBSD : krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092 (24ce5597-acab-11e4-a847-206a8a720317)", "description": "SO-AND-SO reports :\n\nCVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is used to process a valid context deletion token, the caller is left with a security context handle containing a dangling pointer. Further uses of this handle will result in use-after-free and double-free memory access violations. libgssrpc server applications such as kadmind are vulnerable as they can be instructed to call gss_process_context_token().\n\nCVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated user, it may perform use-after-free and double-free memory access violations while cleaning up the partial deserialization results. 
Other libgssrpc server applications may also be vulnerable if they contain insufficiently defensive XDR functions.\n\nCVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepts authentications to two-component server principals whose first component is a left substring of 'kadmin' or whose realm is a left prefix of the default realm.\n\nCVE-2014-9423: libgssrpc applications including kadmind output four or eight bytes of uninitialized memory to the network as part of an unused 'handle' field in replies to clients.", "published": "2015-02-05T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=81175", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-10-29T13:35:38"}, {"id": "ORACLELINUX_ELSA-2015-0794.NASL", "type": "nessus", "title": "Oracle Linux 6 : krb5 (ELSA-2015-0794)", "description": "From Red Hat Security Advisory 2015:0794 :\n\nUpdated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC.\n\nThe following security issues are fixed with this release :\n\nA use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. 
(CVE-2014-5352)\n\nIf kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.\n(CVE-2014-5353)\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.\n(CVE-2014-5355)\n\nA double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421)\n\nIt was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)\n\nRed Hat would like to thank the MIT Kerberos project for reporting CVE-2014-5352, CVE-2014-9421, and CVE-2014-9422. 
The MIT Kerberos project acknowledges Nico Williams for assisting with the analysis of CVE-2014-5352.\n\nAll krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.", "published": "2015-04-10T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82689", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-10-29T13:36:15"}, {"id": "MANDRIVA_MDVSA-2015-069.NASL", "type": "nessus", "title": "Mandriva Linux Security Advisory : krb5 (MDVSA-2015:069)", "description": "Multiple vulnerabilities have been discovered and corrected in krb5 :\n\nThe krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind (CVE-2014-5352).\n\nMIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c (CVE-2014-5355).\n\nThe auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users 
to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind (CVE-2014-9421).\n\nThe check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial kadmind substring, as demonstrated by a ka/x principal (CVE-2014-9422).\n\nThe svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field (CVE-2014-9423).\n\nThe updated packages provide a solution for these security issues.", "published": "2015-03-30T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82322", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-10-29T13:36:28"}, {"id": "FEDORA_2015-2382.NASL", "type": "nessus", "title": "Fedora 20 : krb5-1.11.5-18.fc20 (2015-2382)", "description": "Security fix for CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423 Security fix for CVE-2014-5351\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-03-10T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=81705", "cvelist": ["CVE-2014-9422", "CVE-2014-5351", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-10-29T13:34:06"}, {"id": "CENTOS_RHSA-2015-0794.NASL", "type": "nessus", "title": "CentOS 6 : krb5 (CESA-2015:0794)", "description": "Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.\n\nRed Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.\n\nKerberos is a networked authentication system which allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos KDC.\n\nThe following security issues are fixed with this release :\n\nA use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. (CVE-2014-5352)\n\nIf kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal.\n(CVE-2014-5353)\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. 
A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.\n(CVE-2014-5355)\n\nA double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. (CVE-2014-9421)\n\nIt was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as 'kad/x') could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. (CVE-2014-9422)\n\nRed Hat would like to thank the MIT Kerberos project for reporting CVE-2014-5352, CVE-2014-9421, and CVE-2014-9422. The MIT Kerberos project acknowledges Nico Williams for assisting with the analysis of CVE-2014-5352.\n\nAll krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues.", "published": "2015-04-10T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=82667", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-10-29T13:44:57"}, {"id": "DEBIAN_DSA-3153.NASL", "type": "nessus", "title": "Debian DSA-3153-1 : krb5 - security update", "description": "Multiple vulnerabilities have been found in krb5, the MIT implementation of Kerberos :\n\n - CVE-2014-5352 Incorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code.\n\n - CVE-2014-9421 Incorrect memory management in kadmind's processing of XDR data might result in denial of 
service or the execution of arbitrary code.\n\n - CVE-2014-9422 Incorrect processing of two-component server principals might result in impersonation attacks.\n\n - CVE-2014-9423 An information leak in the libgssrpc library.", "published": "2015-02-04T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=81150", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-10-29T13:35:38"}, {"id": "AIX_NAS_ADVISORY3.NASL", "type": "nessus", "title": "AIX NAS Advisory : nas_advisory3.asc", "description": "The version of the Network Authentication Service (NAS) installed on the remote AIX host is affected by the following vulnerabilities related to Kerberos 5 :\n\n - Denial of service and remote code execution vulnerabilities exist due to security context handles not being properly maintained, allowing an authenticated, remote attacker to crash the service or execute arbitrary code using crafted GSSAPI traffic.\n (CVE-2014-5352)\n\n - A denial of service vulnerability exists due to improper handling of zero-byte or unterminated strings.\n (CVE-2014-5355)\n\n - Denial of service and remote code execution vulnerabilities exist which allow an authenticated, remote attacker to crash the service or execute arbitrary code using crafted, malformed XDR data.\n (CVE-2014-9421)\n\n - A privilege escalation vulnerability exists that allows an authenticated, remote attacker to gain administrative access via a flaw in kadmin authorization checks.\n (CVE-2014-9422)\n\n - An information disclosure vulnerability allows an attacker to gain information about process heap memory from NAS packets. 
(CVE-2014-9423)", "published": "2015-05-28T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=83874", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-10-29T13:41:49"}, {"id": "FEDORA_2015-2347.NASL", "type": "nessus", "title": "Fedora 21 : krb5-1.12.2-14.fc21 (2015-2347)", "description": "Security fix for CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423\n\nNote that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.", "published": "2015-03-13T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://www.tenable.com/plugins/index.php?view=single&id=81796", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-10-29T13:40:08"}], "openvas": [{"id": "OPENVAS:1361412562310871351", "type": "openvas", "title": "RedHat Update for krb5 RHSA-2015:0794-01", "description": "Check the version of krb5", "published": "2015-04-10T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310871351", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-07-27T10:53:13"}, {"id": "OPENVAS:1361412562310882160", "type": "openvas", "title": "CentOS Update for krb5-devel CESA-2015:0794 centos6 ", "description": "Check the version of krb5-devel", "published": "2015-04-10T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": 
"http://plugins.openvas.org/nasl.php?oid=1361412562310882160", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-07-25T10:53:34"}, {"id": "OPENVAS:703153", "type": "openvas", "title": "Debian Security Advisory DSA 3153-1 (krb5 - security update)", "description": "Multiple vulnerabilities have\nbeen found in krb5, the MIT implementation of Kerberos:\n\nCVE-2014-5352\nIncorrect memory management in the libgssapi_krb5 library might\nresult in denial of service or the execution of arbitrary code.\n\nCVE-2014-9421\nIncorrect memory management in kadmind", "published": "2015-02-03T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=703153", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-07-24T12:52:55"}, {"id": "OPENVAS:1361412562310123137", "type": "openvas", "title": "Oracle Linux Local Check: ELSA-2015-0794", "description": "Oracle Linux Local Security Checks ELSA-2015-0794", "published": "2015-10-06T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310123137", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-07-24T12:53:58"}, {"id": "OPENVAS:1361412562310850977", "type": "openvas", "title": "SuSE Update for krb5 SUSE-SU-2015:0290-1 (krb5)", "description": "Check the version of krb5", "published": "2015-10-16T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850977", "cvelist": ["CVE-2014-9422", "CVE-2014-5351", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-12-12T11:17:09"}, {"id": 
"OPENVAS:1361412562310120539", "type": "openvas", "title": "Amazon Linux Local Check: ALAS-2015-518", "description": "Amazon Linux Local Security Checks", "published": "2015-09-08T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310120539", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-07-24T12:52:54"}, {"id": "OPENVAS:1361412562310850837", "type": "openvas", "title": "SuSE Update for krb5 SUSE-SU-2015:0257-1 (krb5)", "description": "Check the version of krb5", "published": "2015-10-13T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310850837", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-12-12T11:16:06"}, {"id": "OPENVAS:1361412562310851052", "type": "openvas", "title": "SuSE Update for krb5 SUSE-SU-2015:0290-2 (krb5)", "description": "Check the version of krb5", "published": "2015-10-16T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310851052", "cvelist": ["CVE-2014-9422", "CVE-2014-5351", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-12-12T11:15:07"}, {"id": "OPENVAS:1361412562310703153", "type": "openvas", "title": "Debian Security Advisory DSA 3153-1 (krb5 - security update)", "description": "Multiple vulnerabilities have\nbeen found in krb5, the MIT implementation of Kerberos:\n\nCVE-2014-5352\nIncorrect memory management in the libgssapi_krb5 library might\nresult in denial of service or the execution of arbitrary code.\n\nCVE-2014-9421\nIncorrect memory management in kadmind", "published": "2015-02-03T00:00:00", "cvss": {"score": 
9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310703153", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2018-04-06T11:26:12"}, {"id": "OPENVAS:1361412562310869079", "type": "openvas", "title": "Fedora Update for krb5 FEDORA-2015-2347", "description": "Check the version of krb5", "published": "2015-03-13T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310869079", "cvelist": ["CVE-2014-9422", "CVE-2014-5354", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2017-07-25T10:52:54"}], "centos": [{"id": "CESA-2015:0794", "type": "centos", "title": "krb5 security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0794\n\n\nKerberos is a networked authentication system which allows clients and\nservers to authenticate to each other with the help of a trusted third\nparty, the Kerberos KDC.\n\nThe following security issues are fixed with this release:\n\nA use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5\nlibrary processed valid context deletion tokens. An attacker able to make\nan application using the GSS-API library (libgssapi) could call the\ngss_process_context_token() function and use this flaw to crash that\napplication. (CVE-2014-5352)\n\nIf kadmind were used with an LDAP back end for the KDC database, a remote,\nauthenticated attacker who has the permissions to set the password policy\ncould crash kadmind by attempting to use a named ticket policy object as a\npassword policy for a principal. 
(CVE-2014-5353)\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not\ncorrectly sanitize input, and could create invalid krb5_data objects.\nA remote, unauthenticated attacker could use this flaw to crash a Kerberos\nchild process via a specially crafted request. (CVE-2014-5355)\n\nA double-free flaw was found in the way MIT Kerberos handled invalid\nExternal Data Representation (XDR) data. An authenticated user could use\nthis flaw to crash the MIT Kerberos administration server (kadmind), or\nother applications using Kerberos libraries, via specially crafted XDR\npackets. (CVE-2014-9421)\n\nIt was found that the MIT Kerberos administration server (kadmind)\nincorrectly accepted certain authentication requests for two-component\nserver principal names. A remote attacker able to acquire a key with a\nparticularly named principal (such as \"kad/x\") could use this flaw to\nimpersonate any user to kadmind, and perform administrative actions as that\nuser. (CVE-2014-9422)\n\nRed Hat would like to thank the MIT Kerberos project for reporting\nCVE-2014-5352, CVE-2014-9421, and CVE-2014-9422. 
The MIT Kerberos project\nacknowledges Nico Williams for assisting with the analysis of\nCVE-2014-5352.\n\nAll krb5 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-announce/2015-April/021058.html\n\n**Affected packages:**\nkrb5\nkrb5-devel\nkrb5-libs\nkrb5-pkinit-openssl\nkrb5-server\nkrb5-server-ldap\nkrb5-workstation\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0794.html", "published": "2015-04-09T11:47:52", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-announce/2015-April/021058.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-10-03T18:26:04"}, {"id": "CESA-2015:0439", "type": "centos", "title": "krb5 security update", "description": "**CentOS Errata and Security Advisory** CESA-2015:0439\n\n\nA NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor\nfor continuation tokens. A remote, unauthenticated attacker could use this flaw\nto crash a GSSAPI-enabled server application. (CVE-2014-4344)\n\nA buffer overflow was found in the KADM5 administration server (kadmind) when it\nwas used with an LDAP back end for the KDC database. A remote, authenticated\nattacker could potentially use this flaw to execute arbitrary code on the system\nrunning kadmind. (CVE-2014-4345)\n\nA use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5\nlibrary processed valid context deletion tokens. An attacker able to make an\napplication using the GSS-API library (libgssapi) call the\ngss_process_context_token() function could use this flaw to crash that\napplication. 
(CVE-2014-5352)\n\nIf kadmind were used with an LDAP back end for the KDC database, a remote,\nauthenticated attacker with the permissions to set the password policy could\ncrash kadmind by attempting to use a named ticket policy object as a password\npolicy for a principal. (CVE-2014-5353)\n\nA double-free flaw was found in the way MIT Kerberos handled invalid External\nData Representation (XDR) data. An authenticated user could use this flaw to\ncrash the MIT Kerberos administration server (kadmind), or other applications\nusing Kerberos libraries, using specially crafted XDR packets. (CVE-2014-9421)\n\nIt was found that the MIT Kerberos administration server (kadmind) incorrectly\naccepted certain authentication requests for two-component server principal\nnames. A remote attacker able to acquire a key with a particularly named\nprincipal (such as \"kad/x\") could use this flaw to impersonate any user to\nkadmind, and perform administrative actions as that user. (CVE-2014-9422)\n\nAn information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS\nimplementation (libgssrpc) handled certain requests. An attacker could send a\nspecially crafted request to an application using libgssrpc to disclose a\nlimited portion of uninitialized memory used by that application.\n(CVE-2014-9423)\n\nTwo buffer over-read flaws were found in the way MIT Kerberos handled certain\nrequests. A remote, unauthenticated attacker able to inject packets into a\nclient or server application's GSSAPI session could use either of these flaws to\ncrash the application. (CVE-2014-4341, CVE-2014-4342)\n\nA double-free flaw was found in the MIT Kerberos SPNEGO initiators. 
An attacker\nable to spoof packets to appear as though they are from an GSSAPI acceptor could\nuse this flaw to crash a client application that uses MIT Kerberos.\n(CVE-2014-4343)\n\nRed Hat would like to thank the MIT Kerberos project for reporting the\nCVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. MIT\nKerberos project acknowledges Nico Williams for helping with the analysis of\nCVE-2014-5352.\n\nThe krb5 packages have been upgraded to upstream version 1.12, which provides a\nnumber of bug fixes and enhancements, including:\n\n* Added plug-in interfaces for principal-to-username mapping and verifying\nauthorization to user accounts.\n\n* When communicating with a KDC over a connected TCP or HTTPS socket, the client\ngives the KDC more time to reply before it transmits the request to another\nserver. (BZ#1049709, BZ#1127995)\n\nThis update also fixes multiple bugs, for example:\n\n* The Kerberos client library did not recognize certain exit statuses that the\nresolver libraries could return when looking up the addresses of servers\nconfigured in the /etc/krb5.conf file or locating Kerberos servers using DNS\nservice location. The library could treat non-fatal return codes as fatal\nerrors. Now, the library interprets the specific return codes correctly.\n(BZ#1084068, BZ#1109102)\n\nIn addition, this update adds various enhancements. Among others:\n\n* Added support for contacting KDCs and kpasswd servers through HTTPS proxies\nimplementing the Kerberos KDC Proxy (KKDCP) protocol. 
(BZ#1109919)\n\n\n**Merged security bulletin from advisories:**\nhttp://lists.centos.org/pipermail/centos-cr-announce/2015-March/001610.html\n\n**Affected packages:**\nkrb5-devel\nkrb5-libs\nkrb5-pkinit\nkrb5-server\nkrb5-server-ldap\nkrb5-workstation\n\n**Upstream details at:**\nhttps://rhn.redhat.com/errata/RHSA-2015-0439.html", "published": "2015-03-17T13:28:30", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://lists.centos.org/pipermail/centos-cr-announce/2015-March/001610.html", "cvelist": ["CVE-2014-9422", "CVE-2014-4342", "CVE-2014-5352", "CVE-2014-4343", "CVE-2014-5353", "CVE-2014-4344", "CVE-2014-9421", "CVE-2014-4345", "CVE-2014-4341", "CVE-2014-9423"], "lastseen": "2017-10-03T18:26:27"}], "amazon": [{"id": "ALAS-2015-518", "type": "amazon", "title": "Medium: krb5", "description": "**Issue Overview:**\n\nA use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) could call the gss_process_context_token() function and use this flaw to crash that application. ([CVE-2014-5352 __](<https://access.redhat.com/security/cve/CVE-2014-5352>))\n\nIf kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. ([CVE-2014-5353 __](<https://access.redhat.com/security/cve/CVE-2014-5353>))\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request. 
([CVE-2014-5355 __](<https://access.redhat.com/security/cve/CVE-2014-5355>))\n\nA double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, via specially crafted XDR packets. ([CVE-2014-9421 __](<https://access.redhat.com/security/cve/CVE-2014-9421>))\n\nIt was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as \"kad/x\") could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. ([CVE-2014-9422 __](<https://access.redhat.com/security/cve/CVE-2014-9422>))\n\n \n**Affected Packages:** \n\n\nkrb5\n\n \n**Issue Correction:** \nRun _yum update krb5_ to update your system. 
\n\n \n**New Packages:**\n \n \n i686: \n krb5-devel-1.10.3-37.29.amzn1.i686 \n krb5-pkinit-openssl-1.10.3-37.29.amzn1.i686 \n krb5-server-ldap-1.10.3-37.29.amzn1.i686 \n krb5-debuginfo-1.10.3-37.29.amzn1.i686 \n krb5-libs-1.10.3-37.29.amzn1.i686 \n krb5-workstation-1.10.3-37.29.amzn1.i686 \n krb5-server-1.10.3-37.29.amzn1.i686 \n \n src: \n krb5-1.10.3-37.29.amzn1.src \n \n x86_64: \n krb5-devel-1.10.3-37.29.amzn1.x86_64 \n krb5-server-1.10.3-37.29.amzn1.x86_64 \n krb5-debuginfo-1.10.3-37.29.amzn1.x86_64 \n krb5-server-ldap-1.10.3-37.29.amzn1.x86_64 \n krb5-workstation-1.10.3-37.29.amzn1.x86_64 \n krb5-libs-1.10.3-37.29.amzn1.x86_64 \n krb5-pkinit-openssl-1.10.3-37.29.amzn1.x86_64 \n \n \n", "published": "2015-05-05T15:44:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://alas.aws.amazon.com/ALAS-2015-518.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2016-09-28T21:04:10"}], "debian": [{"id": "DSA-3153", "type": "debian", "title": "krb5 -- security update", "description": "Multiple vulnerabilities have been found in krb5, the MIT implementation of Kerberos:\n\n * [CVE-2014-5352](<https://security-tracker.debian.org/tracker/CVE-2014-5352>)\n\nIncorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code.\n\n * [CVE-2014-9421](<https://security-tracker.debian.org/tracker/CVE-2014-9421>)\n\nIncorrect memory management in kadmind's processing of XDR data might result in denial of service or the execution of arbitrary code.\n\n * [CVE-2014-9422](<https://security-tracker.debian.org/tracker/CVE-2014-9422>)\n\nIncorrect processing of two-component server principals might result in impersonation attacks.\n\n * [CVE-2014-9423](<https://security-tracker.debian.org/tracker/CVE-2014-9423>)\n\nAn information leak in the libgssrpc library.\n\nFor the stable 
distribution (wheezy), these problems have been fixed in version 1.10.1+dfsg-5+deb7u3.\n\nFor the unstable distribution (sid), these problems have been fixed in version 1.12.1+dfsg-17.\n\nWe recommend that you upgrade your krb5 packages.", "published": "2015-02-03T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/dsa-3153", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2016-09-02T18:23:56"}, {"id": "DLA-146", "type": "debian", "title": "krb5 -- LTS security update", "description": "Multiples vulnerabilities have been found in krb5, the MIT implementation of Kerberos:\n\n * [CVE-2014-5352](<https://security-tracker.debian.org/tracker/CVE-2014-5352>)\n\nIncorrect memory management in the libgssapi_krb5 library might result in denial of service or the execution of arbitrary code.\n\n * [CVE-2014-9421](<https://security-tracker.debian.org/tracker/CVE-2014-9421>)\n\nIncorrect memory management in kadmind's processing of XDR data might result in denial of service or the execution of arbitrary code.\n\n * [CVE-2014-9422](<https://security-tracker.debian.org/tracker/CVE-2014-9422>)\n\nIncorrect processing of two-component server principals might result in impersonation attacks.\n\n * [CVE-2014-9423](<https://security-tracker.debian.org/tracker/CVE-2014-9423>)\n\nAn information leak in the libgssrpc library.\n\nFor Debian 6 Squeeze, these issues have been fixed in krb5 version 1.8.3+dfsg-4squeeze9", "published": "2015-02-07T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://www.debian.org/security/2015/dla-146", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2016-09-02T12:56:45"}], "redhat": [{"id": "RHSA-2015:0794", "type": "redhat", "title": "(RHSA-2015:0794) Moderate: krb5 security 
update", "description": "Kerberos is a networked authentication system which allows clients and\nservers to authenticate to each other with the help of a trusted third\nparty, the Kerberos KDC.\n\nThe following security issues are fixed with this release:\n\nA use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5\nlibrary processed valid context deletion tokens. An attacker able to make\nan application using the GSS-API library (libgssapi) could call the\ngss_process_context_token() function and use this flaw to crash that\napplication. (CVE-2014-5352)\n\nIf kadmind were used with an LDAP back end for the KDC database, a remote,\nauthenticated attacker who has the permissions to set the password policy\ncould crash kadmind by attempting to use a named ticket policy object as a\npassword policy for a principal. (CVE-2014-5353)\n\nIt was found that the krb5_read_message() function of MIT Kerberos did not\ncorrectly sanitize input, and could create invalid krb5_data objects.\nA remote, unauthenticated attacker could use this flaw to crash a Kerberos\nchild process via a specially crafted request. (CVE-2014-5355)\n\nA double-free flaw was found in the way MIT Kerberos handled invalid\nExternal Data Representation (XDR) data. An authenticated user could use\nthis flaw to crash the MIT Kerberos administration server (kadmind), or\nother applications using Kerberos libraries, via specially crafted XDR\npackets. (CVE-2014-9421)\n\nIt was found that the MIT Kerberos administration server (kadmind)\nincorrectly accepted certain authentication requests for two-component\nserver principal names. A remote attacker able to acquire a key with a\nparticularly named principal (such as \"kad/x\") could use this flaw to\nimpersonate any user to kadmind, and perform administrative actions as that\nuser. (CVE-2014-9422)\n\nRed Hat would like to thank the MIT Kerberos project for reporting\nCVE-2014-5352, CVE-2014-9421, and CVE-2014-9422. 
The MIT Kerberos project\nacknowledges Nico Williams for assisting with the analysis of\nCVE-2014-5352.\n\nAll krb5 users are advised to upgrade to these updated packages, which\ncontain backported patches to correct these issues.\n", "published": "2015-04-09T04:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0794", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2017-03-10T13:18:49"}, {"id": "RHSA-2015:0439", "type": "redhat", "title": "(RHSA-2015:0439) Moderate: krb5 security, bug fix and enhancement update", "description": "A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor\nfor continuation tokens. A remote, unauthenticated attacker could use this flaw\nto crash a GSSAPI-enabled server application. (CVE-2014-4344)\n\nA buffer overflow was found in the KADM5 administration server (kadmind) when it\nwas used with an LDAP back end for the KDC database. A remote, authenticated\nattacker could potentially use this flaw to execute arbitrary code on the system\nrunning kadmind. (CVE-2014-4345)\n\nA use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5\nlibrary processed valid context deletion tokens. An attacker able to make an\napplication using the GSS-API library (libgssapi) call the\ngss_process_context_token() function could use this flaw to crash that\napplication. (CVE-2014-5352)\n\nIf kadmind were used with an LDAP back end for the KDC database, a remote,\nauthenticated attacker with the permissions to set the password policy could\ncrash kadmind by attempting to use a named ticket policy object as a password\npolicy for a principal. (CVE-2014-5353)\n\nA double-free flaw was found in the way MIT Kerberos handled invalid External\nData Representation (XDR) data. 
An authenticated user could use this flaw to\ncrash the MIT Kerberos administration server (kadmind), or other applications\nusing Kerberos libraries, using specially crafted XDR packets. (CVE-2014-9421)\n\nIt was found that the MIT Kerberos administration server (kadmind) incorrectly\naccepted certain authentication requests for two-component server principal\nnames. A remote attacker able to acquire a key with a particularly named\nprincipal (such as \"kad/x\") could use this flaw to impersonate any user to\nkadmind, and perform administrative actions as that user. (CVE-2014-9422)\n\nAn information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS\nimplementation (libgssrpc) handled certain requests. An attacker could send a\nspecially crafted request to an application using libgssrpc to disclose a\nlimited portion of uninitialized memory used by that application.\n(CVE-2014-9423)\n\nTwo buffer over-read flaws were found in the way MIT Kerberos handled certain\nrequests. A remote, unauthenticated attacker able to inject packets into a\nclient or server application's GSSAPI session could use either of these flaws to\ncrash the application. (CVE-2014-4341, CVE-2014-4342)\n\nA double-free flaw was found in the MIT Kerberos SPNEGO initiators. An attacker\nable to spoof packets to appear as though they are from an GSSAPI acceptor could\nuse this flaw to crash a client application that uses MIT Kerberos.\n(CVE-2014-4343)\n\nRed Hat would like to thank the MIT Kerberos project for reporting the\nCVE-2014-5352, CVE-2014-9421, CVE-2014-9422, and CVE-2014-9423 issues. 
MIT\nKerberos project acknowledges Nico Williams for helping with the analysis of\nCVE-2014-5352.\n\nThe krb5 packages have been upgraded to upstream version 1.12, which provides a\nnumber of bug fixes and enhancements, including:\n\n* Added plug-in interfaces for principal-to-username mapping and verifying\nauthorization to user accounts.\n\n* When communicating with a KDC over a connected TCP or HTTPS socket, the client\ngives the KDC more time to reply before it transmits the request to another\nserver. (BZ#1049709, BZ#1127995)\n\nThis update also fixes multiple bugs, for example:\n\n* The Kerberos client library did not recognize certain exit statuses that the\nresolver libraries could return when looking up the addresses of servers\nconfigured in the /etc/krb5.conf file or locating Kerberos servers using DNS\nservice location. The library could treat non-fatal return codes as fatal\nerrors. Now, the library interprets the specific return codes correctly.\n(BZ#1084068, BZ#1109102)\n\nIn addition, this update adds various enhancements. Among others:\n\n* Added support for contacting KDCs and kpasswd servers through HTTPS proxies\nimplementing the Kerberos KDC Proxy (KKDCP) protocol. 
(BZ#1109919)\n", "published": "2015-03-05T05:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://access.redhat.com/errata/RHSA-2015:0439", "cvelist": ["CVE-2014-4341", "CVE-2014-4342", "CVE-2014-4343", "CVE-2014-4344", "CVE-2014-4345", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421", "CVE-2014-9422", "CVE-2014-9423"], "lastseen": "2018-04-15T11:09:12"}], "freebsd": [{"id": "24CE5597-ACAB-11E4-A847-206A8A720317", "type": "freebsd", "title": "krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092", "description": "\nSO-AND-SO reports:\n\nCVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after\n\t gss_process_context_token() is used to process a valid context\n\t deletion token, the caller is left with a security context handle\n\t containing a dangling pointer. Further uses of this handle will\n\t result in use-after-free and double-free memory access violations.\n\t libgssrpc server applications such as kadmind are vulnerable as\n\t they can be instructed to call gss_process_context_token().\nCVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR\n\t data from an authenticated user, it may perform use-after-free and\n\t double-free memory access violations while cleaning up the partial\n\t deserialization results. 
Other libgssrpc server applications may\n\t also be vulnerable if they contain insufficiently defensive XDR\n\t functions.\nCVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepts\n\t authentications to two-component server principals whose first\n\t component is a left substring of \"kadmin\" or whose realm is a left\n\t prefix of the default realm.\nCVE-2014-9423: libgssrpc applications including kadmind output\n\t four or eight bytes of uninitialized memory to the network as\n\t part of an unused \"handle\" field in replies to clients.\n\n", "published": "2015-02-03T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://vuxml.freebsd.org/freebsd/24ce5597-acab-11e4-a847-206a8a720317.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2016-09-26T17:24:21"}], "oraclelinux": [{"id": "ELSA-2015-0794", "type": "oraclelinux", "title": "krb5 security update", "description": "[1.10.3-37]\n- fix for CVE-2014-5355 (#1193939) 'krb5: unauthenticated\n denial of service in recvauth_common() and others'\n[1.10.3-36]\n- fix for CVE-2014-5353 (#1174543) 'Fix LDAP misused policy\n name crash'\n[1.10.3-35]\n- Changelog fixes to make errata subsystem happy.\n[1.10.3-34]\n- fix for CVE-2014-5352 (#1179856) 'gss_process_context_token()\n incorrectly frees context (MITKRB5-SA-2015-001)'\n- fix for CVE-2014-9421 (#1179857) 'kadmind doubly frees partial\n deserialization results (MITKRB5-SA-2015-001)'\n- fix for CVE-2014-9422 (#1179861) 'kadmind incorrectly\n validates server principal name (MITKRB5-SA-2015-001)'", "published": "2015-04-09T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0794.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421"], "lastseen": "2016-09-04T11:16:08"}, 
{"id": "ELSA-2015-0439", "type": "oraclelinux", "title": "krb5 security, bug fix and enhancement update", "description": "[1.12.2-14]\n- fix for kinit -C loops (#1184629, MIT/krb5 issue 243, 'Do not\n loop on principal unknown errors').\n[1.12.2-13]\n- fix for CVE-2014-5352 (#1179856) 'gss_process_context_token()\n incorrectly frees context (MITKRB5-SA-2015-001)'\n- fix for CVE-2014-9421 (#1179857) 'kadmind doubly frees partial\n deserialization results (MITKRB5-SA-2015-001)'\n- fix for CVE-2014-9422 (#1179861) 'kadmind incorrectly\n validates server principal name (MITKRB5-SA-2015-001)'\n- fix for CVE-2014-9423 (#1179863) 'libgssrpc server applications\n leak uninitialized bytes (MITKRB5-SA-2015-001)'\n[1.12.2-12]\n- fix for CVE-2014-5354 (#1174546) 'krb5: NULL pointer\n dereference when using keyless entries'\n[1.12.2-11]\n- fix for CVE-2014-5353 (#1174543) 'Fix LDAP misused policy\n name crash'\n[1.12.2-10]\n- In ksu, without the -e flag, also check .k5users (#1105489)\n When ksu was explicitly told to spawn a shell, a line in .k5users which\n listed '*' as the allowed command would cause the principal named on the\n line to be considered as a candidate for authentication.\n When ksu was not passed a command to run, which implicitly meant that\n the invoking user wanted to run the target user's login shell, knowledge\n that the principal was a valid candidate was ignored, which could cause\n a less optimal choice of the default target principal.\n This doesn't impact the authorization checks which we perform later.\n Patch by Nalin Dahyabhai \n[1.12.2-9]\n- Undo libkadmclnt SONAME change (from 8 to 9) which originally\n happened in the krb5 1.12 rebase (#1166012) but broke\n rubygem-rkerberos (sort of ruby language bindings for\n libkadmclnt&co.) 
dependencies, as a side effect of\n rubygem-rkerberos using private interfaces in libkadmclnt.\n[1.12.2-8]\n- fix the problem where the %license file has been a dangling symlink\n- ksu: pull in fix from pull #206 to avoid breakage when the\n default_ccache_name doesn't include a cache type as a prefix\n- ksu: pull in a proposed fix for pull #207 to avoid breakage when the\n invoking user doesn't already have a ccache\n[1.12.2-7]\n- pull in patch from master to load plugins with RTLD_NODELETE, when\n defined (RT#7947)\n[1.12.2-6]\n- backport patch to make the client skip checking the server's reply\n address when processing responses to password-change requests, which\n between NAT and upcoming HTTPS support, can cause us to erroneously\n report an error to the user when the server actually reported success\n (RT#7886)\n- backport support for accessing KDCs and kpasswd services via HTTPS\n proxies (marked by being specified as https URIs instead as hostnames\n or hostname-and-port), such as the one implemented in python-kdcproxy\n (RT#7929, #109919), and pick up a subsequent patch to build HTTPS\n as a plugin\n[1.12.2-5]\n- backport fix for trying all compatible keys when not being strict about\n acceptor names while reading AP-REQs (RT#7883, #1078888)\n- define _GNU_SOURCE in files where we use EAI_NODATA, to make sure that\n it's declared (#1059730,#1084068,#1109102)\n[1.12.2-4]\n- kpropd hasn't bothered with -S since 1.11; stop trying to use that flag\n in the systemd unit file\n[1.12.2-3]\n- pull in upstream fix for an incorrect check on the value returned by a\n strdup() call (#1132062)\n[1.12.1-15]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild\n[1.12.2-2]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_22_Mass_Rebuild\n[1.12.2-1]\n- update to 1.12.2\n - drop patch for RT#7820, fixed in 1.12.2\n - drop patch for #231147, fixed as RT#3277 in 1.12.2\n - drop patch for RT#7818, fixed in 1.12.2\n - drop patch for RT#7836, fixed in 
1.12.2\n - drop patch for RT#7858, fixed in 1.12.2\n - drop patch for RT#7924, fixed in 1.12.2\n - drop patch for RT#7926, fixed in 1.12.2\n - drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2\n - drop patch for CVE-2014-4343, included in 1.12.2\n - drop patch for CVE-2014-4344, included in 1.12.2\n - drop patch for CVE-2014-4345, included in 1.12.2\n- replace older proposed changes for ksu with backports of the changes\n after review and merging upstream (#1015559, #1026099, #1118347)\n[1.12.1-14]\n- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)\n[1.12.1-13]\n- gssapi: pull in upstream fix for a possible NULL dereference\n in spnego (CVE-2014-4344)\n[1.12.1-12]\n- gssapi: pull in proposed fix for a double free in initiators (David\n Woodhouse, CVE-2014-4343, #1117963)\n[1.12.1-11]\n- fix license handling\n[1.12.1-10]\n- pull in fix for denial of service by injection of malformed GSSAPI tokens\n (CVE-2014-4341, CVE-2014-4342, #1116181)\n[1.12.1-9]\n- pull in changes from upstream which add processing of the contents of\n /etc/gss/mech.d/*.conf when loading GSS modules (#1102839)\n[1.12.1-8]\n- pull in fix for building against tcl 8.6 (#1107061)\n[1.12.1-7]\n- Rebuilt for https://fedoraproject.org/wiki/Fedora_21_Mass_Rebuild\n[1.12.1-6]\n- Backport fix for change password requests when using FAST (RT#7868)\n[1.12.1-5]\n- spnego: pull in patch from master to restore preserving the OID of the\n mechanism the initiator requested when we have multiple OIDs for the same\n mechanism, so that we reply using the same mechanism OID and the initiator\n doesn't get confused (#1066000, RT#7858)\n[1.12.1-4]\n- pull in patch from master to move the default directory which the KDC uses\n when computing the socket path for a local OTP daemon from the database\n directory (/var/kerberos/krb5kdc) to the newly-added run directory\n (/run/krb5kdc), in line with what we're expecting in 1.13 (RT#7859, more\n of #1040056 as #1063905)\n- add a tmpfiles.d 
configuration file to have /run/krb5kdc created at\n boot-time\n- own /var/run/krb5kdc\n[1.12.1-3]\n- refresh nss_wrapper and add socket_wrapper to the %check environment\n* Fri Jan 31 2014 Nalin Dahyabhai \n- add currently-proposed changes to teach ksu about credential cache\n collections and the default_ccache_name setting (#1015559,#1026099)\n[1.12.1-2]\n- pull in multiple changes to allow replay caches to be added to a GSS\n credential store as 'rcache'-type credentials (RT#7818/#7819/#7836,\n[1.12.1-1]\n- update to 1.12.1\n - drop patch for RT#7794, included now\n - drop patch for RT#7797, included now\n - drop patch for RT#7803, included now\n - drop patch for RT#7805, included now\n - drop patch for RT#7807, included now\n - drop patch for RT#7045, included now\n - drop patches for RT#7813 and RT#7815, included now\n - add patch to always retrieve the KDC time offsets from keyring caches,\n so that we don't mistakenly interpret creds as expired before their\n time when our clock is ahead of the KDC's (RT#7820, #1030607)\n[1.12-11]\n- update the PIC patch for iaesx86.s to not use ELF relocations to the version\n that landed upstream (RT#7815, #1045699)\n* Thu Jan 09 2014 Nalin Dahyabhai \n- pass -Wl,--warn-shared-textrel to the compiler when we're creating shared\n libraries\n[1.12-10]\n- amend the PIC patch for iaesx86.s to also save/restore ebx in the\n functions where we modify it, because the ELF spec says we need to\n[1.12-9]\n- grab a more-commented version of the most recent patch from upstream\n master\n- make a guess at making the 32-bit AES-NI implementation sufficiently\n position-independent to not require execmod permissions for libk5crypto\n (more of #1045699)\n[1.12-8]\n- add patch from Dhiru Kholia for the AES-NI implementations to allow\n libk5crypto to be properly marked as not needing an executable stack\n on arches where they're used (#1045699, and so many others)\n[1.12-7]\n- revert that last change for a bit while sorting out execstack 
when we\n use AES-NI (#1045699)\n[1.12-6]\n- add yasm as a build requirement for AES-NI support, on arches that have\n yasm and AES-NI\n[1.12-5]\n- pull in fix from master to make reporting of errors encountered by\n the SPNEGO mechanism work better (RT#7045, part of #1043962)\n* Thu Dec 19 2013 Nalin Dahyabhai \n- update a test wrapper to properly handle things that the new libkrad does,\n and add python-pyrad as a build requirement so that we can run its tests\n[1.12-4]\n- revise previous patch to initialize one more element\n[1.12-3]\n- backport fixes to krb5_copy_context (RT#7807, #1044735/#1044739)\n[1.12-2]\n- pull in fix from master to return a NULL pointer rather than allocating\n zero bytes of memory if we read a zero-length input token (RT#7794, part of\n - pull in fix from master to ignore an empty token from an acceptor if\n we've already finished authenticating (RT#7797, part of #1043962)\n- pull in fix from master to avoid a memory leak when a mechanism's\n init_sec_context function fails (RT#7803, part of #1043962)\n- pull in fix from master to avoid a memory leak in a couple of error\n cases which could occur while obtaining acceptor credentials (RT#7805, part\n of #1043962)\n[1.12-1]\n- update to 1.12 final\n[1.12-beta2.0]\n- update to beta2\n - drop obsolete backports for storing KDC time offsets and expiration times\n in keyring credential caches\n[1.12-beta1.0]\n- rebase to master\n- update to beta1\n - drop obsolete backport of fix for RT#7706\n[1.11.4-2]\n- pull in fix to store KDC time offsets in keyring credential caches (RT#7768,\n - pull in fix to set expiration times on credentials stored in keyring\n credential caches (RT#7769, #1031724)\n[1.11.4-1]\n- update to 1.11.4\n - drop patch for RT#7650, obsoleted\n - drop patch for RT#7706, obsoleted as RT#7723\n - drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4", "published": "2015-03-11T00:00:00", "cvss": {"score": 9.0, "vector": 
"AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "http://linux.oracle.com/errata/ELSA-2015-0439.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5354", "CVE-2014-4342", "CVE-2014-5352", "CVE-2014-4343", "CVE-2014-5353", "CVE-2014-4344", "CVE-2014-9421", "CVE-2014-4345", "CVE-2014-4341", "CVE-2013-1418", "CVE-2014-9423", "CVE-2013-6800"], "lastseen": "2016-09-04T11:16:57"}], "aix": [{"id": "NAS_ADVISORY3.ASC", "type": "aix", "title": "Multiple Security vulnerabilities in IBM NAS(kerberos)", "description": "IBM SECURITY ADVISORY\n\nFirst Issued : Thu May 21 05:06:05 CDT 2015\n\nThe most recent version of this document is available here:\n\nhttp://aix.software.ibm.com/aix/efixes/security/nas_advisory3.asc\nhttps://aix.software.ibm.com/aix/efixes/security/nas_advisory3.asc\nftp://aix.software.ibm.com/aix/efixes/security/nas_advisory3.asc\n===============================================================================\n VULNERABILITY SUMMARY\n\n1.VULNERABILITY: \tAIX NAS denial of service vulnerability\n\n PLATFORMS:\t\tAIX 5.3, 6.1 and 7.1\n\t\t\tVIOS 2.2.*\n\n SOLUTION:\t\tApply the fix as described below.\n\n THREAT:\t\tSee below\n\n CVE Numbers:\tCVE-2014-5352\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n2. VULNERABILITY:\tAIX NAS Denial of Service via a zero-byte version string\n\t\t\tor by omitting the '\\0' character\n\n PLATFORMS:\t\tAIX 5.3, 6.1 and 7.1\n\t\t\tVIOS 2.2.*\n\n SOLUTION:\t\tApply the fix as described below.\n\n THREAT:\t\tSee below\n\n CVE Numbers:\tCVE-2014-5355\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n3. VULNERABILITY:\tAIX NAS Denial of Service via malformed XDR data\n\n PLATFORMS:\t\tAIX 5.3, 6.1 and 7.1\n\t\t\tVIOS 2.2.*\n\n SOLUTION:\t\tApply the fix as described below.\n\n THREAT:\t\tSee below\n\n CVE Numbers:\tCVE-2014-9421\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? 
NO\n\n4. VULNERABILITY:\tAIX NAS allows remote users to obtain administrative \n\t\t\taccess by leveraging access to a two-component principal\n\n PLATFORMS:\t\tAIX 5.3, 6.1 and 7.1\n\t\t\tVIOS 2.2.*\n\n SOLUTION:\t\tApply the fix as described below.\n\n THREAT:\t\tSee below\n\n CVE Numbers:\tCVE-2014-9422\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n5. VULNERABILITY:\tAIX NAS allows remote users to obtain sensitive information \n\t\t\tfrom process heap memory\n\n PLATFORMS:\t\tAIX 5.3, 6.1 and 7.1\n\t\t\tVIOS 2.2.*\n\n SOLUTION:\t\tApply the fix as described below.\n\n THREAT:\t\tSee below\n\n CVE Numbers:\tCVE-2014-9423\n\n Reboot required? NO\n Workarounds? NO\n Protected by FPM? NO\n Protected by SED? NO\n\n===============================================================================\n DETAILED INFORMATION\n\nI. DESCRIPTION \n \n 1. CVE-2014-5352\n\tSecurity context handles are not properly maintained, which allows \n\tremote authenticated users to cause a denial of service (use-after-free \n\tand double free, and daemon crash) or possibly execute arbitrary code \n\tvia crafted GSSAPI traffic.\n\n 2. CVE-2014-5355\n\tA remote attacker can cause a denial of service (NULL pointer dereference) \n\tvia a zero-byte version string or cause a denial of service (out-of-bounds \n\tread) by omitting the '\\0' character. \n\n 3. CVE-2014-9421\n\tRemote authenticated users can cause a denial of service (use-after-free \n\tand double free, and daemon crash) or possibly execute arbitrary code via \n\tmalformed XDR data. \n\n 4. CVE-2014-9422\n\tA remote authenticated user can obtain administrative access by leveraging \n\taccess to a two-component principal with an initial \"kadmind\" substring. \n\n 5. CVE-2014-9423\n\tA remote attacker can obtain sensitive information from process heap memory \n\tby sniffing the network for data in a handle field. \n\nII. CVSS\n\n 1. 
CVE-2014-5352\n CVSS Base Score: 9.0\n CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/100842\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)\n\n 2. CVE-2014-5355\n CVSS Base Score: 5.0\n CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/100972\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:N/I:N/A:P)\n\n 3. CVE-2014-9421\n CVSS Base Score: 9.0\n CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/100841\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:S/C:C/I:C/A:C)\n\n 4. CVE-2014-9422\n CVSS Base Score: 6.1\n CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/100840\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:H/Au:S/C:P/I:P/A:C)\n\n 5. CVE-2014-9423\n CVSS Base Score: 5.0\n CVSS Temporal Score: https://exchange.xforce.ibmcloud.com/vulnerabilities/100839\n CVSS Environmental Score*: Undefined\n CVSS Vector: (AV:N/AC:L/Au:N/C:P/I:N/A:N)\n\nIII. PLATFORM VULNERABILITY ASSESSMENT\n\n To determine if your system is vulnerable, execute the following\n commands to obtain the NAS fileset level:\n\n lslpp -L krb5.client.rte\n \tlslpp -L krb5.server.rte\n \n The following fileset levels are vulnerable:\n\n AIX Fileset Lower Level Upper Level \n ------------------------------------------\n krb5.client.rte 1.4.0.8\t1.6.0.2\n krb5.server.rte 1.4.0.8\t1.6.0.2\n\n\tNote: 1.4.0.8 is the lowest NAS version available on the AIX web download site. \n\tEven NAS versions below this are impacted.\n\n\nIV. SOLUTIONS\n\n A. FIXES\n\n Fix is available. The fix can be downloaded via ftp\n from:\n\n ftp://aix.software.ibm.com/aix/efixes/security/nas3_fix.tar\n\n The above link is to a tar file containing this signed advisory, \n \tfix packages, and OpenSSL signatures for each package.\n\n The fixes below include prerequisite checking. 
\n\tThis will enforce the correct mapping between the fixes and AIX\n releases.\n\n\tThe tar file contains Interim fixes that are based on NAS fileset levels.\n\t\n\tAIX Level 5.3, 6.1, 7.1 and VIOS Level 2.2.*\n\t-------------------------------------------- \n\tIf the NAS fileset level is at 1.5.0.7 then apply the ifix -\n\t1507c_fix.150404.epkg.Z if only krb5.client.rte is installed\n\t1507s_fix.150407.epkg.Z if krb5.server.rte is installed\n\n\tIf the NAS fileset level is at 1.6.0.2 then apply the ifix -\n\t1602c_fix.150404.epkg.Z if only krb5.client.rte is installed\n\t1602s_fix.150407.epkg.Z if krb5.server.rte is installed\n\n\tIf the NAS fileset level is at 1.5.0.3/1.5.0.4, then \n\tupgrade to fileset level 1.6.0.2 and apply the ifix -\n\t1602c_fix.150404.epkg.Z if only krb5.client.rte is installed\n\t1602s_fix.150407.epkg.Z if krb5.server.rte is installed\n\n\tFor other fileset levels, upgrade to fileset level 1.5.0.7\n\tand apply the ifix -\n\t1507c_fix.150404.epkg.Z if only krb5.client.rte is installed\n\t1507s_fix.150407.epkg.Z if krb5.server.rte is installed\n\n To extract the fix from the tar file:\n\n tar xvf nas3_fix.tar\n cd nas3_fix\n\n Verify you have retrieved the fix intact:\n\n The checksums below were generated using the\n \"openssl dgst -sha256 file\" command and are the following:\n\n openssl dgst -sha256 \t\t\t\t filename\t \t \n -------------------------------------------------------------------------------------------\n\t4dc9f7af7f281d3b1b679230d7c957a107b0e14e471482ef86fbe2cff9a7672f\t1507c_fix.150404.epkg.Z\n\tfc4a7c777630380294c1835cca32b438882bb503a94b6ce43761a728ac05152b\t1507s_fix.150407.epkg.Z\n\tdd3356b711e822b5bd4599b4c327d047699cd492eed04d9d5b6c4d3042ef52e9\t1602c_fix.150404.epkg.Z\n\ta3ff287d83f05476ac64b72baebf17b69ffffc530c06ec44fb63b98359f332b6\t1602s_fix.150407.epkg.Z\n\n\tThese sums should match exactly. The OpenSSL signatures in the tar file and on this advisory \n\tcan also be used to verify the integrity of the fixes. 
\n\tIf the sums or signatures cannot be confirmed, contact IBM AIX Security at\n\tsecurity-alert@austin.ibm.com and describe the discrepancy.\n\n\tPublished advisory OpenSSL signature file location:\n\n http://aix.software.ibm.com/aix/efixes/security/nas_advisory3.asc.sig\n \thttps://aix.software.ibm.com/aix/efixes/security/nas_advisory3.asc.sig\n \tftp://aix.software.ibm.com/aix/efixes/security/nas_advisory13.asc.sig\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <advisory_file>.sig <advisory_file>\n\n openssl dgst -sha1 -verify <pubkey_file> -signature <ifix_file>.sig <ifix_file>\n \n B. FIX AND INTERIM FIX INSTALLATION\n\n IMPORTANT: If possible, it is recommended that a mksysb backup\n of the system be created. Verify it is both bootable and\n readable before proceeding.\n\n To preview a fix installation:\n\n installp -a -d fix_name -p all # where fix_name is the name of the\n # fix package being previewed.\n To install a fix package:\n\n installp -a -d fix_name -X all # where fix_name is the name of the\n # fix package being installed.\n\n Interim fixes have had limited functional and regression\n testing but not the full regression testing that takes place\n for Service Packs; however, IBM does fully support them.\n\n Interim fix management documentation can be found at:\n\n http://www14.software.ibm.com/webapp/set2/sas/f/aix.efixmgmt/home.html\n\n To preview an interim fix installation:\n\n emgr -e ipkg_name -p # where ipkg_name is the name of the\n # interim fix package being previewed.\n\n To install an interim fix package:\n\n emgr -e ipkg_name -X # where ipkg_name is the name of the\n # interim fix package being installed.\n\n\nV. WORKAROUNDS\n \n No workarounds.\n\nVI. 
CONTACT INFORMATION\n\n If you would like to receive AIX Security Advisories via email,\n please visit:\n\n http://www.ibm.com/systems/support\n\n and click on the \"My notifications\" link.\n\n To view previously issued advisories, please visit:\n\n http://www14.software.ibm.com/webapp/set2/subscriptions/onvdq\n \n Comments regarding the content of this announcement can be\n directed to:\n\n security-alert@austin.ibm.com\n\n To obtain the OpenSSL public key that can be used to verify the\n signed advisories and ifixes:\n\n Download the key from our web page:\n\n http://www.ibm.com/systems/resources/systems_p_os_aix_security_pgpkey.txt\n\n To obtain the PGP public key that can be used to communicate\n securely with the AIX Security Team you can either:\n\n A. Send an email with \"get key\" in the subject line to:\n\n security-alert@austin.ibm.com\n\n B. Download the key from a PGP Public Key Server. The key ID is:\n\n 0x28BFAA12\n\n Please contact your local IBM AIX support center for any\n assistance.\n\n\n\nVII. REFERENCES:\n\n Note: Keywords labeled as KEY in this document are used for parsing purposes.\n\n eServer is a trademark of International Business Machines\n Corporation. IBM, AIX and pSeries are registered trademarks of\n International Business Machines Corporation. 
All other trademarks\n are property of their respective holders.\n\n Complete CVSS Guide: http://www.first.org/cvss/cvss-guide.html\n On-line Calculator V2: http://nvd.nist.gov/cvss.cfm?calculator&adv&version=2\n CVE-2014-5352 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5352\n CVE-2014-5355 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-5355\n CVE-2014-9421 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9421\n CVE-2014-9422 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9422\n CVE-2014-9423 : http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9423\n\n *The CVSS Environment Score is customer environment specific and will\n ultimately impact the Overall CVSS Score. Customers can evaluate the\n impact of this vulnerability in their environments by accessing the links\n in the Reference section of this Flash.\n\n Note: According to the Forum of Incident Response and Security Teams\n (FIRST), the Common Vulnerability Scoring System (CVSS) is an \"industry\n open standard designed to convey vulnerability severity and help to\n determine urgency and priority of response.\" IBM PROVIDES THE CVSS SCORES\n \"AS IS\" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF\n MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. 
CUSTOMERS ARE\n RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY\n VULNERABILITY.\n", "published": "2015-05-21T05:06:05", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://aix.software.ibm.com/aix/efixes/security/nas_advisory3.asc", "cvelist": ["CVE-2014-9422", "CVE-2014-5355", "CVE-2014-5352", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2016-10-24T17:48:11"}], "archlinux": [{"id": "ASA-201502-12", "type": "archlinux", "title": "krb5: multiple issues", "description": "- CVE-2014-5352 (authenticated remote code execution):\n\nIn the MIT krb5 libgssapi_krb5 library, after\ngss_process_context_token() is used to process a valid context deletion\ntoken, the caller is left with a security context handle containing a\ndangling pointer. Further uses of this handle will result in\nuse-after-free and double-free memory access violations. libgssrpc\nserver applications such as kadmind are vulnerable as they can be\ninstructed to call gss_process_context_token().\n\n- CVE-2014-5353 (authenticated remote denial of service):\n\nIn MIT krb5, when kadmind is configured to use LDAP for the KDC\ndatabase, an authenticated remote attacker can cause a NULL dereference\nby attempting to use a named ticket policy object as a password policy\nfor a principal. 
The attacker needs to be authenticated as a user who\nhas the elevated privilege for setting password policy by adding or\nmodifying principals.\n\n- CVE-2014-5354 (authenticated remote denial of service):\n\nIn MIT krb5, when kadmind is configured to use LDAP for the KDC\ndatabase, an authenticated remote attacker can cause a NULL dereference\nby inserting into the database a principal entry which contains no\nlong-term keys.\n\n- CVE-2014-9421 (authenticated remote code execution):\n\nIf the MIT krb5 kadmind daemon receives invalid XDR data from an\nauthenticated user, it may perform use-after-free and double-free memory\naccess violations while cleaning up the partial deserialization results.\n Other libgssrpc server applications may also be vulnerable if they\ncontain insufficiently defensive XDR functions.\n\n- CVE-2014-9422 (privilege escalation):\n\nThe MIT krb5 kadmind daemon incorrectly accepts authentications to\ntwo-component server principals whose first component is a left\nsubstring of \"kadmin\" or whose realm is a left prefix of the default realm.\n\n- CVE-2014-9423 (unauthenticated remote information leak):\n\nlibgssrpc applications including kadmind output four or eight bytes of\nuninitialized memory to the network as part of an unused \"handle\" field\nin replies to clients.", "published": "2015-02-17T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://lists.archlinux.org/pipermail/arch-security/2015-February/000235.html", "cvelist": ["CVE-2014-9422", "CVE-2014-5354", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2016-09-02T18:44:42"}], "ubuntu": [{"id": "USN-2498-1", "type": "ubuntu", "title": "Kerberos vulnerabilities", "description": "It was discovered that Kerberos incorrectly sent old keys in response to a -randkey -keepold request. 
An authenticated remote attacker could use this issue to forge tickets by leveraging administrative access. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5351)\n\nIt was discovered that the libgssapi_krb5 library incorrectly processed security context handles. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2014-5352)\n\nPatrik Kis discovered that Kerberos incorrectly handled LDAP queries with no results. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service. (CVE-2014-5353)\n\nIt was discovered that Kerberos incorrectly handled creating database entries for a keyless principal when using LDAP. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service. (CVE-2014-5354)\n\nIt was discovered that Kerberos incorrectly handled memory when processing XDR data. A remote attacker could use this issue to cause kadmind to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-9421)\n\nIt was discovered that Kerberos incorrectly handled two-component server principals. A remote attacker could use this issue to perform impersonation attacks. (CVE-2014-9422)\n\nIt was discovered that the libgssrpc library leaked uninitialized bytes. A remote attacker could use this issue to possibly obtain sensitive information. (CVE-2014-9423)", "published": "2015-02-10T00:00:00", "cvss": {"score": 9.0, "vector": "AV:NETWORK/AC:LOW/Au:SINGLE_INSTANCE/C:COMPLETE/I:COMPLETE/A:COMPLETE/"}, "href": "https://usn.ubuntu.com/2498-1/", "cvelist": ["CVE-2014-9422", "CVE-2014-5351", "CVE-2014-5354", "CVE-2014-5352", "CVE-2014-5353", "CVE-2014-9421", "CVE-2014-9423"], "lastseen": "2018-03-29T18:19:25"}]}}