Scientific Linux Security Update : krb5 on SL5.x i386/x86_64

2012-08-01T00:00:00
ID SL_20100406_KRB5_ON_SL5_X.NASL
Type nessus
Reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
Modified 2020-03-02T00:00:00

Description

A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629)

This update also fixes the following bug :

  • when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork.

If the service belongs to a realm other than the client

                                        
                                            #%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text is (C) Scientific Linux.
#

include("compat.inc");

if (description)
{
  script_id(60779);
  script_version("1.4");
  script_cvs_date("Date: 2019/10/25 13:36:18");

  script_cve_id("CVE-2010-0629");

  script_name(english:"Scientific Linux Security Update : krb5 on SL5.x i386/x86_64");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis", 
    value:
"The remote Scientific Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description", 
    value:
"A use-after-free flaw was discovered in the MIT Kerberos
administration daemon, kadmind. A remote, authenticated attacker could
use this flaw to crash the kadmind daemon. Administrative privileges
are not required to trigger this flaw, as any realm user can request
information about their own principal from kadmind. (CVE-2010-0629)

This update also fixes the following bug :

  - when a Kerberos client seeks tickets for use with a
    service, it must contact the Key Distribution Center
    (KDC) to obtain them. The client must also determine
    which realm the service belongs to and it typically does
    this with a combination of client configuration detail,
    DNS information and guesswork.

If the service belongs to a realm other than the client's, cross-realm
authentication is required. Using a combination of client
configuration and guesswork, the client determines the trust
relationship sequence which forms the trusted path between the
client's realm and the service's realm. This may include one or more
intermediate realms.

Anticipating the KDC has better knowledge of extant trust
relationships, the client then requests a ticket from the service's
KDC, indicating it will accept guidance from the service's KDC by
setting a special flag in the request. A KDC which recognizes the flag
can, at its option, return a ticket-granting ticket for the next realm
along the trust path the client should be following.

If the ticket-granting ticket returned by the service's KDC is for use
with a realm the client has already determined was in the trusted
path, the client accepts this as an optimization and continues. If,
however, the ticket is for use in a realm the client is not expecting,
the client responds incorrectly: it treats the case as an error rather
than continuing along the path suggested by the service's KDC.

For this update, the krb5 1.7 modifications which allow the client to
trust such KDCs to send them along the correct path, resulting in the
client obtaining the tickets it originally desired, were backported to
krb 1.6.1 (the version shipped with Scientific Linux 5.5). (BZ#578540)

All running KDC services must be restarted for the update to take
effect."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"https://bugzilla.redhat.com/show_bug.cgi?id=578540"
  );
  # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1004&L=scientific-linux-errata&T=0&P=1154
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?dcbfd8ab"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux");

  script_set_attribute(attribute:"patch_publication_date", value:"2010/04/06");
  script_set_attribute(attribute:"plugin_publication_date", value:"2012/08/01");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
  script_family(english:"Scientific Linux Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list");

  exit(0);
}


include("audit.inc");
include("global_settings.inc");
include("rpm.inc");


if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
release = get_kb_item("Host/RedHat/release");
if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux");
if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu);


flag = 0;
if (rpm_check(release:"SL5", reference:"krb5-devel-1.6.1-36.el5_5.2")) flag++;
if (rpm_check(release:"SL5", reference:"krb5-libs-1.6.1-36.el5_5.2")) flag++;
if (rpm_check(release:"SL5", reference:"krb5-server-1.6.1-36.el5_5.2")) flag++;
if (rpm_check(release:"SL5", reference:"krb5-workstation-1.6.1-36.el5_5.2")) flag++;


if (flag)
{
  if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
  else security_warning(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");