9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). An uninitialized pointer use flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ). A remote, unauthenticated attacker could use this flaw to crash the KDC via a specially-crafted AS-REQ request. (CVE-2012-1015) A NULL pointer dereference flaw was found in the MIT Kerberos administration daemon, kadmind. A Kerberos administrator who has the “create” privilege could use this flaw to crash kadmind. (CVE-2012-1013) Red Hat would like to thank the MIT Kerberos project for reporting CVE-2012-1015. Upstream acknowledges Emmanuel Bouillon (NCI Agency) as the original reporter of CVE-2012-1015. All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc and kadmind daemons will be restarted automatically.
lists.opensuse.org/opensuse-updates/2012-08/msg00016.html
rhn.redhat.com/errata/RHSA-2012-1131.html
web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
www.debian.org/security/2012/dsa-2518
www.mandriva.com/security/advisories?name=MDVSA-2012:120
access.redhat.com/security/updates/classification/#important
rhn.redhat.com/errata/RHSA-2012-1131.html