VuXML ID | Description |
6a3c3e5c-66cb-11e0-a116-c535f3aa24f0 | krb5 -- MITKRB5-SA-2011-004, kadmind invalid pointer free() [CVE-2011-0285]
An advisory published by the MIT Kerberos team says:
The password-changing capability of the MIT krb5 administration
daemon (kadmind) has a bug that can cause it to attempt to free()
an invalid pointer under certain error conditions. This can cause
the daemon to crash or induce the execution of arbitrary code
(which is believed to be difficult). No exploit that executes
arbitrary code is known to exist, but it is easy to trigger a
denial of service manually.
Some platforms detect attempted freeing of invalid pointers and
protectively terminate the process, preventing arbitrary code
execution on those platforms.
Discovery 2011-04-12 Entry 2011-04-14 krb5
ge 1.7 lt 1.7.2
ge 1.8 lt 1.8.4
eq 1.9
CVE-2011-0285
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt
|
3f3837cc-48fb-4414-aa46-5b1c23c9feae | krb5 -- Multiple vulnerabilities
MIT reports:
CVE-2017-11368:
In MIT krb5 1.7 and later, an authenticated attacker can cause an
assertion failure in krb5kdc by sending an invalid S4U2Self or
S4U2Proxy request.
CVE-2017-11462:
RFC 2744 permits a GSS-API implementation to delete an existing
security context on a second or subsequent call to gss_init_sec_context()
or gss_accept_sec_context() if the call results in an error.
This API behavior has been found to be dangerous, leading to the
possibility of memory errors in some callers. For safety, GSS-API
implementations should instead preserve existing security contexts
on error until the caller deletes them.
All versions of MIT krb5 prior to this change may delete acceptor
contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through
1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts
on error.
Discovery 2017-07-14 Entry 2017-10-18 krb5
< 1.14.6
ge 1.15 lt 1.15.2
krb5-devel
< 1.14.6
ge 1.15 lt 1.15.2
krb5-115
< 1.15.2
krb5-114
< 1.14.6
krb5-113
< 1.14.6
https://nvd.nist.gov/vuln/detail/CVE-2017-11368
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8599
https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970
https://nvd.nist.gov/vuln/detail/CVE-2017-11462
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8598
https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf
CVE-2017-11368
CVE-2017-11462
|
406636fe-055d-11e5-aab1-d050996490d0 | krb5 -- requires_preauth bypass in PKINIT-enabled KDC
MIT reports:
In MIT krb5 1.12 and later, when the KDC is configured
with PKINIT support, an unauthenticated remote attacker
can bypass the requires_preauth flag on a client principal
and obtain a ciphertext encrypted in the principal's
long-term key. This ciphertext could be used to conduct
an off-line dictionary attack against the user's password.
Discovery 2015-05-25 Entry 2015-05-28 krb5
< 1.13.2
krb5-112
< 1.12.3_2
CVE-2015-2694
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160
|
3a888a1e-b321-11e4-83b2-206a8a720317 | krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092
The MIT Kerberos team reports:
CVE-2014-5353: The krb5_ldap_get_password_policy_from_dn
function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in
MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP,
allows remote authenticated users to cause a denial of service
(daemon crash) via a successful LDAP query with no results, as
demonstrated by using an incorrect object type for a password
policy.
CVE-2014-5354: plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in
MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when
the KDC uses LDAP, allows remote authenticated users to cause a
denial of service (NULL pointer dereference and daemon crash) by
creating a database entry for a keyless principal, as
demonstrated by a kadmin "add_principal -nokey" or "purgekeys
-all" command.
Discovery 2015-02-12 Entry 2015-02-12 Modified 2015-02-13 krb5
< 1.13.1
krb5-112
< 1.12.2_2
krb5-111
< 1.11.5_5
CVE-2014-5353
CVE-2014-5354
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt
|
24ce5597-acab-11e4-a847-206a8a720317 | krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092
SO-AND-SO reports:
CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context
deletion token, the caller is left with a security context handle
containing a dangling pointer. Further uses of this handle will
result in use-after-free and double-free memory access violations.
libgssrpc server applications such as kadmind are vulnerable as
they can be instructed to call gss_process_context_token().
CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR
data from an authenticated user, it may perform use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results. Other libgssrpc server applications may
also be vulnerable if they contain insufficiently defensive XDR
functions.
CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepts
authentications to two-component server principals whose first
component is a left substring of "kadmin" or whose realm is a left
prefix of the default realm.
CVE-2014-9423: libgssrpc applications including kadmind output
four or eight bytes of uninitialized memory to the network as
part of an unused "handle" field in replies to clients.
Discovery 2015-02-03 Entry 2015-02-04 krb5
< 1.13_1
krb5-112
< 1.12.2_1
krb5-111
< 1.11.5_4
CVE-2014-5352
CVE-2014-9421
CVE-2014-9422
CVE-2014-9423
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt
|
e3f64457-cccd-11e2-af76-206a8a720317 | krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]
No advisory has been released yet.
schpw.c in the kpasswd service in kadmind in MIT Kerberos 5
(aka krb5) before 1.11.3 does not properly validate UDP packets
before sending responses, which allows remote attackers to cause
a denial of service (CPU and bandwidth consumption) via a forged
packet that triggers a communication loop, as demonstrated by
krb_pingpong.nasl, a related issue to CVE-1999-0103.
[CVE-2002-2443].
Discovery 2013-05-10 Entry 2013-06-03 krb5
le 1.11.2
CVE-2002-2443
http://web.mit.edu/kerberos/www/krb5-1.11/
|
f54584bc-7d2b-11e2-9bd1-206a8a720317 | krb5 -- null pointer dereference in the KDC PKINIT code [CVE-2013-1415]
No advisory has been released yet.
Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415].
Discovery 2013-02-21 Entry 2013-02-22 krb5
le 1.11
CVE-2013-1415
http://web.mit.edu/kerberos/www/krb5-1.11/
|
7edac52a-66cd-11e0-9398-5d45f3aa24f0 | krb5 -- MITKRB5-SA-2011-003, KDC vulnerable to double-free when PKINIT enabled
An advisory published by the MIT Kerberos team says:
The MIT Kerberos 5 Key Distribution Center (KDC) daemon is
vulnerable to a double-free condition if the Public Key
Cryptography for Initial Authentication (PKINIT) capability is
enabled, resulting in daemon crash or arbitrary code execution
(which is believed to be difficult).
An unauthenticated remote attacker can induce a double-free
event, causing the KDC daemon to crash (denial of service),
or to execute arbitrary code. Exploiting a double-free event
to execute arbitrary code is believed to be difficult.
Discovery 2011-03-15 Entry 2011-04-14 krb5
ge 1.7 lt 1.7.2
ge 1.8 lt 1.8.4
eq 1.9
CVE-2011-0284
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-003.txt
|
4ab413ea-66ce-11e0-bf05-d445f3aa24f0 | krb5 -- MITKRB5-SA-2011-002, KDC vulnerable to hang when using LDAP back end
An advisory published by the MIT Kerberos team says:
The MIT krb5 Key Distribution Center (KDC) daemon is vulnerable
to denial of service attacks from unauthenticated remote
attackers. CVE-2011-0281 and CVE-2011-0282 occur only in KDCs
using LDAP back ends, but CVE-2011-0283 occurs in all krb5-1.9
KDCs.
Exploit code is not known to exist, but the vulnerabilities are
easy to trigger manually. The trigger for CVE-2011-0281 has
already been disclosed publicly, but that fact might not be
obvious to casual readers of the message in which it was
disclosed. The triggers for CVE-2011-0282 and CVE-2011-0283
have not yet been disclosed publicly, but they are also
trivial.
CVE-2011-0281: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to become completely unresponsive
until restarted.
CVE-2011-0282: An unauthenticated remote attacker can cause a KDC
configured with an LDAP back end to crash with a null pointer
dereference.
CVE-2011-0283: An unauthenticated remote attacker can cause a
krb5-1.9 KDC with any back end to crash with a null pointer
dereference.
Discovery 2011-02-08 Entry 2011-04-14 krb5
ge 1.7 lt 1.7.2
ge 1.8 le 1.8.4
eq 1.9
CVE-2011-0281
CVE-2011-0282
CVE-2011-0283
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-002.txt
|
64f24a1e-66cf-11e0-9deb-f345f3aa24f0 | krb5 -- MITKRB5-SA-2011-001, kpropd denial of service
An advisory published by the MIT Kerberos team says:
The MIT krb5 KDC database propagation daemon (kpropd) is
vulnerable to a denial-of-service attack triggered by invalid
network input. If a kpropd worker process receives invalid
input that causes it to exit with an abnormal status, it can
cause the termination of the listening process that spawned it,
preventing the slave KDC it was running on from receiving
database updates from the master KDC.
Exploit code is not known to exist, but the vulnerabilities are
easy to trigger manually.
An unauthenticated remote attacker can cause kpropd running in
standalone mode (the "-S" option) to terminate its listening
process, preventing database propagations to the KDC host on
which it was running. Configurations where kpropd runs in
incremental propagation mode ("iprop") or as an inetd server
are not affected.
Discovery 2011-02-08 Entry 2011-04-14 krb5
ge 1.7 lt 1.7.2
ge 1.8 lt 1.8.4
eq 1.9
CVE-2010-4022
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-001.txt
|
4ccbd40d-03f7-11e0-bf50-001a926c7637 | krb5 -- client impersonation vulnerability
The MIT Kerberos team reports:
MIT krb5 KDC may issue tickets not requested
by a client, based on an attacker-chosen KrbFastArmoredReq.
An authenticated remote attacker that controls a legitimate service
principal could obtain a valid service ticket to itself containing
valid KDC-generated authorization data for a client whose TGS-REQ it
has intercepted. The attacker could then use this ticket for
S4U2Proxy to impersonate the targeted client even if the client
never authenticated to the subverted service. The vulnerable
configuration is believed to be rare.
Discovery 2010-11-30 Entry 2010-12-09 krb5
ge 1.7.0 lt 1.7.2
45122
CVE-2010-4021
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
http://osvdb.org/69607
|
9f971cea-03f5-11e0-bf50-001a926c7637 | krb5 -- unkeyed PAC checksum handling vulnerability
The MIT Kerberos team reports:
MIT krb5 incorrectly accepts an unkeyed checksum for PAC
signatures.
An authenticated remote attacker can forge PACs if using a KDC that
does not filter client-provided PAC data. This can result in
privilege escalation against a service that relies on PAC contents
to make authorization decisions.
Discovery 2010-11-30 Entry 2010-12-09 krb5
ge 1.7.0 lt 1.7.2
45116
CVE-2010-1324
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
http://osvdb.org/69609
|
0d57c1d9-03f4-11e0-bf50-001a926c7637 | krb5 -- multiple checksum handling vulnerabilities
The MIT Kerberos team reports:
MIT krb5 incorrectly accepts an unkeyed
checksum with DES session keys for version 2 (RFC 4121)
of the GSS-API krb5 mechanism.
An unauthenticated remote attacker can forge GSS tokens that are
intended to be integrity-protected but unencrypted, if the targeted
pre-existing application session uses a DES session key.
MIT krb5 KDC incorrectly accepts RFC
3961 key-derivation checksums using RC4 keys when verifying the
req-checksum in a KrbFastArmoredReq.
An unauthenticated remote attacker has a 1/256 chance of swapping a
client-issued KrbFastReq into a different KDC-REQ, if the armor
key is RC4. The consequences are believed to be minor.
Discovery 2010-11-30 Entry 2010-12-09 krb5
ge 1.7.0 lt 1.7.2
ge 1.8.0 le 1.8.3
45116
CVE-2010-1324
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
http://osvdb.org/69609
|
11bbccbc-03ee-11e0-bcdb-001fc61c2a55 | krb5 -- multiple checksum handling vulnerabilities
The MIT Kerberos team reports:
MIT krb5 clients incorrectly accept unkeyed checksums
in the SAM-2 preauthentication challenge.
An unauthenticated remote attacker could alter a SAM-2 challenge,
affecting the prompt text seen by the user or the kind of response
sent to the KDC. Under some circumstances, this can negate the
incremental security benefit of using a single-use authentication
mechanism token.
MIT krb5 incorrectly accepts RFC 3961 key-derivation checksums
using RC4 keys when verifying KRB-SAFE messages.
An unauthenticated remote attacker has a 1/256 chance of forging
KRB-SAFE messages in an application protocol if the targeted
pre-existing session uses an RC4 session key. Few application
protocols use KRB-SAFE messages.
Discovery 2010-11-30 Entry 2010-12-09 krb5
ge 1.3.0 lt 1.7.2
ge 1.8.0 le 1.8.3
45118
CVE-2010-1323
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-007.txt
http://osvdb.org/69610
|
86b8b655-4d1a-11df-83fb-0015587e2cc1 | krb5 -- KDC double free vulnerability
The MIT Kerberos team reports:
An authenticated remote attacker can crash the KDC by
inducing the KDC to perform a double free. Under some
circumstances on some platforms, this could also allow
malicious code execution.
Discovery 2010-04-20 Entry 2010-04-21 krb5
ge 1.7 lt 1.7.2
ge 1.8 lt 1.8.2
CVE-2010-1320
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
|
9ac0f9c4-492b-11df-83fb-0015587e2cc1 | krb5 -- multiple denial of service vulnerabilities
Two vulnerabilities in krb5 can be used by remote
attackers in denial of service attacks. The MIT security
advisories report this as follows:
An unauthenticated remote attacker can send an invalid
request to a KDC process that will cause it to crash
due to an assertion failure, creating a denial of
service.
An unauthenticated remote attacker could cause a GSS-API
application, including the Kerberos administration
daemon (kadmind), to crash.
Discovery 2010-02-16 Entry 2010-04-19 Modified 2013-06-16 krb5
ge 1.7 le 1.7_2
38260
38904
CVE-2010-0283
CVE-2010-0628
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-001.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-002.txt
|
094e4a5b-6511-11ed-8c5e-206a8a720317 | krb5 -- Integer overflow vulnerabilities in PAC parsing
MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing:
Due to integer overflow vulnerabilities in PAC parsing,
an authenticated attacker may be able to cause a KDC or kadmind
process to crash by reading beyond the bounds of allocated memory,
creating a denial of service.
On 32-bit platforms an authenticated attacker may be able to
cause heap corruption resulting in an RCE.
Discovery 2022-11-05 Entry 2022-11-15 krb5
< 1.19.3_1
gt 1.20 lt 1.20_1
krb5-120
< 1.20_1
krb5-119
< 1.19.3_1
krb5-devel
< 1.20.2022.11.03
CVE-2022-42898
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42898
|
a6986f0f-3ac0-11ee-9a88-206a8a720317 | krb5 -- Double-free in KDC TGS processing
SO-AND-SO reports:
When issuing a ticket for a TGS renew or validate request, copy
only the server field from the outer part of the header ticket
to the new ticket. Copying the whole structure causes the
enc_part pointer to be aliased to the header ticket until
krb5_encrypt_tkt_part() is called, resulting in a double-free
if handle_authdata() fails.
Discovery 2023-08-07 Entry 2023-08-14 krb5
< 1.21.1_1
krb5-121
< 1.21.1_1
krb5-devel
< 1.22.2023.08.07
CVE-2023-39975
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39975
|