9 - MDVSA-2015:069

Executive Summary

Informations
Name	MDVSA-2015:069	First vendor Publication	2015-03-27
Vendor	Mandriva	Last vendor Modification	2015-03-27
Severity (Vendor)	N/A	Revision	N/A

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score	NA
Base Score	NA	Environmental Score	NA
impact SubScore	NA	Temporal Score	NA
Exploitabality Sub Score	NA

Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:S/C:C/I:C/A:C)
Cvss Base Score	9	Attack Range	Network
Cvss Impact Score	10	Attack Complexity	Low
Cvss Expoit Score	8	Authentication	Requires single instance
Calculate full CVSS 2.0 Vectors scores

Detail

Multiple vulnerabilities has been discovered and corrected in krb5:

The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind (CVE-2014-5352).

MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c (CVE-2014-5355).

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind (CVE-2014-9421).

The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial kadmind substring, as demonstrated by a ka/x principal (CVE-2014-9422).

The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field (CVE-2014-9423).

The updated packages provides a solution for these security issues.

Original Source

Url : http://www.mandriva.com/security/advisories?name=MDVSA-2015:069

CWE : Common Weakness Enumeration

%	Id	Name
50 %	CWE-284	Access Control (Authorization) Issues
50 %	CWE-200	Information Exposure

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:28572

Oval ID:	oval:org.mitre.oval:def:28572
Title:	AIX NAS Denial of Service via malformed XDR data
Description:	The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2014-9421	Version:	4
Platform(s):	IBM AIX 6.1 IBM AIX 7.1	Product(s):
Definition Synopsis:
platforms IBM AIX 6.1 is installed AND IBM AIX 7.1 is installed AND filesets File Version Exists krb5.server.rte greater than or equal 1.4.0.8 AND krb5.server.rte less than or equal 1.6.0.2 OR File Version Exists krb5.client.rte greater than or equal 1.4.0.8 AND krb5.client.rte less than or equal 1.6.0.2

Definition Id: oval:org.mitre.oval:def:28597

Oval ID:	oval:org.mitre.oval:def:28597
Title:	AIX NAS allows remote users to obtain administrative access by leveraging access to a two-component principal
Description:	The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2014-9422	Version:	4
Platform(s):	IBM AIX 6.1 IBM AIX 7.1	Product(s):
Definition Synopsis:
platforms IBM AIX 6.1 is installed AND IBM AIX 7.1 is installed AND filesets File Version Exists krb5.server.rte greater than or equal 1.4.0.8 AND krb5.server.rte less than or equal 1.6.0.2 OR File Version Exists krb5.client.rte greater than or equal 1.4.0.8 AND krb5.client.rte less than or equal 1.6.0.2

Definition Id: oval:org.mitre.oval:def:28832

Oval ID:	oval:org.mitre.oval:def:28832
Title:	AIX NAS Denial of Service via a zero-byte version string or by omitting the '\0' character
Description:	MIT Kerberos 5 (aka krb5) through 1.13.1 incorrectly expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2014-5355	Version:	4
Platform(s):	IBM AIX 6.1 IBM AIX 7.1	Product(s):
Definition Synopsis:
platforms IBM AIX 6.1 is installed AND IBM AIX 7.1 is installed AND filesets File Version Exists krb5.server.rte greater than or equal 1.4.0.8 AND krb5.server.rte less than or equal 1.6.0.2 OR File Version Exists krb5.client.rte greater than or equal 1.4.0.8 AND krb5.client.rte less than or equal 1.6.0.2

Definition Id: oval:org.mitre.oval:def:29035

Oval ID:	oval:org.mitre.oval:def:29035
Title:	AIX NAS denial of service vulnerability
Description:	The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2014-5352	Version:	4
Platform(s):	IBM AIX 6.1 IBM AIX 7.1	Product(s):
Definition Synopsis:
platforms IBM AIX 6.1 is installed AND IBM AIX 7.1 is installed AND filesets File Version Exists krb5.server.rte greater than or equal 1.4.0.8 AND krb5.server.rte less than or equal 1.6.0.2 OR File Version Exists krb5.client.rte greater than or equal 1.4.0.8 AND krb5.client.rte less than or equal 1.6.0.2

Definition Id: oval:org.mitre.oval:def:29181

Oval ID:	oval:org.mitre.oval:def:29181
Title:	AIX NAS allows remote users to obtain sensitive information from process heap memory
Description:	The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
Family:	unix	Class:	vulnerability
Reference(s):	CVE-2014-9423	Version:	4
Platform(s):	IBM AIX 6.1 IBM AIX 7.1	Product(s):
Definition Synopsis:
platforms IBM AIX 6.1 is installed AND IBM AIX 7.1 is installed AND filesets File Version Exists krb5.server.rte greater than or equal 1.4.0.8 AND krb5.server.rte less than or equal 1.6.0.2 OR File Version Exists krb5.client.rte greater than or equal 1.4.0.8 AND krb5.client.rte less than or equal 1.6.0.2

CPE : Common Platform Enumeration

Type	Description	Count
Application	Mit Kerberos 5 cpe:2.3:a:mit:kerberos_5:1.9.4:::::::* cpe:2.3:a:mit:kerberos_5:1.9.3:::::::* cpe:2.3:a:mit:kerberos_5:1.9.2:::::::* cpe:2.3:a:mit:kerberos_5:1.9.1:::::::* cpe:2.3:a:mit:kerberos_5:1.9:::::::* cpe:2.3:a:mit:kerberos_5:1.8.6:::::::* cpe:2.3:a:mit:kerberos_5:1.8.5:::::::* cpe:2.3:a:mit:kerberos_5:1.8.4:::::::* cpe:2.3:a:mit:kerberos_5:1.8.3:::::::* cpe:2.3:a:mit:kerberos_5:1.8.2:::::::* cpe:2.3:a:mit:kerberos_5:1.8.1:::::::* cpe:2.3:a:mit:kerberos_5:1.8:::::::* cpe:2.3:a:mit:kerberos_5:1.7.1:::::::* cpe:2.3:a:mit:kerberos_5:1.7:::::::* cpe:2.3:a:mit:kerberos_5:1.6.2:::::::* cpe:2.3:a:mit:kerberos_5:1.6.1:::::::* cpe:2.3:a:mit:kerberos_5:1.6:::::::* cpe:2.3:a:mit:kerberos_5:1.5.3:::::::* cpe:2.3:a:mit:kerberos_5:1.5.2:::::::* cpe:2.3:a:mit:kerberos_5:1.5.1:::::::* cpe:2.3:a:mit:kerberos_5:1.5:::::::* cpe:2.3:a:mit:kerberos_5:1.4.4:::::::* cpe:2.3:a:mit:kerberos_5:1.4.3:::::::* cpe:2.3:a:mit:kerberos_5:1.4.2:::::::* cpe:2.3:a:mit:kerberos_5:1.4.1:::::::* cpe:2.3:a:mit:kerberos_5:1.4:::::::* cpe:2.3:a:mit:kerberos_5:1.3.6:::::::* cpe:2.3:a:mit:kerberos_5:1.3.5:::::::* cpe:2.3:a:mit:kerberos_5:1.3.4:::::::* cpe:2.3:a:mit:kerberos_5:1.3.3:::::::* cpe:2.3:a:mit:kerberos_5:1.3.2:::::::* cpe:2.3:a:mit:kerberos_5:1.3.1:::::::* cpe:2.3:a:mit:kerberos_5:1.3:-:::::: cpe:2.3:a:mit:kerberos_5:1.3:alpha1:::::: cpe:2.3:a:mit:kerberos_5:1.2.8:::::::* cpe:2.3:a:mit:kerberos_5:1.2.7:::::::* cpe:2.3:a:mit:kerberos_5:1.2.6:::::::* cpe:2.3:a:mit:kerberos_5:1.2.5:::::::* cpe:2.3:a:mit:kerberos_5:1.2.4:::::::* cpe:2.3:a:mit:kerberos_5:1.2.3:::::::* cpe:2.3:a:mit:kerberos_5:1.2.2:::::::* cpe:2.3:a:mit:kerberos_5:1.2.1:::::::* cpe:2.3:a:mit:kerberos_5:1.2:-:::::: cpe:2.3:a:mit:kerberos_5:1.13.1:::::::* cpe:2.3:a:mit:kerberos_5:1.13:::::::* cpe:2.3:a:mit:kerberos_5:1.12.2:::::::* cpe:2.3:a:mit:kerberos_5:1.12.1:::::::* cpe:2.3:a:mit:kerberos_5:1.12:::::::* cpe:2.3:a:mit:kerberos_5:1.11.5:::::::* cpe:2.3:a:mit:kerberos_5:1.11.4:::::::* cpe:2.3:a:mit:kerberos_5:1.11.3:::::::* cpe:2.3:a:mit:kerberos_5:1.11.2:::::::* cpe:2.3:a:mit:kerberos_5:1.11.1:::::::* cpe:2.3:a:mit:kerberos_5:1.11:::::::* cpe:2.3:a:mit:kerberos_5:1.10.4:::::::* cpe:2.3:a:mit:kerberos_5:1.10.3:::::::* cpe:2.3:a:mit:kerberos_5:1.10.2:::::::* cpe:2.3:a:mit:kerberos_5:1.10.1:::::::* cpe:2.3:a:mit:kerberos_5:1.10:::::::* cpe:2.3:a:mit:kerberos_5:1.1:::::::*	60

Information Assurance Vulnerability Management (IAVM)

Date	Description
2015-05-28	IAVM : 2015-B-0069 - Multiple Vulnerabilities in MIT Kerberos 5 Severity : Category I - VMSKEY : V0060811

Snort® IPS/IDS

Date	Description
2020-01-07	MIT Kerberos 5 krb5_read_message ksh protocol bad sendauth version length den... RuleID : 52392 - Revision : 1 - Type : SERVER-OTHER
2020-01-07	MIT Kerberos 5 krb5_read_message ksh protocol bad sendauth version length den... RuleID : 52391 - Revision : 1 - Type : SERVER-OTHER
2020-01-07	MIT Kerberos 5 krb5_read_message klogin ksh kprop protocols bad app version s... RuleID : 52390 - Revision : 1 - Type : SERVER-OTHER
2020-01-07	MIT Kerberos 5 krb5_read_message klogin ksh kprop protocols bad app version s... RuleID : 52389 - Revision : 1 - Type : SERVER-OTHER
2020-01-07	MIT Kerberos 5 krb5_read_message klogin ksh kprop protocols bad sendauth vers... RuleID : 52388 - Revision : 1 - Type : SERVER-OTHER
2020-01-07	MIT Kerberos 5 krb5_read_message kprop protocol bad sendauth version length d... RuleID : 52387 - Revision : 1 - Type : SERVER-OTHER
2020-01-07	MIT Kerberos 5 krb5_read_message klogin ksh kprop protocols bad app version l... RuleID : 52386 - Revision : 1 - Type : SERVER-OTHER
2020-01-07	MIT Kerberos 5 krb5_read_message klogin protocol bad sendauth or app version ... RuleID : 52385 - Revision : 1 - Type : SERVER-OTHER
2020-01-07	MIT Kerberos 5 krb5_read_message klogin ksh kprop protocols bad sendauth vers... RuleID : 52384 - Revision : 1 - Type : SERVER-OTHER
2015-07-08	MIT Kerberos 5 krb5_read_message denial of service attempt RuleID : 34709 - Revision : 4 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date	Description
2018-02-01	Name : The remote Debian host is missing a security update. File : debian_DLA-1265.nasl - Type : ACT_GATHER_INFO
2016-03-24	Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2016-0039.nasl - Type : ACT_GATHER_INFO
2015-12-22	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20151119_krb5_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2015-12-15	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-624.nasl - Type : ACT_GATHER_INFO
2015-12-02	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-2154.nasl - Type : ACT_GATHER_INFO
2015-11-24	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-2154.nasl - Type : ACT_GATHER_INFO
2015-11-19	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-2154.nasl - Type : ACT_GATHER_INFO
2015-11-13	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2810-1.nasl - Type : ACT_GATHER_INFO
2015-07-24	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-1282-1.nasl - Type : ACT_GATHER_INFO
2015-07-22	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-1276-1.nasl - Type : ACT_GATHER_INFO
2015-05-28	Name : The remote AIX host has a version of NAS installed that is affected by multip... File : aix_nas_advisory3.nasl - Type : ACT_GATHER_INFO
2015-05-20	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0290-2.nasl - Type : ACT_GATHER_INFO
2015-05-20	Name : The remote SUSE host is missing one or more security updates. File : suse_SU-2015-0290-1.nasl - Type : ACT_GATHER_INFO
2015-05-07	Name : The remote Amazon Linux AMI host is missing a security update. File : ala_ALAS-2015-518.nasl - Type : ACT_GATHER_INFO
2015-04-10	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-0794.nasl - Type : ACT_GATHER_INFO
2015-04-10	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150409_krb5_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2015-04-10	Name : The remote OracleVM host is missing a security update. File : oraclevm_OVMSA-2015-0054.nasl - Type : ACT_GATHER_INFO
2015-04-10	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-0794.nasl - Type : ACT_GATHER_INFO
2015-04-09	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-0794.nasl - Type : ACT_GATHER_INFO
2015-03-30	Name : The remote Mandriva Linux host is missing one or more security updates. File : mandriva_MDVSA-2015-069.nasl - Type : ACT_GATHER_INFO
2015-03-26	Name : The remote Scientific Linux host is missing one or more security updates. File : sl_20150305_krb5_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2015-03-26	Name : The remote Debian host is missing a security update. File : debian_DLA-146.nasl - Type : ACT_GATHER_INFO
2015-03-20	Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-246.nasl - Type : ACT_GATHER_INFO
2015-03-18	Name : The remote CentOS host is missing one or more security updates. File : centos_RHSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-03-13	Name : The remote Fedora host is missing a security update. File : fedora_2015-2347.nasl - Type : ACT_GATHER_INFO
2015-03-13	Name : The remote Oracle Linux host is missing one or more security updates. File : oraclelinux_ELSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-03-10	Name : The remote Fedora host is missing a security update. File : fedora_2015-2382.nasl - Type : ACT_GATHER_INFO
2015-03-05	Name : The remote Red Hat host is missing one or more security updates. File : redhat-RHSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-02-26	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_dbf9e66cbd5011e4a7ba206a8a720317.nasl - Type : ACT_GATHER_INFO
2015-02-23	Name : The remote FreeBSD host is missing a security-related update. File : freebsd_pkg_63527d0db9de11e48a48206a8a720317.nasl - Type : ACT_GATHER_INFO
2015-02-12	Name : The remote SuSE 11 host is missing one or more security updates. File : suse_11_krb5-20150206-150206.nasl - Type : ACT_GATHER_INFO
2015-02-12	Name : The remote openSUSE host is missing a security update. File : openSUSE-2015-128.nasl - Type : ACT_GATHER_INFO
2015-02-11	Name : The remote Ubuntu host is missing one or more security-related patches. File : ubuntu_USN-2498-1.nasl - Type : ACT_GATHER_INFO
2015-02-05	Name : The remote FreeBSD host is missing one or more security-related updates. File : freebsd_pkg_24ce5597acab11e4a847206a8a720317.nasl - Type : ACT_GATHER_INFO
2015-02-04	Name : The remote Debian host is missing a security-related update. File : debian_DSA-3153.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.

Date	Informations
2015-03-31 13:29:27	Multiple Updates
2015-03-27 21:25:35	First insertion

Global Informations

Type	Count
CWE ID(s)	2
Oval ID(s)	5
CPE ID(s)	60
IAVM(s)	1
Snort® Rule(s)	10
Nessus® Exploit(s)	35

	Related
9	CVE-2014-9421
9	CVE-2014-5352
6.1	CVE-2014-9422
5	CVE-2014-9423
5	CVE-2014-5355
Info : listing not affected by your CVSS Env Score

Same Subject	Severity
Login to view 5 more Alert(s)

9 - MDVSA-2015:069

Executive Summary

Security-Database Scoring CVSS v3

Security-Database Scoring CVSS v2

Detail

Original Source

CWE : Common Weakness Enumeration

OVAL Definitions

CPE : Common Platform Enumeration

Information Assurance Vulnerability Management (IAVM)

Snort® IPS/IDS

Nessus® Vulnerability Scanner

Alert History

Global Informations

Open Standards

Other Databases

COMPANY

STANDARDS

RECENT POSTS

MENU