Executive Summary



This Alert is flagged as TOP 25 Common Weakness Enumeration from CWE/SANS. For more information, you can read this.
Summary
Titlekrb5 security update
Informations
NameRHSA-2005:567First vendor Publication2005-07-12
VendorRedHatLast vendor Modification2005-07-12
Severity (Vendor) ImportantRevision02

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Cvss Base Score7.5Attack RangeNetwork
Cvss Impact Score6.4Attack ComplexityLow
Cvss Expoit Score10AuthenticationNone Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4.

This update has been rated as having important security impact by the Red Hat Security Response Team.

2. Relevant releases/architectures:

Red Hat Enterprise Linux AS version 4 - i386, ia64, ppc, s390, s390x, x86_64 Red Hat Enterprise Linux Desktop version 4 - i386, x86_64 Red Hat Enterprise Linux ES version 4 - i386, ia64, x86_64 Red Hat Enterprise Linux WS version 4 - i386, ia64, x86_64

3. Problem description:

Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other.

A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CAN-2005-1689 to this issue.

Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CAN-2005-1175).

Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CAN-2005-1174).

GaŽl Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CAN-2005-0488).

The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CAN-2004-0175).

All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via Red Hat Network. To use Red Hat Network, launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

157103 - CAN-2005-1174 krb5 buffer overflow, heap corruption in KDC (CAN-2005-1175) 159304 - CAN-2005-0488 telnet Information Disclosure Vulnerability 159756 - CAN-2005-1689 double-free in krb5_recvauth 161471 - krb5 krb5_principal_compare NULL pointer crash 161611 - CAN-2004-0175 malicious rsh server can cause rcp to write to arbitrary files

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2005-567.html

CWE : Common Weakness Enumeration

idName
CWE-213Intended Information Leak
CWE-415Double Free
CWE-119Failure to Constrain Operations within the Bounds of a Memory Buffer
CWE-22Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE/SANS Top 25)

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:10184
 
Oval ID: oval:org.mitre.oval:def:10184
Title: Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.
Description: Directory traversal vulnerability in scp for OpenSSH before 3.4p1 allows remote malicious servers to overwrite arbitrary files. NOTE: this may be a rediscovery of CVE-2000-0992.
Family: unix Class: vulnerability
Reference(s): CVE-2004-0175
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:1139
 
Oval ID: oval:org.mitre.oval:def:1139
Title: Telnet Client Information Disclosure Vulnerability
Description: Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0488
Version: 1
Platform(s): Red Hat Enterprise Linux 3
Product(s): telnet
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:11373
 
Oval ID: oval:org.mitre.oval:def:11373
Title: Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
Description: Certain BSD-based Telnet clients, including those used on Solaris and SuSE Linux, allow remote malicious Telnet servers to read sensitive environment variables via the NEW-ENVIRON option with a SEND ENV_USERVAR command.
Family: unix Class: vulnerability
Reference(s): CVE-2005-0488
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:397
 
Oval ID: oval:org.mitre.oval:def:397
Title: MIT Kerberos 5 Key Distribution Center Remote Denial of Service Vulnerability
Description: MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
Family: unix Class: vulnerability
Reference(s): CVE-2005-1174
Version: 2
Platform(s): Sun Solaris 7
Sun Solaris 8
Sun Solaris 9
Sun Solaris 10
Product(s): Kerberos
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:10229
 
Oval ID: oval:org.mitre.oval:def:10229
Title: MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
Description: MIT Kerberos 5 (krb5) 1.3 through 1.4.1 Key Distribution Center (KDC) allows remote attackers to cause a denial of service (application crash) via a certain valid TCP connection that causes a free of unallocated memory.
Family: unix Class: vulnerability
Reference(s): CVE-2005-1174
Version: 5
Platform(s): Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9902
 
Oval ID: oval:org.mitre.oval:def:9902
Title: Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.
Description: Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.
Family: unix Class: vulnerability
Reference(s): CVE-2005-1175
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:736
 
Oval ID: oval:org.mitre.oval:def:736
Title: MIT Kerberos 5 Key Distribution Center Remote Denial of Service Vulnerability
Description: Heap-based buffer overflow in the Key Distribution Center (KDC) in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to cause a denial of service (apllication crash) and possibly execute arbitrary code via a certain valid TCP or UDP request.
Family: unix Class: vulnerability
Reference(s): CVE-2005-1175
Version: 2
Platform(s): Sun Solaris 7
Sun Solaris 8
Sun Solaris 9
Sun Solaris 10
Product(s): Kerberos
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:9819
 
Oval ID: oval:org.mitre.oval:def:9819
Title: Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.
Description: Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.
Family: unix Class: vulnerability
Reference(s): CVE-2005-1689
Version: 5
Platform(s): Red Hat Enterprise Linux 3
CentOS Linux 3
Red Hat Enterprise Linux 4
CentOS Linux 4
Oracle Linux 4
Product(s):
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application1
Application9
Application15
Os1

OpenVAS Exploits

DateDescription
2009-11-17Name : Mac OS X Version
File : nvt/macosx_version.nasl
2009-06-03Name : Solaris Update for telnet 119433-01
File : nvt/gb_solaris_119433_01.nasl
2009-06-03Name : Solaris Update for telnet 119434-01
File : nvt/gb_solaris_119434_01.nasl
2009-06-03Name : Solaris Update for telnet 110668-05
File : nvt/gb_solaris_110668_05.nasl
2009-06-03Name : Solaris Update for telnet 110669-05
File : nvt/gb_solaris_110669_05.nasl
2009-04-09Name : Mandriva Update for rsh MDVSA-2008:191 (rsh)
File : nvt/gb_mandriva_MDVSA_2008_191.nasl
2008-09-24Name : Gentoo Security Advisory GLSA 200507-11 (mit-krb5)
File : nvt/glsa_200507_11.nasl
2008-01-17Name : Debian Security Advisory DSA 757-1 (krb5)
File : nvt/deb_757_1.nasl

Open Source Vulnerability Database (OSVDB)

idDescription
17843MIT Kerberos 5 Key Distribution Center (KDC) krb5_unparse_name Overflow
17842MIT Kerberos 5 Key Distribution Center (KDC) Unallocated Memory Free DoS
17841MIT Kerberos kpropd krb5_recvauth Double-free Command Execution
17303Multiple Vendor Telnet Client NEW-ENVIRON Variable Information Disclosure
9550OpenSSH scp Traversal Arbitrary File Overwrite

Snort¬ģ IPS/IDS

DateDescription
2014-01-10MIT Kerberos V5 KDC krb5_unparse_name overflow attempt
RuleID : 17274 - Revision : 8 - Type : SERVER-OTHER
2014-01-10MIT Kerberos V5 KDC krb5_unparse_name overflow attempt
RuleID : 17273 - Revision : 8 - Type : SERVER-OTHER
2014-01-10MIT Kerberos V5 krb5_recvauth double free attempt
RuleID : 17243 - Revision : 4 - Type : SERVER-OTHER

Nessus¬ģ Vulnerability Scanner

DateDescription
2012-01-12Name : The remote Debian host is missing a security-related update.
File : debian_DSA-773.nasl - Type : ACT_GATHER_INFO
2011-11-18Name : A file transfer client on the remote host could be abused to overwrite arbitr...
File : openssh_34p1.nasl - Type : ACT_GATHER_INFO
2011-08-29Name : The SSH service running on the remote host has an information disclosure vuln...
File : sunssh_plaintext_recovery.nasl - Type : ACT_GATHER_INFO
2009-04-23Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2008-191.nasl - Type : ACT_GATHER_INFO
2006-09-27Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHSS_33384.nasl - Type : ACT_GATHER_INFO
2006-09-27Name : The remote HP-UX host is missing a security-related patch.
File : hpux_PHSS_33389.nasl - Type : ACT_GATHER_INFO
2006-08-01Name : The remote operating system is missing a vendor-supplied patch.
File : macosx_SecUpd2006-004.nasl - Type : ACT_GATHER_INFO
2006-07-05Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-567.nasl - Type : ACT_GATHER_INFO
2006-07-05Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-165.nasl - Type : ACT_GATHER_INFO
2006-07-03Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-504.nasl - Type : ACT_GATHER_INFO
2006-07-03Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-562.nasl - Type : ACT_GATHER_INFO
2006-07-03Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-074.nasl - Type : ACT_GATHER_INFO
2006-07-03Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2005-106.nasl - Type : ACT_GATHER_INFO
2006-01-21Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-224-1.nasl - Type : ACT_GATHER_INFO
2005-08-18Name : The remote host is missing a Mac OS X update that fixes various security issues.
File : macosx_SecUpd2005-007.nasl - Type : ACT_GATHER_INFO
2005-07-18Name : The remote Debian host is missing a security-related update.
File : debian_DSA-757.nasl - Type : ACT_GATHER_INFO
2005-07-14Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-119.nasl - Type : ACT_GATHER_INFO
2005-07-13Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-200507-11.nasl - Type : ACT_GATHER_INFO
2005-07-13Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-562.nasl - Type : ACT_GATHER_INFO
2005-07-13Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-567.nasl - Type : ACT_GATHER_INFO
2005-07-13Name : The remote Fedora Core host is missing a security update.
File : fedora_2005-552.nasl - Type : ACT_GATHER_INFO
2005-07-13Name : The remote Fedora Core host is missing a security update.
File : fedora_2005-553.nasl - Type : ACT_GATHER_INFO
2005-06-16Name : The remote Mandrake Linux host is missing one or more security updates.
File : mandrake_MDKSA-2005-100.nasl - Type : ACT_GATHER_INFO
2005-06-16Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-504.nasl - Type : ACT_GATHER_INFO
2005-06-14Name : It is possible to disclose user information.
File : smb_nt_ms05-033.nasl - Type : ACT_GATHER_INFO
2005-06-13Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-495.nasl - Type : ACT_GATHER_INFO
2005-06-10Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-165.nasl - Type : ACT_GATHER_INFO
2005-06-06Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-481.nasl - Type : ACT_GATHER_INFO
2005-05-19Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-106.nasl - Type : ACT_GATHER_INFO
2005-05-19Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2005-074.nasl - Type : ACT_GATHER_INFO
2004-09-08Name : The remote host is missing a Mac OS X update that fixes a security issue.
File : macosx_SecUpd20040907.nasl - Type : ACT_GATHER_INFO
2004-07-12Name : The remote host is missing Sun Security Patch number 112908-38
File : solaris9_112908.nasl - Type : ACT_GATHER_INFO
2004-07-12Name : The remote host is missing Sun Security Patch number 115168-24
File : solaris9_x86_115168.nasl - Type : ACT_GATHER_INFO
2004-07-12Name : The remote host is missing Sun Security Patch number 112237-16
File : solaris8_112237.nasl - Type : ACT_GATHER_INFO
2004-07-12Name : The remote host is missing Sun Security Patch number 112238-15
File : solaris8_x86_112238.nasl - Type : ACT_GATHER_INFO
2004-07-12Name : The remote host is missing Sun Security Patch number 112390-14
File : solaris8_112390.nasl - Type : ACT_GATHER_INFO
2004-07-12Name : The remote host is missing Sun Security Patch number 112240-13
File : solaris8_x86_112240.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
DateInformations
2014-02-17 11:49:30
  • Multiple Updates
2013-05-11 12:23:09
  • Multiple Updates