Executive Summary

Summary
Title krb5 security and bug fix update
Informations
Name RHSA-2014:1245 First vendor Publication 2014-09-16
Vendor RedHat Last vendor Modification 2014-09-16
Severity (Vendor) Moderate Revision 01

Security-Database Scoring CVSS v3

Cvss vector : N/A
Overall CVSS Score NA
Base Score NA Environmental Score NA
impact SubScore NA Temporal Score NA
Exploitabality Sub Score NA
 
Calculate full CVSS 3.0 Vectors scores

Security-Database Scoring CVSS v2

Cvss vector : (AV:N/AC:L/Au:N/C:N/I:N/A:C)
Cvss Base Score 7.8 Attack Range Network
Cvss Impact Score 6.9 Attack Complexity Low
Cvss Expoit Score 10 Authentication None Required
Calculate full CVSS 2.0 Vectors scores

Detail

Problem Description:

Updated krb5 packages that fix multiple security issues and two bugs are now available for Red Hat Enterprise Linux 5.

Red Hat Product Security has rated this update as having Moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux (v. 5 server) - i386, ia64, ppc, s390x, x86_64 Red Hat Enterprise Linux Desktop (v. 5 client) - i386, x86_64 Red Hat Enterprise Linux Desktop Workstation (v. 5 client) - i386, x86_64

3. Description:

Kerberos is an authentication system which allows clients and services to authenticate to each other with the help of a trusted third party, a Kerberos Key Distribution Center (KDC).

It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418, CVE-2013-6800)

A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344)

A buffer over-read flaw was found in the way MIT Kerberos handled certain requests. A man-in-the-middle attacker with a valid Kerberos ticket who is able to inject packets into a client or server application's GSSAPI session could use this flaw to crash the application. (CVE-2014-4341)

This update also fixes the following bugs:

* Prior to this update, the libkrb5 library occasionally attempted to free already freed memory when encrypting credentials. As a consequence, the calling process terminated unexpectedly with a segmentation fault. With this update, libkrb5 frees memory correctly, which allows the credentials to be encrypted appropriately and thus prevents the mentioned crash. (BZ#1004632)

* Previously, when the krb5 client library was waiting for a response from a server, the timeout variable in certain cases became a negative number. Consequently, the client could enter a loop while checking for responses. With this update, the client logic has been modified and the described error no longer occurs. (BZ#1089732)

All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

4. Solution:

Before applying this update, make sure all previously released errata relevant to your system have been applied.

This update is available via the Red Hat Network. Details on how to use the Red Hat Network to apply this update are available at https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1026942 - CVE-2013-1418 krb5: multi-realm KDC null dereference leads to crash 1031499 - CVE-2013-6800 krb5: KDC remote DoS (NULL pointer dereference and daemon crash) 1116180 - CVE-2014-4341 krb5: denial of service flaws when handling padding length longer than the plaintext 1121877 - CVE-2014-4344 krb5: NULL pointer dereference flaw in SPNEGO acceptor for continuation tokens

Original Source

Url : https://rhn.redhat.com/errata/RHSA-2014-1245.html

CWE : Common Weakness Enumeration

% Id Name
67 % CWE-476 NULL Pointer Dereference
33 % CWE-125 Out-of-bounds Read

OVAL Definitions

Definition Id: oval:org.mitre.oval:def:25702
 
Oval ID: oval:org.mitre.oval:def:25702
Title: SUSE-SU-2013:1875-1 -- Security update for krb5
Description: This update for krb5 fixes the following security issue: * If a KDC serves multiple realms, certain requests could cause setup_server_realm() to dereference a null pointer, crashing the KDC. (CVE-2013-1418) Security Issues: * CVE-2013-1418 <http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1418 >
Family: unix Class: patch
Reference(s): SUSE-SU-2013:1875-1
CVE-2013-1418
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26536
 
Oval ID: oval:org.mitre.oval:def:26536
Title: ELSA-2014-1245 -- krb5 security and bug fix update (Moderate)
Description: Kerberos is an authentication system which allows clients and services to authenticate to each other with the help of a trusted third party, a Kerberos Key Distribution Center (KDC). It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418, CVE-2013-6800) A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344) A buffer over-read flaw was found in the way MIT Kerberos handled certain requests. A man-in-the-middle attacker with a valid Kerberos ticket who is able to inject packets into a client or server application&#39;s GSSAPI session could use this flaw to crash the application. (CVE-2014-4341) This update also fixes the following bugs: * Prior to this update, the libkrb5 library occasionally attempted to free already freed memory when encrypting credentials. As a consequence, the calling process terminated unexpectedly with a segmentation fault. With this update, libkrb5 frees memory correctly, which allows the credentials to be encrypted appropriately and thus prevents the mentioned crash. (BZ#1004632) * Previously, when the krb5 client library was waiting for a response from a server, the timeout variable in certain cases became a negative number. Consequently, the client could enter a loop while checking for responses. With this update, the client logic has been modified and the described error no longer occurs. (BZ#1089732) All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
Family: unix Class: patch
Reference(s): ELSA-2014-1245
CVE-2014-4344
CVE-2014-4341
CVE-2013-1418
CVE-2013-6800
Version: 3
Platform(s): Oracle Linux 5
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26722
 
Oval ID: oval:org.mitre.oval:def:26722
Title: AIX NAS null deref in SPNEGO acceptor
Description: The acc_ctx_cont function in the SPNEGO acceptor in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5.x through 1.12.x before 1.12.2 allows remote attackers to cause a denial of service (NULL pointer dereference and application crash) via an empty continuation token at a certain point during a SPNEGO negotiation.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4344
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26777
 
Oval ID: oval:org.mitre.oval:def:26777
Title: RHSA-2014:1245: krb5 security and bug fix update (Moderate)
Description: Kerberos is an authentication system which allows clients and services to authenticate to each other with the help of a trusted third party, a Kerberos Key Distribution Center (KDC). It was found that if a KDC served multiple realms, certain requests could cause the setup_server_realm() function to dereference a NULL pointer. A remote, unauthenticated attacker could use this flaw to crash the KDC using a specially crafted request. (CVE-2013-1418, CVE-2013-6800) A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. A remote, unauthenticated attacker could use this flaw to crash a GSSAPI-enabled server application. (CVE-2014-4344) A buffer over-read flaw was found in the way MIT Kerberos handled certain requests. A man-in-the-middle attacker with a valid Kerberos ticket who is able to inject packets into a client or server application's GSSAPI session could use this flaw to crash the application. (CVE-2014-4341) This update also fixes the following bugs: * Prior to this update, the libkrb5 library occasionally attempted to free already freed memory when encrypting credentials. As a consequence, the calling process terminated unexpectedly with a segmentation fault. With this update, libkrb5 frees memory correctly, which allows the credentials to be encrypted appropriately and thus prevents the mentioned crash. (BZ#1004632) * Previously, when the krb5 client library was waiting for a response from a server, the timeout variable in certain cases became a negative number. Consequently, the client could enter a loop while checking for responses. With this update, the client logic has been modified and the described error no longer occurs. (BZ#1089732) All krb5 users are advised to upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
Family: unix Class: patch
Reference(s): RHSA-2014:1245-00
CVE-2013-1418
CVE-2013-6800
CVE-2014-4341
CVE-2014-4344
CESA-2014:1245
Version: 5
Platform(s): Red Hat Enterprise Linux 5
CentOS Linux 5
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26809
 
Oval ID: oval:org.mitre.oval:def:26809
Title: SUSE-SU-2014:0989-1 -- Security update for krb5
Description: The several security issues have been fixed in kerberos 5.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0989-1
CVE-2014-4341
CVE-2014-4342
CVE-2014-4343
CVE-2014-4344
Version: 3
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): krb5
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:26912
 
Oval ID: oval:org.mitre.oval:def:26912
Title: AIX NAS denial of service vulnerability
Description: MIT Kerberos 5 (aka krb5) before 1.12.2 allows remote attackers to cause a denial of service (buffer over-read and application crash) by injecting invalid tokens into a GSSAPI application session.
Family: unix Class: vulnerability
Reference(s): CVE-2014-4341
Version: 4
Platform(s): IBM AIX 6.1
IBM AIX 7.1
Product(s):
Definition Synopsis:
Definition Id: oval:org.mitre.oval:def:27019
 
Oval ID: oval:org.mitre.oval:def:27019
Title: DEPRECATED: SUSE-SU-2014:0989-1 -- Security update for krb5
Description: The several security issues have been fixed in kerberos 5.
Family: unix Class: patch
Reference(s): SUSE-SU-2014:0989-1
CVE-2014-4341
CVE-2014-4342
CVE-2014-4343
CVE-2014-4344
Version: 4
Platform(s): SUSE Linux Enterprise Server 11
SUSE Linux Enterprise Desktop 11
Product(s): krb5
Definition Synopsis:

CPE : Common Platform Enumeration

TypeDescriptionCount
Application 3
Application 66
Os 1
Os 1
Os 4
Os 1
Os 5
Os 1
Os 1
Os 4
Os 4
Os 3
Os 1

Information Assurance Vulnerability Management (IAVM)

Date Description
2013-11-14 IAVM : 2013-B-0130 - MIT Kerberos Denial of Service Vulnerabilities
Severity : Category I - VMSKEY : V0042308

Snort® IPS/IDS

Date Description
2015-03-27 MIT Kerberos KDC as-req sname null pointer dereference attempt
RuleID : 8888889 - Revision : 1 - Type : SERVER-OTHER
2015-03-27 MIT Kerberos KDC as-req sname null pointer dereference attempt
RuleID : 8888888 - Revision : 1 - Type : SERVER-OTHER
2016-03-14 MIT Kerberos 5 IAKERB outbound token detected
RuleID : 36816 - Revision : 5 - Type : SERVER-OTHER
2016-03-14 MIT Kerberos 5 SPNEGO incoming token detected
RuleID : 36815 - Revision : 5 - Type : SERVER-OTHER
2016-03-14 MIT Kerberos 5 SPNEGO acceptor acc_ctx_cont denial of service attempt
RuleID : 36814 - Revision : 5 - Type : SERVER-OTHER
2015-06-23 MIT Kerberos KDC as-req sname null pointer dereference attempt
RuleID : 34972 - Revision : 2 - Type : SERVER-OTHER
2015-06-23 MIT Kerberos KDC as-req sname null pointer dereference attempt
RuleID : 34971 - Revision : 2 - Type : SERVER-OTHER

Nessus® Vulnerability Scanner

Date Description
2018-02-01 Name : The remote Debian host is missing a security update.
File : debian_DLA-1265.nasl - Type : ACT_GATHER_INFO
2018-01-11 Name : The remote device is missing a vendor-supplied security patch.
File : f5_bigip_SOL15552.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20150305_krb5_on_SL7_x.nasl - Type : ACT_GATHER_INFO
2015-03-26 Name : The remote Debian host is missing a security update.
File : debian_DLA-37.nasl - Type : ACT_GATHER_INFO
2015-03-18 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-03-13 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-03-05 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2015-0439.nasl - Type : ACT_GATHER_INFO
2015-02-26 Name : The remote FreeBSD host is missing a security-related update.
File : freebsd_pkg_dbf9e66cbd5011e4a7ba206a8a720317.nasl - Type : ACT_GATHER_INFO
2015-01-19 Name : The remote Solaris system is missing a security patch for third-party software.
File : solaris11_kerberos_20141216.nasl - Type : ACT_GATHER_INFO
2015-01-02 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201412-53.nasl - Type : ACT_GATHER_INFO
2014-11-26 Name : The remote OracleVM host is missing a security update.
File : oraclevm_OVMSA-2014-0034.nasl - Type : ACT_GATHER_INFO
2014-11-18 Name : The remote Amazon Linux AMI host is missing a security update.
File : ala_ALAS-2014-443.nasl - Type : ACT_GATHER_INFO
2014-11-12 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1389.nasl - Type : ACT_GATHER_INFO
2014-11-04 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20141014_krb5_on_SL6_x.nasl - Type : ACT_GATHER_INFO
2014-10-17 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1389.nasl - Type : ACT_GATHER_INFO
2014-10-14 Name : The remote Scientific Linux host is missing one or more security updates.
File : sl_20140916_krb5_on_SL5_x.nasl - Type : ACT_GATHER_INFO
2014-10-14 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1389.nasl - Type : ACT_GATHER_INFO
2014-10-01 Name : The remote CentOS host is missing one or more security updates.
File : centos_RHSA-2014-1245.nasl - Type : ACT_GATHER_INFO
2014-09-18 Name : The remote Oracle Linux host is missing one or more security updates.
File : oraclelinux_ELSA-2014-1245.nasl - Type : ACT_GATHER_INFO
2014-09-16 Name : The remote Red Hat host is missing one or more security updates.
File : redhat-RHSA-2014-1245.nasl - Type : ACT_GATHER_INFO
2014-09-12 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2014-165.nasl - Type : ACT_GATHER_INFO
2014-09-04 Name : The remote AIX host has a version of NAS installed that is affected by multip...
File : aix_nas_advisory1.nasl - Type : ACT_GATHER_INFO
2014-08-12 Name : The remote Ubuntu host is missing one or more security-related patches.
File : ubuntu_USN-2310-1.nasl - Type : ACT_GATHER_INFO
2014-08-12 Name : The remote SuSE 11 host is missing one or more security updates.
File : suse_11_krb5-140729.nasl - Type : ACT_GATHER_INFO
2014-08-12 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2014-486.nasl - Type : ACT_GATHER_INFO
2014-08-10 Name : The remote Debian host is missing a security-related update.
File : debian_DSA-3000.nasl - Type : ACT_GATHER_INFO
2014-08-08 Name : The remote Fedora host is missing a security update.
File : fedora_2014-8189.nasl - Type : ACT_GATHER_INFO
2014-08-08 Name : The remote Fedora host is missing a security update.
File : fedora_2014-8176.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-941.nasl - Type : ACT_GATHER_INFO
2014-06-13 Name : The remote openSUSE host is missing a security update.
File : openSUSE-2013-880.nasl - Type : ACT_GATHER_INFO
2013-12-17 Name : The remote Gentoo host is missing one or more security-related patches.
File : gentoo_GLSA-201312-12.nasl - Type : ACT_GATHER_INFO
2013-12-04 Name : The remote Fedora host is missing a security update.
File : fedora_2013-21786.nasl - Type : ACT_GATHER_INFO
2013-11-22 Name : The remote Mandriva Linux host is missing one or more security updates.
File : mandriva_MDVSA-2013-275.nasl - Type : ACT_GATHER_INFO
2013-11-18 Name : A single sign-on service is affected by a denial of service vulnerability.
File : mit_kerberos_cve-2013-1418.nasl - Type : ACT_DESTRUCTIVE_ATTACK
2013-11-12 Name : The remote Fedora host is missing a security update.
File : fedora_2013-20687.nasl - Type : ACT_GATHER_INFO

Alert History

If you want to see full details history, please login or register.
0
1
2
3
Date Informations
2014-10-02 13:27:19
  • Multiple Updates
2014-09-19 13:27:41
  • Multiple Updates
2014-09-17 13:25:50
  • Multiple Updates
2014-09-16 09:23:11
  • First insertion