Security
Headlines
HeadlinesLatestCVEs

Headline

CVE-2023-36054: Kerberos Security Advisories

lib/kadm5/kadm_rpc_xdr.c in MIT Kerberos 5 (aka krb5) before 1.20.2 and 1.21.x before 1.21.1 frees an uninitialized pointer. A remote authenticated user can trigger a kadmind crash. This occurs because _xdr_kadm5_principal_ent_rec does not validate the relationship between n_key_data and the key_data array count.

CVE
#vulnerability#dos#ldap#buffer_overflow#auth#telnet

MITKRB5-SA-2015-001

Vulnerabilities in kadmind, libgssrpc, gss_process_context_token

MITKRB5-SA-2014-001

Buffer overrun in kadmind with LDAP backend

MITKRB5-SA-2012-001

KDC heap corruption and crash vulnerabilities

MITKRB5-SA-2011-008

buffer overflow in telnet daemon and client

MITKRB5-SA-2011-007

KDC null pointer dereference in TGS handling

MITKRB5-SA-2011-006

KDC denial of service vulnerabilities

MITKRB5-SA-2011-005

FTP daemon fails to set effective group ID

MITKRB5-SA-2011-004

kadmind invalid pointer free()

MITKRB5-SA-2011-003

KDC vulnerable to double-free when PKINIT enabled

MITKRB5-SA-2011-002

KDC denial of service attacks

MITKRB5-SA-2011-001

kpropd denial of service

MITKRB5-SA-2010-007

Multiple checksum handling vulnerabilities

MITKRB5-SA-2010-006

KDC uninitialized pointer crash in authorization data handling

MITKRB5-SA-2010-005

GSS-API library null pointer dereference

MITKRB5-SA-2010-004

double free in KDC

MITKRB5-SA-2010-003

denial of service in kadmind in older krb5 releases

MITKRB5-SA-2010-002

denial of service in SPNEGO

MITKRB5-SA-2010-001

krb5-1.7 KDC denial of service

MITKRB5-SA-2009-004

integer underflow in AES and RC4 decryption

MITKRB5-SA-2009-003

KDC denial of service in cross-realm referral processing

MITKRB5-SA-2009-002

ASN.1 decoder frees uninitialized pointer

MITKRB5-SA-2009-001

multiple vulnerabilities in SPNEGO, ASN.1 decoder

MITKRB5-SA-2008-002

array overrun in RPC library used by kadmind

MITKRB5-SA-2008-001

double-free, uninitialized data vulnerabilities in krb5kdc

MITKRB5-SA-2007-006

kadmind RPC library buffer overflow, uninitialized pointer

MITKRB5-SA-2007-005

kadmind vulnerable to buffer overflow

MITKRB5-SA-2007-004

kadmind affected by multiple RPC library vulnerabilities

MITKRB5-SA-2007-003

double-free vulnerability in kadmind (via GSS-API library)

MITKRB5-SA-2007-002

KDC, kadmind stack overflow in krb5_klog_syslog

MITKRB5-SA-2007-001

telnetd allows login as arbitrary user

MITKRB5-SA-2006-003

kadmind (via GSS-API mechglue) frees uninitialized pointers

MITKRB5-SA-2006-002

kadmind (via RPC library) calls uninitialized function pointer

MITKRB5-SA-2006-001

multiple local privilege escalation vulnerabilities

MITKRB5-SA-2005-003

double-free in krb5_recvauth

MITKRB5-SA-2005-002

buffer overflow, heap corruption in KDC

MITKRB5-SA-2005-001

Buffer overflows in telnet client

MITKRB5-SA-2004-004

Heap buffer overflow in libkadm5srv

MITKRB5-SA-2004-003

ASN.1 decoder denial-of-service

MITKRB5-SA-2004-002

Double-free vulnerabilities in KDC and libraries

MITKRB5-SA-2004-001

Buffer overrun in aname_to_localname

MITKRB5-SA-2003-005:

Buffer overrun and underrun in principal name handling

MITKRB5-SA-2003-004:

Cryptographic weaknesses in Kerberos v4 protocol; KDC and realm compromise possible.

MITKRB5-SA-2003-003:

Faulty length checks in xdrmem_getbytes may allow kadmind DoS.

MITKRB5-SA-2003-001:

Multiple vulnerabilities, including possible KDC compromise, in older releases (prior to 1.2.5).

MITKRB5-SA-2002-002: [updated 2002-10-25] Buffer overflow in kadmind4

Remote user can gain root access to KDC host.

MITKRB5-SA-2002-001: Remote root vulnerability in MIT krb5 admin system

Remote user may be able to gain root access to a KDC host.

Buffer overflows in telnetd

Buffer overflows in ftpd

Unsafe temporary file handling in krb4 code

A local user may overwrite arbitrary files as root

Remote root vulnerability in GSSFTPD

An attacker with access to a local account may gain unauthorized root access via a krb5-1.1.x ftpd.

Multiple denial of service vulnerabilities in krb4 KDC

A buffer overrun capable of causing a denial of service in the krb4 KDC compat code was discovered. Additionally, krb5-1.1.x KDCs with krb4 code enabled are vulnerable to a separate denial of service.

Buffer Overrun Vulnerabilities in Kerberos 4 code

Serious buffer overruns exist in krb4 compatibility code. Also, these vulnerabilities likely exist in almost all implementations derived from MIT krb4.

Login bug when compiling using --without-krb4 in 1.1.1

Compiling remote login programs using the --without-krb4 option has disastrous side effects under 1.1 and 1.1.1 releases.

MITKRB5-SA-2002-002-kadm4 attack signature

  • Note describing attack signature associated with possible attacks on kadmind4.

Patches for MITKRB5-SA-2002-002-kadm4

  • patch for krb5-1.2.6, with detached PGP signature

Patches for MITKRB5-SA-2002-001-xdr

  • patch for krb5-1.2.5, with detached PGP signature

Patches for telnetd buffer overflow vulnerability

  • Patch for krb5-1.2.2, with detached PGP signature

Patches for ftpd buffer overflow vulnerability

  • Patch for krb5-1.2.2

Patches for krb4 temporary file vulnerability

  • Patch for krb5-1.2.1

Patches for gssftpd vulnerability

  • Patch for krb5-1.1.x ftpd

Patches for KDC vulnerabilities

  • Patch for krb5-1.0.x KDCs
  • Patch for krb5-1.1.1 KDC
  • Patch for CNS KDC
  • Untested patch for krb4 Patch 10

Patches for krb_rd_req() overruns:

The patches in some of the krb4 overrun original advisories have been untabified, which causes some people to have trouble applying them with the patch program. You may use “patch -l” if your version of patch supports it, or you may apply one of the patches below.

  • Patch for krb4 buffer overruns in 1.0.x
  • Patch for krb4 buffer overruns in 1.1.1 (includes patch for login.c)
  • Patch for bug in login.c.

$Id: index.html,v 1.46 2016/07/01 17:34:45 ghudson Exp $
MIT Kerberos [ home ] [ contact ]

Related news

Gentoo Linux Security Advisory 202405-11

Gentoo Linux Security Advisory 202405-11 - Multiple vulnerabilities have been discovered in MIT krb5, the worst of which could lead to remote code execution. Versions greater than or equal to 1.21.2 are affected.

CVE-2023-48660: DSA-2023-443: Dell PowerMaxOS 5978, Dell Unisphere 360, Dell Unisphere for PowerMax, Dell Unisphere for PowerMax Virtual Appliance, Dell Solutions Enabler Virtual Appliance, and Dell PowerMax EEM Secu

Dell vApp Manger, versions prior to 9.2.4.x contain an arbitrary file read vulnerability. A remote attacker could potentially exploit this vulnerability to read arbitrary files from the target system.

Ubuntu Security Notice USN-6467-2

Ubuntu Security Notice 6467-2 - USN-6467-1 fixed a vulnerability in Kerberos. This update provides the corresponding update for Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.04. Robert Morris discovered that Kerberos did not properly handle memory access when processing RPC data through kadmind, which could lead to the freeing of uninitialized memory. An authenticated remote attacker could possibly use this issue to cause kadmind to crash, resulting in a denial of service.

Ubuntu Security Notice USN-6467-1

Ubuntu Security Notice 6467-1 - Robert Morris discovered that Kerberos did not properly handle memory access when processing RPC data through kadmind, which could lead to the freeing of uninitialized memory. An authenticated remote attacker could possibly use this issue to cause kadmind to crash, resulting in a denial of service.

CVE: Latest News

CVE-2023-50976: Transactions API Authorization by oleiman · Pull Request #14969 · redpanda-data/redpanda
CVE-2023-6905
CVE-2023-6903
CVE-2023-6904
CVE-2023-3907