CVE-2003-0139 - Cryptographic weakness in MIT Kerberos 4 (krb4) ticket handling when triple-DES keys are used
Attack vector: UNKNOWN
Attack complexity: UNKNOWN
Privileges required: UNKNOWN
Confidentiality impact: UNKNOWN
Integrity impact: UNKNOWN
Availability impact: UNKNOWN
Vendor: mit
Summary
Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing."
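The cut-and-paste and ticket-splicing attack named in the summary works at the block level of the ticket's encryption. The Python script below is an added example and is not code from the krb4 or krb5 distributions; it does not reproduce the triple-DES key handling the advisory refers to, which this page does not detail. It shows the mode property that decides whether splicing is possible at all: krb4 encrypts tickets with DES in PCBC mode, where a pasted block damages every block after it, whereas in plain CBC without a separate integrity check a pasted block damages at most itself and the block after it, and the rest of the ticket decrypts intact. The block cipher (a small Feistel network over SHA-256 standing in for DES/3DES), the service key, the one-field-per-block ticket layout and the principal names are all constructed for the demonstration.

```python
"""Block-level cut-and-paste on an encrypted ticket: CBC versus PCBC.

Added example, not code from krb4/krb5. The 8-byte block cipher is a
constructed toy (4-round Feistel over SHA-256) standing in for DES/3DES
so the script runs offline; the ticket layout is a simplified stand-in,
not the real krb4 wire format.
"""
import hashlib

BLOCK = 8


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _f(key, i, half):                     # round function: keyed, 4-byte output
    return hashlib.sha256(key + bytes([i]) + half).digest()[:4]


def encrypt_block(key, block):
    l, r = block[:4], block[4:]
    for i in range(4):
        l, r = r, _xor(l, _f(key, i, r))
    return r + l


def decrypt_block(key, block):
    r, l = block[:4], block[4:]          # undo the final swap
    for i in reversed(range(4)):
        l, r = _xor(r, _f(key, i, l)), l
    return l + r


def _blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def cbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        prev = encrypt_block(key, _xor(p, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        out.append(_xor(decrypt_block(key, c), prev))
        prev = c                          # feedback is ciphertext only
    return b"".join(out)


def pcbc_encrypt(key, iv, pt):
    out, prev = [], iv
    for p in _blocks(pt):
        c = encrypt_block(key, _xor(p, prev))
        out.append(c)
        prev = _xor(p, c)                 # feedback is plaintext XOR ciphertext
    return b"".join(out)


def pcbc_decrypt(key, iv, ct):
    out, prev = [], iv
    for c in _blocks(ct):
        p = _xor(decrypt_block(key, c), prev)
        out.append(p)
        prev = _xor(p, c)                 # a damaged block poisons every later one
    return b"".join(out)


def make_ticket(client, session_key, service):
    # Constructed layout: one field per block (client, realm, session key,
    # lifetime/timestamp, service). Not the real krb4 ticket encoding.
    fields = [client, b"EXAMPLE", session_key, b"LIFE+TS", service]
    return b"".join(f.ljust(BLOCK, b"\0") for f in fields)


def splice(ct_into, ct_from, index):
    """Paste block `index` of ct_from over the same block of ct_into."""
    s = index * BLOCK
    return ct_into[:s] + ct_from[s:s + BLOCK] + ct_into[s + BLOCK:]


def forge(mode, key=b"svc-key!", iv=bytes(BLOCK)):
    """Mallory holds her own ticket (session key known to her) and Alice's
    ticket captured off the wire, both under the service key. She pastes
    Alice's name block over her own. Returns the decrypted result and the
    indexes of the blocks that differ from the ticket she wanted."""
    enc, dec = {"cbc": (cbc_encrypt, cbc_decrypt),
                "pcbc": (pcbc_encrypt, pcbc_decrypt)}[mode]
    alice = make_ticket(b"alice", b"A" * BLOCK, b"host/db")
    mallory = make_ticket(b"mallory", b"M" * BLOCK, b"host/db")
    wanted = alice[:BLOCK] + mallory[BLOCK:]   # Alice's name, Mallory's key
    got = dec(key, iv, splice(enc(key, iv, mallory), enc(key, iv, alice), 0))
    bad = [i for i, (w, g) in enumerate(zip(_blocks(wanted), _blocks(got))) if w != g]
    return got, bad


if __name__ == "__main__":
    for mode in ("cbc", "pcbc"):
        got, bad = forge(mode)
        print(mode, "client:", got[:BLOCK].rstrip(b"\0"), "damaged blocks:", bad)
```

Under CBC only the realm block (index 1) is damaged: the spliced ticket names alice, carries Mallory's session key unchanged, and every later field survives. Under PCBC the same splice corrupts blocks 1 through 4, because the decryption feedback carries the damage forward, so anything a service checks after the name (realm, lifetime, service name) fails. A real krb4 ticket is laid out differently and the advisory's triple-DES path is not reproduced here; the point is that a ticket cipher without error propagation or an explicit integrity check cannot prevent splicing.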
Vulnerable Configurations

Part | Description | Count
---|---|---
Application | | 1
Nessus

NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-273.NASL
description: A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. Additional cryptographic weaknesses in the krb4 implementation permit the use of cut-and-paste attacks to fabricate krb4 tickets for unauthorized client principals if triple-DES keys are used to key krb4 services. These attacks can subvert a site's entire Kerberos authentication infrastructure.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15110
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15110
title: Debian DSA-273-1 : krb4 - Cryptographic weakness
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-273. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15110);
  script_version("1.21");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2003-0138", "CVE-2003-0139");
  script_xref(name:"CERT", value:"442569");
  script_xref(name:"CERT", value:"623217");
  script_xref(name:"DSA", value:"273");

  script_name(english:"Debian DSA-273-1 : krb4 - Cryptographic weakness");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"A cryptographic weakness in version 4 of the Kerberos protocol allows
an attacker to use a chosen-plaintext attack to impersonate any
principal in a realm. Additional cryptographic weaknesses in the krb4
implementation permit the use of cut-and-paste attacks to fabricate
krb4 tickets for unauthorized client principals if triple-DES keys are
used to key krb4 services.

These attacks can subvert a site's entire Kerberos authentication
infrastructure."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-273"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the krb4 packages immediately.

For the stable distribution (woody) this problem has been fixed in
version 1.1-8-2.3.

For the old stable distribution (potato) this problem has been fixed in
version 1.0-2.3."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb4");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:2.2");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/03/28");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag any krb4 package that is still below the fixed version for its release.
flag = 0;
if (deb_check(release:"2.2", prefix:"kerberos4kth-clients", reference:"1.0-2.3")) flag++;
if (deb_check(release:"2.2", prefix:"kerberos4kth-dev", reference:"1.0-2.3")) flag++;
if (deb_check(release:"2.2", prefix:"kerberos4kth-kdc", reference:"1.0-2.3")) flag++;
if (deb_check(release:"2.2", prefix:"kerberos4kth-services", reference:"1.0-2.3")) flag++;
if (deb_check(release:"2.2", prefix:"kerberos4kth-user", reference:"1.0-2.3")) flag++;
if (deb_check(release:"2.2", prefix:"kerberos4kth-x11", reference:"1.0-2.3")) flag++;
if (deb_check(release:"2.2", prefix:"kerberos4kth1", reference:"1.0-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-clients", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-clients-x", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-dev", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-dev-common", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-docs", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-kdc", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-kip", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-servers", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-servers-x", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-services", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-user", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth-x11", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"kerberos4kth1", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"libacl1-kerberos4kth", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"libkadm1-kerberos4kth", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"libkdb-1-kerberos4kth", reference:"1.1-8-2.3")) flag++;
if (deb_check(release:"3.0", prefix:"libkrb-1-kerberos4kth", reference:"1.1-8-2.3")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-266.NASL
description: Several vulnerabilities have been discovered in krb5, an implementation of MIT Kerberos. - A cryptographic weakness in version 4 of the Kerberos protocol allows an attacker to use a chosen-plaintext attack to impersonate any principal in a realm. Additional cryptographic weaknesses in the krb4 implementation included in the MIT krb5 distribution permit the use of cut-and-paste attacks to fabricate krb4 tickets for unauthorized client principals if triple-DES keys are used to key krb4 services. These attacks can subvert a site's entire Kerberos authentication infrastructure.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 15103
published: 2004-09-29
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/15103
title: Debian DSA-266-1 : krb5 - several vulnerabilities
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Debian Security Advisory DSA-266. The text
# itself is copyright (C) Software in the Public Interest, Inc.
#

include("compat.inc");

if (description)
{
  script_id(15103);
  script_version("1.22");
  script_cvs_date("Date: 2019/08/02 13:32:17");

  script_cve_id("CVE-2003-0028", "CVE-2003-0072", "CVE-2003-0082", "CVE-2003-0138", "CVE-2003-0139");
  script_xref(name:"CERT", value:"442569");
  script_xref(name:"CERT", value:"516825");
  script_xref(name:"CERT", value:"623217");
  script_xref(name:"DSA", value:"266");

  script_name(english:"Debian DSA-266-1 : krb5 - several vulnerabilities");
  script_summary(english:"Checks dpkg output for the updated package");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Debian host is missing a security-related update."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Several vulnerabilities have been discovered in krb5, an implementation
of MIT Kerberos.

  - A cryptographic weakness in version 4 of the Kerberos
    protocol allows an attacker to use a chosen-plaintext
    attack to impersonate any principal in a realm.
    Additional cryptographic weaknesses in the krb4
    implementation included in the MIT krb5 distribution
    permit the use of cut-and-paste attacks to fabricate
    krb4 tickets for unauthorized client principals if
    triple-DES keys are used to key krb4 services. These
    attacks can subvert a site's entire Kerberos
    authentication infrastructure. Kerberos version 5 does
    not contain this cryptographic vulnerability. Sites are
    not vulnerable if they have Kerberos v4 completely
    disabled, including the disabling of any krb5 to krb4
    translation services.

  - The MIT Kerberos 5 implementation includes an RPC
    library derived from SUNRPC. The implementation contains
    length checks, that are vulnerable to an integer
    overflow, which may be exploitable to create denials of
    service or to gain unauthorized access to sensitive
    information.

  - Buffer overrun and underrun problems exist in Kerberos
    principal name handling in unusual cases, such as names
    with zero components, names with one empty component, or
    host-based service principal names with no host name
    component.

This version of the krb5 package changes the default behavior and
disallows cross-realm authentication for Kerberos version 4. Because of
the fundamental nature of the problem, cross-realm authentication in
Kerberos version 4 cannot be made secure and sites should avoid its
use. A new option (-X) is provided to the krb5kdc and krb524d commands
to re-enable version 4 cross-realm authentication for those sites that
must use this functionality but desire the other security fixes."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.debian.org/security/2003/dsa-266"
  );
  script_set_attribute(
    attribute:"solution",
    value:
"Upgrade the krb5 package.

For the stable distribution (woody) this problem has been fixed in
version 1.2.4-5woody4.

The old stable distribution (potato) does not contain krb5 packages."
  );
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/03/24");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
  script_set_attribute(attribute:"vuln_publication_date", value:"2003/03/19");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
  script_family(english:"Debian Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");

  exit(0);
}

include("audit.inc");
include("debian_package.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Flag any krb5 package on woody that is still below 1.2.4-5woody4.
flag = 0;
if (deb_check(release:"3.0", prefix:"krb5-admin-server", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"krb5-clients", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"krb5-doc", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"krb5-ftpd", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"krb5-kdc", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"krb5-rsh-server", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"krb5-telnetd", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"krb5-user", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"libkadm55", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"libkrb5-dev", reference:"1.2.4-5woody4")) flag++;
if (deb_check(release:"3.0", prefix:"libkrb53", reference:"1.2.4-5woody4")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Mandriva Local Security Checks
NASL id: MANDRAKE_MDKSA-2003-043.NASL
description: Multiple vulnerabilities have been found in the Kerberos network authentication system. The MIT Kerberos team have released an advisory detailing these vulnerabilities, a description of which follows. An integer signedness error in the ASN.1 decoder before version 1.2.5 allows remote attackers to cause a crash of the server via a large unsigned data element length, which is later used as a negative value (CVE-2002-0036). Mandrake Linux 9.0+ is not affected by this problem. Vulnerabilities have been found in the RPC library used by the kadmin service. A faulty length check in the RPC library exposes kadmind to an integer overflow which can be used to crash kadmind (CVE-2003-0028). The KDC (Key Distribution Center) before version 1.2.5 allows remote, authenticated attackers to cause a crash on KDCs within the same realm using a certain protocol that causes a null dereference (CVE-2003-0058). Mandrake Linux 9.0+ is not affected by this problem. Users from one realm can impersonate users in other realms that have the same inter-realm keys due to a vulnerability in Kerberos 1.2.3 and earlier (CVE-2003-0059). Mandrake Linux 9.0+ is not affected by this problem. The KDC allows remote, authenticated users to cause a crash on KDCs within the same realm using a certain protocol request that causes an out-of-bounds read of an array (CVE-2003-0072). The KDC allows remote, authenticated users to cause a crash on KDCs within the same realm using a certain protocol request that causes the KDC to corrupt its heap (CVE-2003-0082). Vulnerabilities have been discovered in the Kerberos IV authentication protocol which allow an attacker with knowledge of a cross-realm key, which is shared in another realm, to impersonate a principal in that realm to any service in that realm. This vulnerability can only be closed by disabling cross-realm authentication in Kerberos IV (CVE-2003-0138). Vulnerabilities have been discovered in the support for triple-DES keys in the Kerberos IV authentication protocol which is included in MIT Kerberos (CVE-2003-0139). MandrakeSoft encourages all users to upgrade to these updated packages immediately which contain patches to correct all of the previously noted vulnerabilities. These packages also disable Kerberos IV cross-realm authentication by default. Update : The packages for Mandrake Linux 9.1 and 9.1/PPC were not GPG-signed. This has been fixed and as a result the md5sums have changed. Thanks to Mark Lyda for pointing this out.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 14027
published: 2004-07-31
reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/14027
title: Mandrake Linux Security Advisory : krb5 (MDKSA-2003:043-1)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandrake Linux Security Advisory MDKSA-2003:043.
# The text itself is copyright (C) Mandriva S.A.
#

include("compat.inc");

if (description)
{
  script_id(14027);
  script_version ("1.21");
  script_set_attribute(attribute:"plugin_modification_date", value:"2020/06/26");

  script_cve_id("CVE-2002-0036", "CVE-2003-0028", "CVE-2003-0058", "CVE-2003-0059", "CVE-2003-0072", "CVE-2003-0082", "CVE-2003-0138", "CVE-2003-0139");
  script_xref(name:"MDKSA", value:"2003:043-1");

  script_name(english:"Mandrake Linux Security Advisory : krb5 (MDKSA-2003:043-1)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:
"The remote Mandrake Linux host is missing one or more security
updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Multiple vulnerabilities have been found in the Kerberos network
authentication system.

The MIT Kerberos team have released an advisory detailing these
vulnerabilities, a description of which follows.

An integer signedness error in the ASN.1 decoder before version 1.2.5
allows remote attackers to cause a crash of the server via a large
unsigned data element length, which is later used as a negative value
(CVE-2002-0036). Mandrake Linux 9.0+ is not affected by this problem.

Vulnerabilities have been found in the RPC library used by the kadmin
service. A faulty length check in the RPC library exposes kadmind to an
integer overflow which can be used to crash kadmind (CVE-2003-0028).

The KDC (Key Distribution Center) before version 1.2.5 allows remote,
authenticated attackers to cause a crash on KDCs within the same realm
using a certain protocol that causes a null dereference
(CVE-2003-0058). Mandrake Linux 9.0+ is not affected by this problem.

Users from one realm can impersonate users in other realms that have
the same inter-realm keys due to a vulnerability in Kerberos 1.2.3 and
earlier (CVE-2003-0059). Mandrake Linux 9.0+ is not affected by this
problem.

The KDC allows remote, authenticated users to cause a crash on KDCs
within the same realm using a certain protocol request that causes an
out-of-bounds read of an array (CVE-2003-0072).

The KDC allows remote, authenticated users to cause a crash on KDCs
within the same realm using a certain protocol request that causes the
KDC to corrupt its heap (CVE-2003-0082).

Vulnerabilities have been discovered in the Kerberos IV authentication
protocol which allow an attacker with knowledge of a cross-realm key,
which is shared in another realm, to impersonate a principal in that
realm to any service in that realm. This vulnerability can only be
closed by disabling cross-realm authentication in Kerberos IV
(CVE-2003-0138).

Vulnerabilities have been discovered in the support for triple-DES keys
in the Kerberos IV authentication protocol which is included in MIT
Kerberos (CVE-2003-0139).

MandrakeSoft encourages all users to upgrade to these updated packages
immediately which contain patches to correct all of the previously
noted vulnerabilities. These packages also disable Kerberos IV
cross-realm authentication by default.

Update :

The packages for Mandrake Linux 9.1 and 9.1/PPC were not GPG-signed.
This has been fixed and as a result the md5sums have changed. Thanks to
Mark Lyda for pointing this out."
  );
  # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?d4ced782"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt"
  );
  # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
  script_set_attribute(
    attribute:"see_also",
    value:"http://www.nessus.org/u?49b852e4"
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ftp-client-krb5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ftp-server-krb5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-devel");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-libs");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-workstation");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:telnet-client-krb5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:telnet-server-krb5");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");

  script_set_attribute(attribute:"patch_publication_date", value:"2003/04/03");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/31");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2004-2020 Tenable Network Security, Inc.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Package checks are only implemented for x86 targets.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Flag any krb5 package on Mandrake 9.1 that is still below 1.2.7-1.1mdk.
flag = 0;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"ftp-client-krb5-1.2.7-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"ftp-server-krb5-1.2.7-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"krb5-devel-1.2.7-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"krb5-libs-1.2.7-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"krb5-server-1.2.7-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"krb5-workstation-1.2.7-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"telnet-client-krb5-1.2.7-1.1mdk", yank:"mdk")) flag++;
if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"telnet-server-krb5-1.2.7-1.1mdk", yank:"mdk")) flag++;

if (flag)
{
  if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
  else security_hole(0);
  exit(0);
}
else audit(AUDIT_HOST_NOT, "affected");
NASL family: Misc.
NASL id: KERBEROS5_ISSUES.NASL
description: The remote host is running Kerberos 5. There are multiple flaws that affect this product. Make sure you are running the latest version with the latest patches. Note that Nessus could not check for any of the flaws and solely relied on the presence of the service to issue an alert, so this might be a false positive.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 11512
published: 2003-04-03
reporter: This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/11512
title: Kerberos 5 < 1.3.5 Multiple Vulnerabilities
code:

#
# (C) Tenable Network Security, Inc.
#
# This script simply attempts to log into the realm FR.NESSUS.ORG
# with a username of "whatever". It does not check for any flaw (which
# is bad), but that may change in the future.
#

include("compat.inc");

if (description)
{
  script_id(11512);
  script_version("1.26");
  script_cvs_date("Date: 2018/07/12 19:01:16");

  script_cve_id(
    "CVE-2002-0036",
    "CVE-2003-0059",
    "CVE-2003-0060",
    "CVE-2003-0072",
    "CVE-2003-0082",
    "CVE-2003-0138",
    "CVE-2003-0139",
    "CVE-2004-0642",
    "CVE-2004-0643",
    "CVE-2004-0644",
    "CVE-2004-0772"
  );
  script_bugtraq_id(6712, 6713, 6714, 7184, 7185, 11078, 11079);
  script_xref(name:"RHSA", value:"2003:091-01");

  script_name(english:"Kerberos 5 < 1.3.5 Multiple Vulnerabilities");
  script_summary(english:"Check for kerberos");

  script_set_attribute(attribute:"synopsis", value:
"It may be possible to execute arbitrary code on the remote Kerberos server.");
  script_set_attribute(attribute:"description", value:
"The remote host is running Kerberos 5. There are multiple flaws that
affect this product. Make sure you are running the latest version with
the latest patches.

Note that Nessus could not check for any of the flaws and solely relied
on the presence of the service to issue an alert, so this might be a
false positive.");
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?34bb0fc8");
  script_set_attribute(attribute:"solution", value:"Upgrade to Kerberos 5 (krb5) 1.3.5 or later.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  script_cwe_id(119);

  script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/31");
  script_set_attribute(attribute:"patch_publication_date", value:"2004/08/31");
  script_set_attribute(attribute:"plugin_publication_date", value:"2003/04/03");

  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
  script_family(english:"Misc.");

  script_require_keys("Settings/ParanoidReport");
  exit(0);
}

include("audit.inc");
include("global_settings.inc");

if (report_paranoia < 2) audit(AUDIT_PARANOID);

# Client principal placed in the AS-REQ. The KDC is expected to answer with a
# KRB-ERROR (unknown principal); any Kerberos-shaped reply is all this looks for.
name = "whatever";
len = strlen(name);
#len = 1024;

# DER length of the GeneralString holding the name. The one-byte short form
# used here is only valid below 128; the > 256 branches switch to the
# three-byte long form (0x82 hi lo) for an oversized name.
if (len > 256)
{
  len = raw_string(0x82, len / 256, len % 256);
  #len = raw_string(0x84, 0x7F, 0xFF, 0xFF, 0xFF);
}
else len = raw_string(len % 256);

# Lengths of the enclosing ASN.1 elements, each derived from strlen(name).
# Innermost to outermost: pk_len2 (name-string SEQUENCE), pk_len1 ([1]),
# pk_len0 (PrincipalName SEQUENCE), pk_lenE (cname [1]), pk_lenA
# (KDC-REQ-BODY SEQUENCE), pk_lenB (req-body [4]), pk_lenC (KDC-REQ SEQUENCE),
# pk_lenD (AS-REQ [APPLICATION 10]).

# cname [1] holds 0x30, the pk_len0 byte and the (11 + len)-byte SEQUENCE: 13 + len.
pk_lenE = 13 + strlen(name);
if (strlen(name) > 256) pk_lenE = raw_string(0x82, pk_lenE / 256, pk_lenE % 256);
else pk_lenE = raw_string(pk_lenE % 256);

pk_lenD = 186 + strlen(name);
if (strlen(name) > 256) pk_lenD += 14;
if (pk_lenD > 256) pk_lenD = raw_string(0x82, pk_lenD / 256, pk_lenD % 256);
else pk_lenD = raw_string(0x81, pk_lenD % 256);

pk_lenC = 183 + strlen(name);
if (strlen(name) > 256) pk_lenC += 12;
if (pk_lenC > 256) pk_lenC = raw_string(0x82, pk_lenC / 256, pk_lenC % 256);
else pk_lenC = raw_string(0x81, pk_lenC % 256);

pk_lenB = 170 + strlen(name);
if (strlen(name) > 256) pk_lenB += 10;
if (pk_lenB > 256) pk_lenB = raw_string(0x82, pk_lenB / 256, pk_lenB % 256);
else pk_lenB = raw_string(0x81, pk_lenB % 256);

pk_lenA = 167 + strlen(name);
if (strlen(name) > 256) pk_lenA += 8;
if (pk_lenA > 256) pk_lenA = raw_string(0x82, pk_lenA / 256, pk_lenA % 256);
else pk_lenA = raw_string(0x81, pk_lenA % 256);

pk_len0 = 11 + strlen(name);
if (strlen(name) > 256) pk_len0 += 6;
if (pk_len0 > 256) pk_len0 = raw_string(0x82, pk_len0 / 256, pk_len0 % 256);
else pk_len0 = raw_string(pk_len0 % 256);

pk_len1 = 4 + strlen(name);
if (strlen(name) > 256) pk_len1 += 4;
if (pk_len1 > 256) pk_len1 = raw_string(0x82, pk_len1 / 256, pk_len1 % 256);
else pk_len1 = raw_string(pk_len1 % 256);

pk_len2 = 2 + strlen(name);
if (strlen(name) > 256) pk_len2 += 2;
if (pk_len2 > 256) pk_len2 = raw_string(0x82, pk_len2 / 256, pk_len2 % 256);
else pk_len2 = raw_string(pk_len2 % 256);

# Hand-assembled DER AS-REQ (RFC 4120 KDC-REQ), annotated field by field.
req = raw_string(0x6A) + pk_lenD +                     # AS-REQ [APPLICATION 10]
      raw_string(0x30) + pk_lenC +                     #   KDC-REQ SEQUENCE
      raw_string(0xA1, 0x03, 0x02, 0x01, 0x05,         #   pvno [1] INTEGER 5
                 0xA2, 0x03, 0x02, 0x01, 0x0A,         #   msg-type [2] INTEGER 10 (KRB_AS_REQ)
                 0xA4) + pk_lenB +                     #   req-body [4]
      raw_string(0x30) + pk_lenA +                     #     KDC-REQ-BODY SEQUENCE
      raw_string(0xA0, 0x07, 0x03, 0x05,               #     kdc-options [0] BIT STRING,
                 0x00, 0x00, 0x00, 0x00, 0x00,         #       32 flag bits, all clear
                 0xA1) + pk_lenE +                     #     cname [1] PrincipalName
      raw_string(0x30) + pk_len0 +
      raw_string(0xA0, 0x03, 0x02, 0x01, 0x01,         #       name-type [0] 1 (NT-PRINCIPAL)
                 0xA1) + pk_len1 +                     #       name-string [1]
      raw_string(0x30) + pk_len2 +
      raw_string(0x1B) + len + name +                  #         GeneralString name
      raw_string(
        0xA2, 0x0F, 0x1B, 0x0D, 0x46, 0x52, 0x2E, 0x4E, 0x45, 0x53, 0x53, 0x55, 0x53, 0x2E, 0x4F, 0x52, 0x47,   # realm [2] "FR.NESSUS.ORG"
        0xA3, 0x22, 0x30, 0x20, 0xA0, 0x03, 0x02, 0x01, 0x00,                                                     # sname [3], name-type 0
        0xA1, 0x19, 0x30, 0x17, 0x1B, 0x06, 0x6B, 0x72, 0x62, 0x74, 0x67, 0x74,                                   #   "krbtgt"
        0x1B, 0x0D, 0x46, 0x52, 0x2E, 0x4E, 0x45, 0x53, 0x53, 0x55, 0x53, 0x2E, 0x4F, 0x52, 0x47,                 #   "FR.NESSUS.ORG"
        0xA4, 0x11, 0x18, 0x0F, 0x32, 0x30, 0x30, 0x33, 0x30, 0x34, 0x30, 0x33, 0x31, 0x32, 0x35, 0x37, 0x33, 0x38, 0x5A,  # from [4] 20030403125738Z
        0xA5, 0x11, 0x18, 0x0F, 0x32, 0x30, 0x30, 0x33, 0x30, 0x34, 0x30, 0x33, 0x32, 0x32, 0x35, 0x37, 0x33, 0x38, 0x5A,  # till [5] 20030403225738Z
        0xA7, 0x06, 0x02, 0x04, 0x3E, 0x8c, 0x2f, 0xC2,                                                           # nonce [7]
        0xA8, 0x08, 0x30, 0x06, 0x02, 0x01, 0x10, 0x02, 0x01, 0x01,                                               # etype [8] {16 des3-cbc-sha1, 1 des-cbc-crc}
        0xA9, 0x20, 0x30, 0x1E,                                                                                   # addresses [9]
        0x30, 0x0D, 0xA0, 0x03, 0x02, 0x01, 0x02, 0xA1, 0x06, 0x04, 0x04, 0x0A, 0xA3, 0x9c, 0x12,                 #   IPv4 10.163.156.18
        0x30, 0x0D, 0xA0, 0x03, 0x02, 0x01, 0x02, 0xA1, 0x06, 0x04, 0x04, 0x0A, 0xA3, 0x9F, 0x01);                #   IPv4 10.163.159.1

# Probe the standard KDC port and the legacy port 750.
foreach port (make_list(88, 750))
{
  if (get_udp_port_state(port))
  {
    soc = open_sock_udp(port);
    send(socket:soc, data:req);
    r = recv(socket:soc, length:4096);
    close(soc);
    # Offset 10 is the pvno value (5) of a reply whose two outer DER lengths
    # are both in the two-byte long form (0x81 nn), e.g. a typical KRB-ERROR.
    if (strlen(r) > 10 && ord(r[10]) == 5)
    {
      security_hole(port:port, proto:"udp");
    }
  }
}
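The plugin above assembles its AS-REQ by hand, computing nine DER lengths from the name length and testing the reply with a fixed byte offset (`ord(r[10]) == 5`) that only matches when both outer lengths of the reply use the 0x81 long form. The Python script below is an added example, not Tenable's plugin code: it builds the same request from a small DER encoder so every length is derived from content, and parses the reply's outer tags to find pvno and msg-type whatever length form the KDC used. The field values (client "whatever", realm FR.NESSUS.ORG, both timestamps, the nonce, the etype list and the two IPv4 addresses) are copied from the plugin's byte string; the KRB-ERROR used in the test is constructed, not a captured reply.

```python
"""DER AS-REQ builder and KDC reply classifier (added example, not the
plugin's code). Field values mirror the Nessus plugin's raw_string; the
sample KRB-ERROR is constructed here, not captured from a KDC."""
import socket


def der_len(n):
    """Definite length: short form below 128, long form (0x81 nn, 0x82 hi lo, ...) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body

def ctx(n, body):           # context-specific [n], constructed: 0xA0 | n
    return tlv(0xA0 | n, body)

def app(n, body):           # [APPLICATION n], constructed: 0x60 | n
    return tlv(0x60 | n, body)

def seq(*items):
    return tlv(0x30, b"".join(items))

def integer(v):
    n = max(1, (v.bit_length() + 8) // 8)      # leave room for the sign bit
    return tlv(0x02, v.to_bytes(n, "big", signed=True))

def general_string(s):
    return tlv(0x1B, s.encode("ascii"))

def generalized_time(ts):
    return tlv(0x18, ts.encode("ascii"))

def principal(name_type, *components):
    return seq(ctx(0, integer(name_type)),
               ctx(1, seq(*map(general_string, components))))

def host_address(addr, addr_type=2):           # addr-type 2 = IPv4
    return seq(ctx(0, integer(addr_type)), ctx(1, tlv(0x04, addr)))

def build_as_req(client, realm, from_time, till, nonce, etypes, addresses):
    """AS-REQ = [APPLICATION 10] KDC-REQ, with the same fields the plugin sends."""
    body = seq(
        ctx(0, tlv(0x03, b"\x00" + bytes(4))),    # kdc-options: 32 zero bits
        ctx(1, principal(1, client)),              # cname, NT-PRINCIPAL
        ctx(2, general_string(realm)),
        ctx(3, principal(0, "krbtgt", realm)),     # sname with name-type 0, as the plugin sends it
        ctx(4, generalized_time(from_time)),
        ctx(5, generalized_time(till)),
        ctx(7, integer(nonce)),
        ctx(8, seq(*map(integer, etypes))),
        ctx(9, seq(*map(host_address, addresses))),
    )
    return app(10, seq(ctx(1, integer(5)),         # pvno
                       ctx(2, integer(10)),        # msg-type KRB_AS_REQ
                       ctx(4, body)))

def read_tlv(buf, pos=0):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        length = int.from_bytes(buf[pos:pos + (first & 0x7F)], "big")
        pos += first & 0x7F
    return tag, buf[pos:pos + length], pos + length

def kdc_reply_type(reply):
    """(pvno, msg-type) of an AS-REP (tag 0x6B) or KRB-ERROR (tag 0x7E), else None.
    Walks the tags instead of assuming a fixed offset for the pvno byte."""
    tag, body, _ = read_tlv(reply)
    if tag not in (0x6B, 0x7E):
        return None
    _, inner, _ = read_tlv(body)                   # the SEQUENCE
    t0, pvno, pos = read_tlv(inner)
    t1, mtype, _ = read_tlv(inner, pos)
    if (t0, t1) != (0xA0, 0xA1):
        return None
    to_int = lambda t: int.from_bytes(read_tlv(t)[1], "big", signed=True)
    return to_int(pvno), to_int(mtype)

def sample_krb_error(realm, error_code):
    """Constructed KRB-ERROR carrying only the fields RFC 4120 requires (not a captured reply)."""
    return app(30, seq(ctx(0, integer(5)), ctx(1, integer(30)),
                       ctx(4, generalized_time("20030403125738Z")),   # stime
                       ctx(5, integer(0)),                             # susec
                       ctx(6, integer(error_code)),                    # 6 = KDC_ERR_C_PRINCIPAL_UNKNOWN
                       ctx(9, general_string(realm)),
                       ctx(10, principal(0, "krbtgt", realm))))

def probe_kdc(host, req, port=88, timeout=3.0):
    """Send req over UDP, as the plugin does on ports 88 and 750, and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(req, (host, port))
        return kdc_reply_type(s.recv(4096))

# The request the plugin sends for name = "whatever".
PLUGIN_REQ = build_as_req(
    "whatever", "FR.NESSUS.ORG",
    from_time="20030403125738Z", till="20030403225738Z",
    nonce=0x3E8C2FC2, etypes=[16, 1],
    addresses=[bytes([10, 0xA3, 0x9C, 0x12]), bytes([10, 0xA3, 0x9F, 0x01])])
```

`PLUGIN_REQ` is 197 bytes and starts with the plugin's `6A 81 C2 30 81 BF A1 03 02 01 05 A2 03 02 01 0A` prefix. A KRB-ERROR short enough to use single-byte lengths puts its pvno at offset 8 rather than 10, which is why `kdc_reply_type` walks the tags; `probe_kdc("kdc.example.test", PLUGIN_REQ)` (hostname assumed) returns `(5, 30)` for a KRB-ERROR and `(5, 11)` for an AS-REP.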
NASL family: Red Hat Local Security Checks
NASL id: REDHAT-RHSA-2003-052.NASL
description: Updated kerberos packages fix a number of vulnerabilities found in MIT Kerberos. Kerberos is a network authentication system. The MIT Kerberos team released an advisory describing a number of vulnerabilities that affect the kerberos packages shipped by Red Hat. An integer signedness error in the ASN.1 decoder before version 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value. The Common Vulnerabilities and Exposures project has assigned the name CVE-2002-0036 to this issue. The Key Distribution Center (KDC) before version 1.2.5 allows remote, authenticated, attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that : - causes a NULL pointer dereference (CVE-2003-0058). - causes the KDC to corrupt its heap (CVE-2003-0082). A vulnerability in Kerberos before version 1.2.3 allows users from one realm to impersonate users in other realms that have the same inter-realm keys (CVE-2003-0059). The MIT advisory for these issues also mentions format string vulnerabilities in the logging routines (CVE-2003-0060). Previous versions of the kerberos packages from Red Hat already contain fixes for this issue. Vulnerabilities have been found in the implementation of support for triple-DES keys in the implementation of the Kerberos IV authentication protocol included in MIT Kerberos (CVE-2003-0139). Vulnerabilities have been found in the Kerberos IV authentication protocol which allow an attacker with knowledge of a cross-realm key that is shared with another realm to impersonate any principal in that realm to any service in that realm. This vulnerability can only be closed by disabling cross-realm authentication in Kerberos IV (CVE-2003-0138). Vulnerabilities have been found in the RPC library used by the kadmin service in Kerberos 5. A faulty length check in the RPC library exposes kadmind to an integer overflow which can be used to crash kadmind (CVE-2003-0028). All users of Kerberos are advised to upgrade to these errata packages, which disable cross-realm authentication by default for Kerberos IV and which contain backported patches to correct these issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 12364
published: 2004-07-06
reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/12364
title: RHEL 2.1 : krb5 (RHSA-2003:052)
code:

#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Red Hat Security Advisory RHSA-2003:052. The text
# itself is copyright (C) Red Hat, Inc.
#

include("compat.inc");

if (description)
{
  script_id(12364);
  script_version ("1.32");
  script_cvs_date("Date: 2019/10/25 13:36:10");

  script_cve_id("CVE-2002-0036", "CVE-2003-0028", "CVE-2003-0058", "CVE-2003-0059", "CVE-2003-0072", "CVE-2003-0082", "CVE-2003-0138", "CVE-2003-0139", "CVE-2004-0772");
  script_xref(name:"RHSA", value:"2003:052");

  script_name(english:"RHEL 2.1 : krb5 (RHSA-2003:052)");
  script_summary(english:"Checks the rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Red Hat host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:
"Updated kerberos packages fix a number of vulnerabilities found in MIT
Kerberos.

Kerberos is a network authentication system.

The MIT Kerberos team released an advisory describing a number of
vulnerabilities that affect the kerberos packages shipped by Red Hat.

An integer signedness error in the ASN.1 decoder before version 1.2.5
allows remote attackers to cause a denial of service via a large
unsigned data element length, which is later used as a negative value.
The Common Vulnerabilities and Exposures project has assigned the name
CVE-2002-0036 to this issue.

The Key Distribution Center (KDC) before version 1.2.5 allows remote,
authenticated, attackers to cause a denial of service (crash) on KDCs
within the same realm via a certain protocol request that :

  - causes a NULL pointer dereference (CVE-2003-0058).

  - causes the KDC to corrupt its heap (CVE-2003-0082).

A vulnerability in Kerberos before version 1.2.3 allows users from one
realm to impersonate users in other realms that have the same
inter-realm keys (CVE-2003-0059).

The MIT advisory for these issues also mentions format string
vulnerabilities in the logging routines (CVE-2003-0060). Previous
versions of the kerberos packages from Red Hat already contain fixes
for this issue.

Vulnerabilities have been found in the implementation of support for
triple-DES keys in the implementation of the Kerberos IV authentication
protocol included in MIT Kerberos (CVE-2003-0139).

Vulnerabilities have been found in the Kerberos IV authentication
protocol which allow an attacker with knowledge of a cross-realm key
that is shared with another realm to impersonate any principal in that
realm to any service in that realm. This vulnerability can only be
closed by disabling cross-realm authentication in Kerberos IV
(CVE-2003-0138).

Vulnerabilities have been found in the RPC library used by the kadmin
service in Kerberos 5. A faulty length check in the RPC library exposes
kadmind to an integer overflow which can be used to crash kadmind
(CVE-2003-0028).

All users of Kerberos are advised to upgrade to these errata packages,
which disable cross-realm authentication by default for Kerberos IV and
which contain backported patches to correct these issues."
  );
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2002-0036");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0028");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0058");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0059");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0072");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0082");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0138");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2003-0139");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/security/cve/cve-2004-0772");
  script_set_attribute(attribute:"see_also", value:"http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-005-buf.txt");
  # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?49b852e4");
  script_set_attribute(attribute:"see_also", value:"http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-003-xdr.txt");
  # http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-001-multiple.txt
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?d4ced782");
  script_set_attribute(attribute:"see_also", value:"https://access.redhat.com/errata/RHSA-2003:052");
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_cwe_id(119);

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-devel");
script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-workstation"); script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1"); script_set_attribute(attribute:"vuln_publication_date", value:"2003/02/19"); script_set_attribute(attribute:"patch_publication_date", value:"2003/03/27"); script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/06"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Red Hat Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat"); os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat"); os_ver = os_ver[1]; if (! 
preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu); if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu); yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo"); if (!empty_or_null(yum_updateinfo)) { rhsa = "RHSA-2003:052"; yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa); if (!empty_or_null(yum_report)) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : yum_report ); exit(0); } else { audit_message = "affected by Red Hat security advisory " + rhsa; audit(AUDIT_OS_NOT, audit_message); } } else { flag = 0; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-devel-1.2.2-24")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-libs-1.2.2-24")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-server-1.2.2-24")) flag++; if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-workstation-1.2.2-24")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_HOLE, extra : rpm_report_get() + redhat_report_package_caveat() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-server / krb5-workstation"); } }
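The plugin above decides whether a host is affected by comparing each installed package's name-version-release against the four fixed builds from RHSA-2003:052, using rpm's own ordering rules (a build that is merely string-different is not enough; `1.2.2-9` must sort below `1.2.2-24`). What follows is an added example, not Tenable's rpm.inc code and not from the page: a Python port of rpm's rpmvercmp segment rules (the newer `^` operator is left out), a parser for `name-[epoch:]version-release[.arch]` strings, and a check of constructed `rpm -qa` output against the advisory's references. The sample package list, the arch-suffix pattern and all function names are assumptions made for illustration.

```python
"""Compare installed RPMs against the fixed builds named in RHSA-2003:052,
using the same version-ordering rules that rpm applies (rpmvercmp)."""
import re
from typing import Callable, Dict, List, Tuple

# Fixed builds taken from the advisory's package checks (RHEL 2.1, i386).
RHSA_2003_052_FIXED = [
    "krb5-devel-1.2.2-24",
    "krb5-libs-1.2.2-24",
    "krb5-server-1.2.2-24",
    "krb5-workstation-1.2.2-24",
]

# Constructed `rpm -qa` output for illustration; not taken from a real host.
SAMPLE_RPM_QA = """\
krb5-libs-1.2.2-14
krb5-workstation-1.2.2-14
krb5-devel-1.2.2-24
openssl-0.9.6b-28
"""

# Assumed set of arch suffixes to strip when `rpm -qa` was run with an arch-bearing format.
_ARCH_SUFFIX = re.compile(r"\.(noarch|i[3-6]86|x86_64|ia64|s390x?|ppc64?|athlon)$")

NEVR = Tuple[str, int, str, str]  # (name, epoch, version, release)


def parse_nevr(pkg: str) -> NEVR:
    """Split 'name-[epoch:]version-release[.arch]' into its parts. Package names
    may themselves contain hyphens, so split from the right: the last two
    hyphens delimit version and release."""
    pkg = _ARCH_SUFFIX.sub("", pkg.strip())
    name, version, release = pkg.rsplit("-", 2)
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    return name, epoch, version, release


def _take(s: str, start: int, pred: Callable[[str], bool]) -> str:
    """Return the run of characters from s[start] for which pred holds."""
    end = start
    while end < len(s) and pred(s[end]):
        end += 1
    return s[start:end]


def rpmvercmp(a: str, b: str) -> int:
    """rpm's version ordering: 1 if a is newer, -1 if b is newer, 0 if equal.
    Strings are walked as alternating numeric and alphabetic segments;
    separators are skipped; numeric segments compare by value (leading zeros
    ignored) and rank above alphabetic ones; '~' sorts before anything,
    including end of string, so 1.0~rc1 < 1.0. The '^' operator of newer rpm
    is not implemented (assumed unnecessary for RHEL 2.1-era versions)."""
    if a == b:
        return 0
    i, j = 0, 0
    while i < len(a) or j < len(b):
        while i < len(a) and not (a[i].isalnum() or a[i] == "~"):
            i += 1
        while j < len(b) and not (b[j].isalnum() or b[j] == "~"):
            j += 1
        a_tilde = i < len(a) and a[i] == "~"
        b_tilde = j < len(b) and b[j] == "~"
        if a_tilde or b_tilde:
            if not a_tilde:
                return 1
            if not b_tilde:
                return -1
            i, j = i + 1, j + 1
            continue
        if i >= len(a) or j >= len(b):
            break
        numeric = a[i].isdigit()
        pred = str.isdigit if numeric else str.isalpha
        seg_a, seg_b = _take(a, i, pred), _take(b, j, pred)
        i, j = i + len(seg_a), j + len(seg_b)
        if not seg_b:  # segments of different type: numeric wins
            return 1 if numeric else -1
        if numeric:
            seg_a, seg_b = seg_a.lstrip("0"), seg_b.lstrip("0")
            if len(seg_a) != len(seg_b):
                return 1 if len(seg_a) > len(seg_b) else -1
        if seg_a != seg_b:
            return 1 if seg_a > seg_b else -1
    if i >= len(a) and j >= len(b):
        return 0
    return -1 if i >= len(a) else 1  # the string with segments left over is newer


def evr_cmp(installed: NEVR, fixed: NEVR) -> int:
    """Order two parsed packages: epoch first, then version, then release."""
    if installed[1] != fixed[1]:
        return 1 if installed[1] > fixed[1] else -1
    c = rpmvercmp(installed[2], fixed[2])
    return c if c else rpmvercmp(installed[3], fixed[3])


def check_advisory(rpm_qa_output: str, fixed_refs: List[str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed, fixed) for each installed package older than the
    advisory's fixed build. Packages that are not installed are skipped, as the
    plugin does; an equal or newer build is not reported."""
    installed: Dict[str, Tuple[str, NEVR]] = {}
    for line in rpm_qa_output.splitlines():
        if line.strip():
            nevr = parse_nevr(line)
            installed[nevr[0]] = (line.strip(), nevr)
    findings = []
    for ref in fixed_refs:
        fixed = parse_nevr(ref)
        if fixed[0] in installed:
            raw, have = installed[fixed[0]]
            if evr_cmp(have, fixed) < 0:
                findings.append((fixed[0], raw, ref))
    return findings


if __name__ == "__main__":
    for name, have, need in check_advisory(SAMPLE_RPM_QA, RHSA_2003_052_FIXED):
        print(f"{name}: installed {have}, fixed in {need}")
```

On the sample list this reports krb5-libs and krb5-workstation (release 14 sorts below 24), leaves krb5-devel alone because it is already at the fixed build, and says nothing about krb5-server because it is not installed. Feed it real `rpm -qa` output and the advisory's reference strings and you have the same decision the plugin's `rpm_check` branch makes, minus the OS and arch gating.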
Oval
Field | Value |
---|---|
accepted | 2007-04-25T19:52:23.823-04:00 |
class | vulnerability |
description | Certain weaknesses in the implementation of version 4 of the Kerberos protocol (krb4) in the krb5 distribution, when triple-DES keys are used to key krb4 services, allow an attacker to create krb4 tickets for unauthorized principals using a cut-and-paste attack and "ticket splicing." |
family | unix |
id | oval:org.mitre.oval:def:250 |
status | accepted |
submitted | 2003-08-14T12:00:00.000-04:00 |
title | Kerberos krb4 Ticket Splicing Vulnerability |
version | 38 |
References
- http://marc.info/?l=bugtraq&m=104791775804776&w=2
- http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
- http://www.debian.org/security/2003/dsa-266
- http://www.debian.org/security/2003/dsa-273
- http://www.kb.cert.org/vuls/id/442569
- http://www.redhat.com/support/errata/RHSA-2003-051.html
- http://www.redhat.com/support/errata/RHSA-2003-052.html
- http://www.redhat.com/support/errata/RHSA-2003-091.html
- http://www.securityfocus.com/archive/1/316960/30/25250/threaded
- http://www.securityfocus.com/archive/1/317130/30/25250/threaded
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A250