Vulnerabilities > CVE-2004-0772 - Double Free vulnerability in multiple products

CVSS 9.8 - CRITICAL
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: HIGH
Tags: network, low complexity, mit, openpkg, debian, CWE-415, critical, nessus

Summary

Double free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.

Scope, as the vendor advisories quoted below state it: the flaw is in the krb524 server (krb524d), was found by Marc Horowitz, and was published in MITKRB5-SA-2004-002 together with the KDC and library double frees CVE-2004-0642 and CVE-2004-0643 (the ASN.1 decoder infinite loop is CVE-2004-0644). Red Hat Enterprise Linux 2.1 had already fixed it in the earlier erratum RHSA-2003:052, Fedora Core 1 and 2 are not affected, and Debian woody's krb5 is not affected either, so the 9.8 CRITICAL score above describes unpatched upstream krb5 1.2.8 and earlier, not every distribution package that carries the krb5 name. The Nessus plugins below rate the same issue with the CVSS v2 vector AV:N/AC:L/Au:N/C:P/I:P/A:P (base score 7.5).
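The shape of the flaw the summary names, a free in an error branch followed by a shared cleanup that frees the same pointer again, shown next to a hardened form. This is an added illustration, not krb524d's code (the page does not show it): the handler names, the version-byte check and the request bytes are constructed for the example, and the free-tracking shim stands in for a sanitizer so the double free is counted rather than crashing the process.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Added illustration of CWE-415 in an error path. NOT krb524d's code; the
 * handler, its version-byte check and the request bytes are constructed.
 */

/* Free-tracking shim: every released pointer is quarantined (never handed
 * back to malloc), so a second release of the same pointer is reported
 * instead of corrupting the heap. A stand-in for what ASan does. */
#define MAX_TRACKED 64
static void *freed_ptrs[MAX_TRACKED];
static int freed_count;
static int double_free_hits;

static void tracked_reset(void) { freed_count = 0; double_free_hits = 0; }

static void tracked_free(void *p) {
    if (p == NULL) return;                      /* free(NULL) is a no-op */
    for (int i = 0; i < freed_count; i++) {
        if (freed_ptrs[i] == p) {               /* already released: CWE-415 */
            double_free_hits++;
            return;
        }
    }
    if (freed_count < MAX_TRACKED) freed_ptrs[freed_count++] = p;
    /* intentionally not calling free(p): the quarantine keeps addresses unique */
}

/* Constructed requests: the first byte is a hypothetical protocol version. */
static const unsigned char GOOD_REQ[] = { 0x05, 'k', 'r', 'b' };
static const unsigned char BAD_REQ[]  = { 0x00, 0x01, 0x02, 0x03, 0x04 };

/* Vulnerable shape: the error branch frees `ticket`, then jumps to the
 * shared cleanup, which frees `ticket` a second time. */
static int convert_ticket_vulnerable(const unsigned char *req, size_t len) {
    unsigned char *ticket = NULL, *reply = NULL;
    int ret = -1;

    ticket = malloc(len);
    if (ticket == NULL) goto cleanup;
    memcpy(ticket, req, len);

    reply = malloc(len);
    if (reply == NULL) goto cleanup;

    if (len < 4 || ticket[0] != 0x05) {         /* malformed request */
        tracked_free(ticket);                   /* released here ... */
        goto cleanup;                           /* ... and again in cleanup */
    }
    memcpy(reply, ticket, len);
    ret = 0;

cleanup:
    tracked_free(ticket);
    tracked_free(reply);
    return ret;
}

/* Hardened shape: the error branch only records the failure; cleanup is the
 * single owner of every free, and each pointer is nulled after release so an
 * accidental extra free becomes a harmless free(NULL). */
static int convert_ticket_fixed(const unsigned char *req, size_t len) {
    unsigned char *ticket = NULL, *reply = NULL;
    int ret = -1;

    ticket = malloc(len);
    if (ticket == NULL) goto cleanup;
    memcpy(ticket, req, len);

    reply = malloc(len);
    if (reply == NULL) goto cleanup;

    if (len < 4 || ticket[0] != 0x05) {
        ret = -2;                               /* malformed request */
        goto cleanup;
    }
    memcpy(reply, ticket, len);
    ret = 0;

cleanup:
    tracked_free(ticket); ticket = NULL;
    tracked_free(reply);  reply = NULL;
    return ret;
}

/* Runs a handler on the malformed request and returns how many double frees
 * the shim caught. */
static int double_frees_on_bad_input(int (*handler)(const unsigned char *, size_t)) {
    tracked_reset();
    handler(BAD_REQ, sizeof BAD_REQ);
    return double_free_hits;
}

int main(void) {
    printf("vulnerable handler: %d double free(s)\n",
           double_frees_on_bad_input(convert_ticket_vulnerable));
    printf("fixed handler:      %d double free(s)\n",
           double_frees_on_bad_input(convert_ticket_fixed));
    printf("fixed handler, well-formed request: rc=%d\n",
           convert_ticket_fixed(GOOD_REQ, sizeof GOOD_REQ));
    return 0;
}
```

The point of the shim is that a real double free under glibc usually aborts with "double free or corruption", which hides the defect behind a crash; quarantining freed pointers and counting repeats is the same idea AddressSanitizer uses, and the well-formed request shows that the vulnerable handler behaves correctly on the happy path, which is exactly why error-path double frees survive testing.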

Common Weakness Enumeration (CWE)

CWE-415: Double Free. The Nessus plugins below carry script_cwe_id(119), the broader memory-buffer-bounds weakness, rather than CWE-415; the page's own tag is the more specific one.

Nessus

  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-543.NASL
    description: The MIT Kerberos Development Team has discovered a number of vulnerabilities in the MIT Kerberos Version 5 software. The Common Vulnerabilities and Exposures project identifies the following vulnerabilities : - CAN-2004-0642 [VU#795632] A double-free error may allow unauthenticated remote attackers to execute arbitrary code on KDC or clients. - CAN-2004-0643 [VU#866472] Several double-free errors may allow authenticated attackers to execute arbitrary code on Kerberos application servers. - CAN-2004-0644 [VU#550464] A remotely exploitable denial of service vulnerability has been found in the KDC and libraries. - CAN-2004-0772 [VU#350792] Several double-free errors may allow remote attackers to execute arbitrary code on the server. This does not affect the version in woody.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 15380
    published: 2004-09-29
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/15380
    title: Debian DSA-543-1 : krb5 - several vulnerabilities
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-543. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(15380);
      script_version("1.25");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2004-0642", "CVE-2004-0643", "CVE-2004-0644", "CVE-2004-0772");
      script_xref(name:"CERT", value:"350792");
      script_xref(name:"CERT", value:"550464");
      script_xref(name:"CERT", value:"795632");
      script_xref(name:"CERT", value:"866472");
      script_xref(name:"DSA", value:"543");
    
      script_name(english:"Debian DSA-543-1 : krb5 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "The MIT Kerberos Development Team has discovered a number of
    vulnerabilities in the MIT Kerberos Version 5 software. The Common
    Vulnerabilities and Exposures project identifies the following
    vulnerabilities :
    
      - CAN-2004-0642 [VU#795632]
        A double-free error may allow unauthenticated remote
        attackers to execute arbitrary code on KDC or clients.
    
      - CAN-2004-0643 [VU#866472]
    
        Several double-free errors may allow authenticated
        attackers to execute arbitrary code on Kerberos
        application servers.
    
      - CAN-2004-0644 [VU#550464]
    
        A remotely exploitable denial of service vulnerability
        has been found in the KDC and libraries.
    
      - CAN-2004-0772 [VU#350792]
    
        Several double-free errors may allow remote attackers to
        execute arbitrary code on the server. This does not
        affect the version in woody."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2004/dsa-543"
      );
      script_set_attribute(
        attribute:"solution", 
        value:
    "Upgrade the krb5 packages.
    
    For the stable distribution (woody) these problems have been fixed in
    version 1.2.4-5woody6."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.0");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/29");
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.0", prefix:"krb5-admin-server", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-clients", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-doc", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-ftpd", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-kdc", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-rsh-server", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-telnetd", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"krb5-user", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"libkadm55", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"libkrb5-dev", reference:"1.2.4-5woody6")) flag++;
    if (deb_check(release:"3.0", prefix:"libkrb53", reference:"1.2.4-5woody6")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2004-448.NASL
    description: Updated Kerberos (krb5) packages that correct double-free and ASN.1 parsing bugs are now available for Red Hat Enterprise Linux. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue was fixed for Red Hat Enterprise Linux 2.1 users by a previous erratum, RHSA-2003:052. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14596
    published: 2004-09-01
    reporter: This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/14596
    title: RHEL 2.1 : krb5 (RHSA-2004:448)
    code:
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2004:448. The text 
    # itself is copyright (C) Red Hat, Inc.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14596);
      script_version ("1.29");
      script_cvs_date("Date: 2019/10/25 13:36:10");
    
      script_cve_id("CVE-2004-0642", "CVE-2004-0643", "CVE-2004-0644");
      script_xref(name:"RHSA", value:"2004:448");
    
      script_name(english:"RHEL 2.1 : krb5 (RHSA-2004:448)");
      script_summary(english:"Checks the rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Red Hat host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated Kerberos (krb5) packages that correct double-free and ASN.1
    parsing bugs are now available for Red Hat Enterprise Linux.
    
    Kerberos is a networked authentication system that uses a trusted
    third party (a KDC) to authenticate clients and servers to each other.
    
    Several double-free bugs were found in the Kerberos 5 KDC and
    libraries. A remote attacker could potentially exploit these flaws to
    execute arbitrary code. The Common Vulnerabilities and Exposures
    project (cve.mitre.org) has assigned the names CVE-2004-0642 and
    CVE-2004-0643 to these issues.
    
    A double-free bug was also found in the krb524 server (CVE-2004-0772),
    however this issue was fixed for Red Hat Enterprise Linux 2.1 users by
    a previous erratum, RHSA-2003:052.
    
    An infinite loop bug was found in the Kerberos 5 ASN.1 decoder
    library. A remote attacker may be able to trigger this flaw and cause
    a denial of service. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue.
    
    All users of krb5 should upgrade to these updated packages, which
    contain backported security patches to resolve these issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0642"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0643"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/security/cve/cve-2004-0644"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://web.mit.edu/kerberos/advisories/"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://access.redhat.com/errata/RHSA-2004:448"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:redhat:enterprise_linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:redhat:enterprise_linux:2.1");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2004/09/28");
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/01");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Red Hat Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list", "Host/cpu");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("misc_func.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Red Hat" >!< release) audit(AUDIT_OS_NOT, "Red Hat");
    os_ver = pregmatch(pattern: "Red Hat Enterprise Linux.*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Red Hat");
    os_ver = os_ver[1];
    if (! preg(pattern:"^2\.1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Red Hat 2.1", "Red Hat " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$" && "s390" >!< cpu) audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Red Hat", cpu);
    if (cpu !~ "^i[3-6]86$") audit(AUDIT_ARCH_NOT, "i386", cpu);
    
    yum_updateinfo = get_kb_item("Host/RedHat/yum-updateinfo");
    if (!empty_or_null(yum_updateinfo)) 
    {
      rhsa = "RHSA-2004:448";
      yum_report = redhat_generate_yum_updateinfo_report(rhsa:rhsa);
      if (!empty_or_null(yum_report))
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : yum_report 
        );
        exit(0);
      }
      else
      {
        audit_message = "affected by Red Hat security advisory " + rhsa;
        audit(AUDIT_OS_NOT, audit_message);
      }
    }
    else
    {
      flag = 0;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-devel-1.2.2-31")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-libs-1.2.2-31")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-server-1.2.2-31")) flag++;
      if (rpm_check(release:"RHEL2.1", cpu:"i386", reference:"krb5-workstation-1.2.2-31")) flag++;
    
      if (flag)
      {
        security_report_v4(
          port       : 0,
          severity   : SECURITY_HOLE,
          extra      : rpm_report_get() + redhat_report_package_caveat()
        );
        exit(0);
      }
      else
      {
        tested = pkg_tests_get();
        if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
        else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-server / krb5-workstation");
      }
    }
    
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRAKE_MDKSA-2004-088.NASL
    description: A double-free vulnerability exists in the MIT Kerberos 5's KDC program that could potentially allow a remote attacker to execute arbitrary code on the KDC host. As well, multiple double-free vulnerabilities exist in the krb5 library code, which makes client programs and application servers vulnerable. The MIT Kerberos 5 development team believes that exploitation of these bugs would be difficult and no known vulnerabilities are believed to exist. The vulnerability in krb524d was discovered by Marc Horowitz; the other double-free vulnerabilities were discovered by Will Fiveash and Nico Williams at Sun.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14673
    published: 2004-09-07
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14673
    title: Mandrake Linux Security Advisory : krb5 (MDKSA-2004:088)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandrake Linux Security Advisory MDKSA-2004:088. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14673);
      script_version ("1.19");
      script_cvs_date("Date: 2019/08/02 13:32:47");
    
      script_cve_id("CVE-2004-0642", "CVE-2004-0643", "CVE-2004-0644", "CVE-2004-0772");
      script_xref(name:"CERT", value:"350792");
      script_xref(name:"CERT", value:"550464");
      script_xref(name:"CERT", value:"795632");
      script_xref(name:"CERT", value:"866472");
      script_xref(name:"MDKSA", value:"2004:088");
    
      script_name(english:"Mandrake Linux Security Advisory : krb5 (MDKSA-2004:088)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandrake Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A double-free vulnerability exists in the MIT Kerberos 5's KDC program
    that could potentially allow a remote attacker to execute arbitrary
    code on the KDC host. As well, multiple double-free vulnerabilities
    exist in the krb5 library code, which makes client programs and
    application servers vulnerable. The MIT Kerberos 5 development team
    believes that exploitation of these bugs would be difficult and no
    known vulnerabilities are believed to exist. The vulnerability in
    krb524d was discovered by Marc Horowitz; the other double-free
    vulnerabilities were discovered by Will Fiveash and Nico Williams at
    Sun.
    
    Will Fiveash and Nico Williams also found another vulnerability in the
    ASN.1 decoder library. This makes krb5 vulnerable to a DoS (Denial of
    Service) attack causing an infinite loop in the decoder. The KDC is
    vulnerable to this attack.
    
    The MIT Kerberos 5 team has provided patches which have been applied
    to the updated software to fix these issues. Mandrakesoft encourages
    all users to upgrade immediately."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ftp-client-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:ftp-server-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64krb51");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64krb51-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libkrb51");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libkrb51-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:telnet-client-krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:telnet-server-krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:10.0");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.1");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandrakesoft:mandrake_linux:9.2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/09/07");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);
    
    
    flag = 0;
    if (rpm_check(release:"MDK10.0", reference:"ftp-client-krb5-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"ftp-server-krb5-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"krb5-server-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"krb5-workstation-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64krb51-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"amd64", reference:"lib64krb51-devel-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libkrb51-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", cpu:"i386", reference:"libkrb51-devel-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"telnet-client-krb5-1.3-6.3.100mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK10.0", reference:"telnet-server-krb5-1.3-6.3.100mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"ftp-client-krb5-1.2.7-1.4.91mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"ftp-server-krb5-1.2.7-1.4.91mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"krb5-devel-1.2.7-1.4.91mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"krb5-libs-1.2.7-1.4.91mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"krb5-server-1.2.7-1.4.91mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"krb5-workstation-1.2.7-1.4.91mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"telnet-client-krb5-1.2.7-1.4.91mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.1", cpu:"i386", reference:"telnet-server-krb5-1.2.7-1.4.91mdk", yank:"mdk")) flag++;
    
    if (rpm_check(release:"MDK9.2", reference:"ftp-client-krb5-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"ftp-server-krb5-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"krb5-server-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"krb5-workstation-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64krb51-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"amd64", reference:"lib64krb51-devel-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libkrb51-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", cpu:"i386", reference:"libkrb51-devel-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"telnet-client-krb5-1.3-3.3.92mdk", yank:"mdk")) flag++;
    if (rpm_check(release:"MDK9.2", reference:"telnet-server-krb5-1.3-3.3.92mdk", yank:"mdk")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-277.NASL
    description: Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue does not affect Fedora Core. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14593
    published: 2004-08-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14593
    title: Fedora Core 2 : krb5-1.3.4-6 (2004-277)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2004-277.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14593);
      script_version ("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      script_cve_id("CVE-2004-0642", "CVE-2004-0643");
      script_xref(name:"FEDORA", value:"2004-277");
    
      script_name(english:"Fedora Core 2 : krb5-1.3.4-6 (2004-277)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Kerberos is a networked authentication system which uses a trusted
    third-party (a KDC) to authenticate clients and servers to each other.
    
    Several double-free bugs were found in the Kerberos 5 KDC and
    libraries. A remote attacker could potentially exploit these flaws to
    execute arbitrary code. The Common Vulnerabilities and Exposures
    project (cve.mitre.org) has assigned the names CVE-2004-0642 and
    CVE-2004-0643 to these issues.
    
    A double-free bug was also found in the krb524 server (CVE-2004-0772),
    however this issue does not affect Fedora Core.
    
    An infinite loop bug was found in the Kerberos 5 ASN.1 decoder
    library. A remote attacker may be able to trigger this flaw and cause
    a denial of service. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2004-August/000273.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?15b57fbe"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:2");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^2([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 2.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC2", reference:"krb5-debuginfo-1.3.4-6")) flag++;
    if (rpm_check(release:"FC2", reference:"krb5-devel-1.3.4-6")) flag++;
    if (rpm_check(release:"FC2", reference:"krb5-libs-1.3.4-6")) flag++;
    if (rpm_check(release:"FC2", reference:"krb5-server-1.3.4-6")) flag++;
    if (rpm_check(release:"FC2", reference:"krb5-workstation-1.3.4-6")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-debuginfo / krb5-devel / krb5-libs / krb5-server / etc");
    }
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2004-276.NASL
    description: Kerberos is a networked authentication system which uses a trusted third-party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue does not affect Fedora Core. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 14592
    published: 2004-08-31
    reporter: This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/14592
    title: Fedora Core 1 : krb5-1.3.4-5 (2004-276)
    code:
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2004-276.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(14592);
      script_version ("1.21");
      script_cvs_date("Date: 2019/08/02 13:32:23");
    
      script_cve_id("CVE-2004-0642", "CVE-2004-0643");
      script_xref(name:"FEDORA", value:"2004-276");
    
      script_name(english:"Fedora Core 1 : krb5-1.3.4-5 (2004-276)");
      script_summary(english:"Checks rpm output for the updated packages.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora Core host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Kerberos is a networked authentication system which uses a trusted
    third-party (a KDC) to authenticate clients and servers to each other.
    
    Several double-free bugs were found in the Kerberos 5 KDC and
    libraries. A remote attacker could potentially exploit these flaws to
    execute arbitrary code. The Common Vulnerabilities and Exposures
    project (cve.mitre.org) has assigned the names CVE-2004-0642 and
    CVE-2004-0643 to these issues.
    
    A double-free bug was also found in the krb524 server (CVE-2004-0772),
    however this issue does not affect Fedora Core.
    
    An infinite loop bug was found in the Kerberos 5 ASN.1 decoder
    library. A remote attacker may be able to trigger this flaw and cause
    a denial of service. The Common Vulnerabilities and Exposures project
    (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue.
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      # https://lists.fedoraproject.org/pipermail/announce/2004-August/000272.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?fb8d8599"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-debuginfo");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora_core:1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2004/08/31");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/08/31");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Fedora Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^1([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 1.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    flag = 0;
    if (rpm_check(release:"FC1", reference:"krb5-debuginfo-1.3.4-5")) flag++;
    if (rpm_check(release:"FC1", reference:"krb5-devel-1.3.4-5")) flag++;
    if (rpm_check(release:"FC1", reference:"krb5-libs-1.3.4-5")) flag++;
    if (rpm_check(release:"FC1", reference:"krb5-server-1.3.4-5")) flag++;
    if (rpm_check(release:"FC1", reference:"krb5-workstation-1.3.4-5")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-debuginfo / krb5-devel / krb5-libs / krb5-server / etc");
    }
    
  • NASL familyMisc.
    NASL idKERBEROS5_ISSUES.NASL
    descriptionThe remote host is running Kerberos 5. There are multiple flaws that affect this product. Make sure you are running the latest version with the latest patches. Note that Nessus could not check for any of the flaws and solely relied on the presence of the service to issue an alert, so this might be a false positive.
    last seen2020-06-01
    modified2020-06-02
    plugin id11512
    published2003-04-03
    reporterThis script is Copyright (C) 2003-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/11512
    titleKerberos 5 < 1.3.5 Multiple Vulnerabilities
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    # This script simply attempts to log into the realm FR.NESSUS.ORG
    # with a username of "whatever". It does not check for any flaw (which
    # is bad), but that may change in the future.
    #
    
    include("compat.inc");
    
    if (description)
    {
     script_id(11512);
     script_version("1.26");
     script_cvs_date("Date: 2018/07/12 19:01:16");
    
     script_cve_id(
       "CVE-2002-0036",
       "CVE-2003-0059",
       "CVE-2003-0060",
       "CVE-2003-0072",
       "CVE-2003-0082",
       "CVE-2003-0138",
       "CVE-2003-0139",
       "CVE-2004-0642",
       "CVE-2004-0643",
       "CVE-2004-0644",
       "CVE-2004-0772"
    );
     script_bugtraq_id(
       6712,
       6713,
       6714,
       7184,
       7185,
       11078,
       11079
    );
     script_xref(name:"RHSA", value:"2003:091-01");
    
     script_name(english:"Kerberos 5 < 1.3.5 Multiple Vulnerabilities");
     script_summary(english:"Check for kerberos");
    
     script_set_attribute(attribute:"synopsis", value:
    "It may be possible to execute arbitrary code on the remote Kerberos
    server.");
     script_set_attribute(attribute:"description", value:
    "The remote host is running Kerberos 5.
    
    There are multiple flaws that affect this product. Make sure you are
    running the latest version with the latest patches.
    
    Note that Nessus could not check for any of the flaws and solely
    relied on the presence of the service to issue an alert, so this might
    be a false positive.");
     script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?34bb0fc8");
     script_set_attribute(attribute:"solution", value:"Upgrade to Kerberos 5 (krb5) 1.3.5 or later.");
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"false");
     script_cwe_id(119);
    
     script_set_attribute(attribute:"vuln_publication_date", value:"2004/08/31");
     script_set_attribute(attribute:"patch_publication_date", value:"2004/08/31");
     script_set_attribute(attribute:"plugin_publication_date", value:"2003/04/03");
    
     script_set_attribute(attribute:"potential_vulnerability", value:"true");
     script_set_attribute(attribute:"plugin_type", value:"remote");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2003-2018 Tenable Network Security, Inc.");
     script_family(english:"Misc.");
    
     script_require_keys("Settings/ParanoidReport");
    
     exit(0);
    }
    
    include("audit.inc");
    include("global_settings.inc");
    
    if (report_paranoia < 2) audit(AUDIT_PARANOID);
    
    
    name = "whatever";
    
    len = strlen(name);
    #len = 1024;
    if(len > 256)
    {
     len = raw_string(0x82, len / 256, len % 256);
    #len = raw_string(0x84, 0x7F, 0xFF, 0xFF, 0xFF);
    }
    else len = raw_string(len % 256);
    
    pk_lenE = 12 + strlen(name);
    if(strlen(name) > 256)
     pk_lenE = raw_string(0x82, pk_lenE / 256, pk_lenE % 256);
    else
     pk_lenE = raw_string( pk_lenE % 256);
    
    
    pk_lenD = 186 + strlen(name);
    if(strlen(name) > 256)pk_lenD += 14;
    if(pk_lenD > 256)
     pk_lenD = raw_string(0x82, pk_lenD / 256, pk_lenD % 256);
    else
     pk_lenD = raw_string(0x81, pk_lenD % 256);
    
    
    
    pk_lenC = 183 + strlen(name);
    if(strlen(name) > 256)pk_lenC += 12;
    if(pk_lenC > 256)
     pk_lenC = raw_string(0x82, pk_lenC / 256, pk_lenC % 256);
    else
     pk_lenC = raw_string(0x81, pk_lenC % 256);
    
    
    pk_lenB = 170 + strlen(name);
    if(strlen(name) > 256)pk_lenB += 10;
    if(pk_lenB > 256)
     pk_lenB = raw_string(0x82, pk_lenB / 256, pk_lenB % 256);
    else
     pk_lenB = raw_string(0x81, pk_lenB % 256);
    
    
    pk_lenA = 167 + strlen(name);
    if(strlen(name) > 256)pk_lenA += 8;
    if(pk_lenA > 256)
     pk_lenA = raw_string(0x82, pk_lenA / 256, pk_lenA % 256);
    else
     pk_lenA = raw_string(0x81, pk_lenA % 256);
    
    
    pk_len0 = 11 + strlen(name);
    if(strlen(name) > 256) pk_len0 += 6;
    if(pk_len0 > 256)
    {
     pk_len0 = raw_string(0x82, pk_len0 / 256, pk_len0 % 256);
    }
    else pk_len0 = raw_string(pk_len0 % 256);
    
    pk_len1 = 4 + strlen(name);
    if(strlen(name) > 256) pk_len1 += 4;
    if(pk_len1 > 256)
    {
     pk_len1 = raw_string(0x82, pk_len1 / 256, pk_len1 % 256);
    }
    else pk_len1 = raw_string(pk_len1 % 256);
    
    pk_len2 = 2 + strlen(name);
    if(strlen(name) > 256) pk_len2 += 2;
    
    if(pk_len2 > 256)
    {
     pk_len2 = raw_string(0x82, pk_len2 / 256, pk_len2 % 256);
    }
    else pk_len2 = raw_string(pk_len2 % 256);
    
    
    
    req = raw_string(
    		 0x6A) + pk_lenD + raw_string(0x30)+ pk_lenC + raw_string(0xA1, 0x03,
    		 0x02, 0x01, 0x05, 0xA2, 0x03,
    		 0x02, 0x01, 0x0A, 0xA4) + pk_lenB + raw_string(0x30) + pk_lenA +
    		 raw_string(
     		 0xA0, 0x07, 0x03, 0x05, # kdc-options [0]: BIT STRING, 0 unused bits, 32 zero flag bits
    		 0x00, 0x00, 0x00, 0x00, 0x00, 0xA1)+ pk_lenE + raw_string(
    		 0x30) + pk_len0 + raw_string(0xA0, 0x03,
    		 0x02, 0x01, 0x01,
    		 0xA1) + pk_len1 + raw_string( 0x30) + pk_len2 +
    		 raw_string(0x1B) + len + name + raw_string(
    		 0xA2, 0x0F, 0x1B, 0x0D,
    		 0x46, 0x52, 0x2E, 0x4E, 0x45, 0x53, 0x53, 0x55,
    		 0x53, 0x2E, 0x4F, 0x52, 0x47, 0xA3, 0x22, 0x30,
    		 0x20, 0xA0, 0x03, 0x02, 0x01, 0x00, 0xA1, 0x19,
    		 0x30, 0x17, 0x1B, 0x06, 0x6B, 0x72, 0x62, 0x74,
    		 0x67, 0x74, 0x1B, 0x0D, 0x46, 0x52, 0x2E, 0x4E,
    		 0x45, 0x53, 0x53, 0x55, 0x53, 0x2E, 0x4F, 0x52,
    		 0x47, 0xA4, 0x11, 0x18, 0x0F, 0x32, 0x30, 0x30,
    		 0x33, 0x30, 0x34, 0x30, 0x33, 0x31, 0x32, 0x35,
    		 0x37, 0x33, 0x38, 0x5A, 0xA5, 0x11, 0x18, 0x0F,
    		 0x32, 0x30, 0x30, 0x33, 0x30, 0x34, 0x30, 0x33,
    		 0x32, 0x32, 0x35, 0x37, 0x33, 0x38, 0x5A, 0xA7,
    		 0x06, 0x02, 0x04, 0x3E, 0x8c, 0x2f, 0xC2, 0xA8,
    		 0x08, 0x30, 0x06, 0x02, 0x01, 0x10, 0x02, 0x01,
    		 0x01, 0xA9, 0x20, 0x30, 0x1E, 0x30, 0x0D, 0xA0,
    		 0x03, 0x02, 0x01, 0x02, 0xA1, 0x06, 0x04, 0x04,
    		 0x0A, 0xA3, 0x9c, 0x12, 0x30, 0x0D, 0xA0, 0x03,
    		 0x02, 0x01, 0x02, 0xA1, 0x06, 0x04, 0x04, 0x0A,
    		 0xA3, 0x9F, 0x01);
    
    
    foreach port (make_list(88, 750))
    if (get_udp_port_state(port))
    {
      soc = open_sock_udp(port);
      if (!soc) continue;
      send(socket:soc, data:req);
      r = recv(socket:soc, length:4096);
      close(soc);

      # A KDC answers this AS-REQ for an unknown realm with a KRB-ERROR,
      # [APPLICATION 30] SEQUENCE { pvno [0] INTEGER 5, ... }. Byte 10 holds the
      # pvno only when both enclosing DER lengths use the 0x81 long form (a reply
      # of 128 to 255 bytes); shorter or longer replies are not recognised.
      if(strlen(r) > 10 && ord(r[10]) == 5)
      {
       security_hole(port:port, proto:"udp");
      }
    }
    
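The plugin above hand-assembles the DER of an AS-REQ and then decides "Kerberos is listening" from `ord(r[10]) == 5`, a fixed byte offset that is only the pvno when both outer lengths happen to use the 0x81 long form. The C program below is an added example, not part of the Tenable plugin or of MIT krb5: it encodes DER lengths the way the plugin does by hand (short form below 128, then 0x81, then 0x82), builds abbreviated KRB-ERROR samples of three sizes (constructed here; the mandatory stime, susec, error-code, realm and sname fields are omitted because only the length encoding matters), and contrasts the fixed-offset heuristic with a walk of the actual DER structure. Function names are this example's own.

```c
/* Added example (not Tenable's plugin code): read pvno from a Kerberos reply by
 * walking its DER instead of trusting a fixed byte offset. Builds its own
 * abbreviated KRB-ERROR samples, so it runs offline. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Encode a DER length: short form below 128, else 0x81 (one byte) or 0x82 (two). */
static size_t der_put_len(unsigned char *out, size_t len)
{
    if (len < 0x80) { out[0] = (unsigned char)len; return 1; }
    if (len <= 0xFF) { out[0] = 0x81; out[1] = (unsigned char)len; return 2; }
    out[0] = 0x82; out[1] = (unsigned char)(len >> 8); out[2] = (unsigned char)(len & 0xFF);
    return 3;
}

/* Decode a tag+length header (single-byte tags, which is all a Kerberos reply
 * uses). Returns the header size, or 0 if truncated or not the DER we expect. */
static size_t der_get_header(const unsigned char *p, size_t n,
                             unsigned char *tag, size_t *len)
{
    size_t hdr;
    if (n < 2) return 0;
    *tag = p[0];
    if (p[1] < 0x80)       { *len = p[1]; hdr = 2; }
    else if (p[1] == 0x81) { if (n < 3) return 0; *len = p[2]; hdr = 3; }
    else if (p[1] == 0x82) { if (n < 4) return 0; *len = ((size_t)p[2] << 8) | p[3]; hdr = 4; }
    else return 0;                               /* indefinite or >64 KiB: not expected here */
    return (*len <= n - hdr) ? hdr : 0;          /* reject lengths that overrun the buffer */
}

/* pvno of an AS-REP ([APPLICATION 11], 0x6B) or KRB-ERROR ([APPLICATION 30],
 * 0x7E); -1 if the buffer is neither or is malformed. */
int krb5_reply_pvno(const unsigned char *buf, size_t n)
{
    unsigned char tag; size_t len, hdr;
    hdr = der_get_header(buf, n, &tag, &len);
    if (!hdr || (tag != 0x6B && tag != 0x7E)) return -1;
    buf += hdr; n = len;
    hdr = der_get_header(buf, n, &tag, &len);
    if (!hdr || tag != 0x30) return -1;          /* SEQUENCE */
    buf += hdr; n = len;
    hdr = der_get_header(buf, n, &tag, &len);
    if (!hdr || tag != 0xA0) return -1;          /* pvno [0] */
    buf += hdr; n = len;
    hdr = der_get_header(buf, n, &tag, &len);
    if (!hdr || tag != 0x02 || len != 1) return -1;   /* INTEGER, one byte */
    return buf[hdr];
}

/* The plugin's heuristic: byte 10 is the pvno. True only when both enclosing
 * lengths use the 0x81 form (reply of 128..255 bytes). */
int naive_pvno_check(const unsigned char *buf, size_t n)
{
    return n > 10 && buf[10] == 5;
}

/* Constructed sample: KRB-ERROR with pvno 5, msg-type 30 and an e-text [11]
 * GeneralString of etext_len 'A's. Mandatory stime/susec/error-code/realm/sname
 * are omitted; only the length encoding matters here. Returns bytes written. */
size_t build_krb_error(unsigned char *out, size_t cap, size_t etext_len)
{
    static const unsigned char pvno_mt[] = { 0xA0,0x03,0x02,0x01,0x05,    /* pvno [0] = 5 */
                                             0xA1,0x03,0x02,0x01,0x1E };  /* msg-type [1] = 30 */
    unsigned char str[520], ctx[530], seq[550];
    size_t slen, clen, qlen, tlen;
    if (etext_len > 500) return 0;
    str[0] = 0x1B; slen = 1 + der_put_len(str + 1, etext_len);             /* GeneralString */
    memset(str + slen, 'A', etext_len); slen += etext_len;
    ctx[0] = 0xAB; clen = 1 + der_put_len(ctx + 1, slen);                  /* e-text [11] */
    memcpy(ctx + clen, str, slen); clen += slen;
    seq[0] = 0x30; qlen = 1 + der_put_len(seq + 1, sizeof pvno_mt + clen); /* SEQUENCE */
    memcpy(seq + qlen, pvno_mt, sizeof pvno_mt); qlen += sizeof pvno_mt;
    memcpy(seq + qlen, ctx, clen); qlen += clen;
    if (cap < qlen + 4) return 0;
    out[0] = 0x7E; tlen = 1 + der_put_len(out + 1, qlen);                  /* [APPLICATION 30] */
    memcpy(out + tlen, seq, qlen); tlen += qlen;
    return tlen;
}

/* Build a sample of the given e-text length and run one of the two checks on it. */
int pvno_via_der(size_t etext_len)
{
    unsigned char buf[600];
    size_t n = build_krb_error(buf, sizeof buf, etext_len);
    return n ? krb5_reply_pvno(buf, n) : -2;
}
int pvno_via_offset(size_t etext_len)
{
    unsigned char buf[600];
    size_t n = build_krb_error(buf, sizeof buf, etext_len);
    return n ? naive_pvno_check(buf, n) : -2;
}

int main(void)
{
    size_t sizes[] = { 0, 114, 300 };            /* short, 0x81 and 0x82 length forms */
    size_t i;
    for (i = 0; i < 3; i++)
        printf("e-text %3zu bytes: DER walk pvno=%d, byte[10]==5 -> %d\n",
               sizes[i], pvno_via_der(sizes[i]), pvno_via_offset(sizes[i]));
    return 0;
}
```

Only the 114-byte sample (total reply 134 bytes, both lengths in 0x81 form) satisfies the byte-10 heuristic; the DER walk returns pvno 5 for all three and -1 for a truncated or non-Kerberos buffer. Note also that the plugin's own encoder switches to the long form only when a value exceeds 256, whereas DER's short form ends at 127; that never bites with the eight-character principal it sends, but der_put_len above shows the correct thresholds.
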
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD20041202.NASL
    descriptionThe remote host is missing Security Update 2004-12-02. This security update contains a number of fixes for the following programs : - Apache - Apache2 - AppKit - Cyrus IMAP - HIToolbox - Kerberos - Postfix - PSNormalizer - QuickTime Streaming Server - Safari - Terminal These programs contain multiple vulnerabilities that could allow a remote attacker to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id15898
    published2004-12-02
    reporterThis script is Copyright (C) 2004-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/15898
    titleMac OS X Multiple Vulnerabilities (Security Update 2004-12-02)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    if (NASL_LEVEL < 3004) exit(0);    # a large number of xrefs.
    if ( ! defined_func("bn_random") ) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(15898);
     script_version ("1.24");
     script_cvs_date("Date: 2018/07/14  1:59:35");
    
     script_cve_id("CVE-2004-1082", "CVE-2003-0020", "CVE-2003-0987", "CVE-2004-0174", "CVE-2004-0488", 
                   "CVE-2004-0492", "CVE-2004-0885", "CVE-2004-0940", "CVE-2004-1083", "CVE-2004-1084", 
                   "CVE-2004-0747", "CVE-2004-0786", "CVE-2004-0751", "CVE-2004-0748", "CVE-2004-1081", 
                   "CVE-2004-0803", "CVE-2004-0804", "CVE-2004-0886", "CVE-2004-1089", "CVE-2004-1085", 
                   "CVE-2004-0642", "CVE-2004-0643", "CVE-2004-0644", "CVE-2004-0772", "CVE-2004-1088", 
                   "CVE-2004-1086", "CVE-2004-1123", "CVE-2004-1121", "CVE-2004-1122", "CVE-2004-1087");
     script_bugtraq_id(9921, 9930, 9571, 11471, 11360, 11469, 10508, 11802);
    
     script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2004-12-02)");
     script_summary(english:"Check for Security Update 2004-12-02");
     
     script_set_attribute( attribute:"synopsis",  value:
    "The remote host is missing a Mac OS X update that fixes a security
    issue." );
     script_set_attribute( attribute:"description",   value:
    "The remote host is missing Security Update 2004-12-02. This security
    update contains a number of fixes for the following programs :
    
      - Apache
      - Apache2
      - AppKit
      - Cyrus IMAP
      - HIToolbox
      - Kerberos
      - Postfix
      - PSNormalizer
      - QuickTime Streaming Server
      - Safari
      - Terminal
    
    These programs contain multiple vulnerabilities that could allow a
    remote attacker to execute arbitrary code." );
     # http://web.archive.org/web/20080915104713/http://support.apple.com/kb/HT1646?
     script_set_attribute(
       attribute:"see_also",
       value:"http://www.nessus.org/u?210abeb5"
     );
     script_set_attribute(
       attribute:"solution", 
       value:"Install Security Update 2004-12-02."
     );
     script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
     script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
     script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
     script_set_attribute(attribute:"exploit_available", value:"true");
     script_cwe_id(119);
     script_set_attribute(attribute:"plugin_publication_date", value: "2004/12/02");
     script_set_attribute(attribute:"vuln_publication_date", value: "2003/02/24");
     script_set_attribute(attribute:"patch_publication_date", value: "2004/12/02");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_family(english:"MacOS X Local Security Checks");
    
     script_copyright(english:"This script is Copyright (C) 2004-2018 Tenable Network Security, Inc.");
    
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/MacOSX/packages");
     exit(0);
    }
    
    
    packages = get_kb_item("Host/MacOSX/packages");
    if ( ! packages ) exit(0);
    
    uname = get_kb_item("Host/uname");
    # MacOS X 10.2.8, 10.3.6 only
    if ( egrep(pattern:"Darwin.* (6\.8\.|7\.6\.)", string:uname) )
    {
      if ( ! egrep(pattern:"^SecUpd(Srvr)?2004-12-02", string:packages) ) security_hole(0);
    	else non_vuln = 1;
    }
    else if ( egrep(pattern:"Darwin.* (6\.9|[0-9][0-9]\.|7\.([7-9]|[0-9][0-9]\.|[8-9]\.))", string:uname) ) non_vuln = 1;
    
    if ( non_vuln )
    {
       set_kb_item(name:"CVE-2004-1082", value:TRUE);
       set_kb_item(name:"CVE-2003-0020", value:TRUE);
       set_kb_item(name:"CVE-2003-0987", value:TRUE);
       set_kb_item(name:"CVE-2004-0174", value:TRUE);
       set_kb_item(name:"CVE-2004-0488", value:TRUE);
       set_kb_item(name:"CVE-2004-0492", value:TRUE);
       set_kb_item(name:"CVE-2004-0885", value:TRUE);
       set_kb_item(name:"CVE-2004-0940", value:TRUE);
       set_kb_item(name:"CVE-2004-1083", value:TRUE);
       set_kb_item(name:"CVE-2004-1084", value:TRUE);
       set_kb_item(name:"CVE-2004-0747", value:TRUE);
       set_kb_item(name:"CVE-2004-0786", value:TRUE);
       set_kb_item(name:"CVE-2004-0751", value:TRUE);
       set_kb_item(name:"CVE-2004-0748", value:TRUE);
       set_kb_item(name:"CVE-2004-1081", value:TRUE);
       set_kb_item(name:"CVE-2004-0803", value:TRUE);
       set_kb_item(name:"CVE-2004-0804", value:TRUE);
       set_kb_item(name:"CVE-2004-0886", value:TRUE);
       set_kb_item(name:"CVE-2004-1089", value:TRUE);
       set_kb_item(name:"CVE-2004-1085", value:TRUE);
       set_kb_item(name:"CVE-2004-0642", value:TRUE);
       set_kb_item(name:"CVE-2004-0643", value:TRUE);
       set_kb_item(name:"CVE-2004-0644", value:TRUE);
       set_kb_item(name:"CVE-2004-0772", value:TRUE);
       set_kb_item(name:"CVE-2004-1088", value:TRUE);
       set_kb_item(name:"CVE-2004-1086", value:TRUE);
       set_kb_item(name:"CVE-2004-1123", value:TRUE);
       set_kb_item(name:"CVE-2004-1121", value:TRUE);
       set_kb_item(name:"CVE-2004-1122", value:TRUE);
       set_kb_item(name:"CVE-2004-1087", value:TRUE);
    }
    
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_86A98B57FB8E11D89343000A95BC6FAE.NASL
    descriptionAn advisory published by the MIT Kerberos team says : The MIT Kerberos 5 implementation
    last seen2020-06-01
    modified2020-06-02
    plugin id37617
    published2009-04-23
    reporterThis script is Copyright (C) 2009-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/37617
    titleFreeBSD : krb5 -- double-free vulnerabilities (86a98b57-fb8e-11d8-9343-000a95bc6fae)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200409-09.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200409-09 (MIT krb5: Multiple vulnerabilities) The implementation of the Key Distribution Center (KDC) and the MIT krb5 library contain double-free vulnerabilities, making client programs as well as application servers vulnerable. The ASN.1 decoder library is vulnerable to a denial of service attack, including the KDC. Impact : The double-free vulnerabilities could allow an attacker to execute arbitrary code on a KDC host and hosts running krb524d or vulnerable services. In the case of a KDC host, this can lead to a compromise of the entire Kerberos realm. Furthermore, an attacker impersonating a legitimate KDC or application server can potentially execute arbitrary code on authenticating clients. An attacker can cause a denial of service for a KDC or application server and clients, the latter if impersonating a legitimate KDC or application server. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id14666
    published2004-09-06
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/14666
    titleGLSA-200409-09 : MIT krb5: Multiple vulnerabilities
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2004-350.NASL
    descriptionUpdated krb5 packages that improve client responsiveness and fix several security issues are now available for Red Hat Enterprise Linux 3. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. Several double-free bugs were found in the Kerberos 5 KDC and libraries. A remote attacker could potentially exploit these flaws to execute arbitrary code. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the names CVE-2004-0642 and CVE-2004-0643 to these issues. A double-free bug was also found in the krb524 server (CVE-2004-0772), however this issue does not affect Red Hat Enterprise Linux 3 Kerberos packages. An infinite loop bug was found in the Kerberos 5 ASN.1 decoder library. A remote attacker may be able to trigger this flaw and cause a denial of service. The Common Vulnerabilities and Exposures project (cve.mitre.org) has assigned the name CVE-2004-0644 to this issue. When attempting to contact a KDC, the Kerberos libraries will iterate through the list of configured servers, attempting to contact each in turn. If one of the servers becomes unresponsive, the client will time out and contact the next configured server. When the library attempts to contact the next KDC, the entire process is repeated. For applications which must contact a KDC several times, the accumulated time spent waiting can become significant. This update modifies the libraries, notes which server for a given realm last responded to a request, and attempts to contact that server first before contacting any of the other configured servers. All users of krb5 should upgrade to these updated packages, which contain backported security patches to resolve these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id14595
    published2004-09-01
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/14595
    titleRHEL 3 : krb5 (RHSA-2004:350)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2003-052.NASL
    descriptionUpdated kerberos packages fix a number of vulnerabilities found in MIT Kerberos. Kerberos is a network authentication system. The MIT Kerberos team released an advisory describing a number of vulnerabilities that affect the kerberos packages shipped by Red Hat. An integer signedness error in the ASN.1 decoder before version 1.2.5 allows remote attackers to cause a denial of service via a large unsigned data element length, which is later used as a negative value. The Common Vulnerabilities and Exposures project has assigned the name CVE-2002-0036 to this issue. The Key Distribution Center (KDC) before version 1.2.5 allows remote, authenticated, attackers to cause a denial of service (crash) on KDCs within the same realm via a certain protocol request that : - causes a NULL pointer dereference (CVE-2003-0058). - causes the KDC to corrupt its heap (CVE-2003-0082). A vulnerability in Kerberos before version 1.2.3 allows users from one realm to impersonate users in other realms that have the same inter-realm keys (CVE-2003-0059). The MIT advisory for these issues also mentions format string vulnerabilities in the logging routines (CVE-2003-0060). Previous versions of the kerberos packages from Red Hat already contain fixes for this issue. Vulnerabilities have been found in the implementation of support for triple-DES keys in the implementation of the Kerberos IV authentication protocol included in MIT Kerberos (CVE-2003-0139). Vulnerabilities have been found in the Kerberos IV authentication protocol which allow an attacker with knowledge of a cross-realm key that is shared with another realm to impersonate any principal in that realm to any service in that realm. This vulnerability can only be closed by disabling cross-realm authentication in Kerberos IV (CVE-2003-0138). Vulnerabilities have been found in the RPC library used by the kadmin service in Kerberos 5. A faulty length check in the RPC library exposes kadmind to an integer overflow which can be used to crash kadmind (CVE-2003-0028). All users of Kerberos are advised to upgrade to these errata packages, which disable cross-realm authentication by default for Kerberos IV and which contain backported patches to correct these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id12364
    published2004-07-06
    reporterThis script is Copyright (C) 2004-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/12364
    titleRHEL 2.1 : krb5 (RHSA-2003:052)

Oval

accepted2004-11-17T10:00:00.000-04:00
classvulnerability
contributors
nameBrian Soby
organizationThe MITRE Corporation
descriptionDouble free vulnerabilities in error handling code in krb524d for MIT Kerberos 5 (krb5) 1.2.8 and earlier may allow remote attackers to execute arbitrary code.
familyunix
idoval:org.mitre.oval:def:4661
statusaccepted
submitted2004-10-12T03:18:00.000-04:00
titleMIT Kerberos 5 Multiple Double-Free Vulnerabilities
version35
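
The OVAL description places the bug in error handling code, which is the classic shape of CWE-415: one cleanup path frees a buffer, a second cleanup path frees the same pointer. The C program below is an added, generic illustration of that pattern and of the fix; it is not krb524d's code and does not reproduce the actual defect in krb5 1.2.8, and its struct and function names (request, decode_request_vuln, decode_request_fixed, handle_request) are invented. free() is routed through a small tracker so the double free is counted instead of corrupting the heap, and the hardened variant shows the usual remedy: a single idempotent destroy routine that nulls every pointer it frees.

```c
/* Added illustration (not krb524d code) of CWE-415, the bug class behind this
 * CVE: a decoder's error path frees buffers that the caller's error path frees
 * again. free() goes through a tracker so the double free is counted, not
 * executed against the real heap. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_TRACKED 16
static void *freed_ptrs[MAX_TRACKED];
static int   freed_count;
static int   double_frees;   /* free() calls on a pointer already freed during this request */

static void tracker_reset(void) { freed_count = 0; double_frees = 0; }

static void tracked_free(void *p)
{
    int i;
    if (p == NULL) return;                                   /* free(NULL) is a no-op, as in libc */
    for (i = 0; i < freed_count; i++)
        if (freed_ptrs[i] == p) { double_frees++; return; }  /* second free: record it, do not free */
    if (freed_count < MAX_TRACKED) freed_ptrs[freed_count++] = p;
    free(p);
}

struct request { char *principal; unsigned char *ticket; };

/* Idempotent cleanup: frees and nulls, so calling it twice is harmless. */
static void request_destroy(struct request *r)
{
    tracked_free(r->principal);
    tracked_free(r->ticket);
    r->principal = NULL;
    r->ticket = NULL;
}

/* Vulnerable shape: on error the decoder frees its members but leaves the
 * pointers dangling in *r; the caller's error handling then frees them again. */
static int decode_request_vuln(struct request *r, const unsigned char *in, size_t n)
{
    r->principal = malloc(16);
    r->ticket    = malloc(64);
    if (!r->principal || !r->ticket || n < 4) goto fail;    /* allocation failure or short input */
    memcpy(r->principal, in, 4); r->principal[4] = '\0';
    memcpy(r->ticket, in + 4, n - 4 > 64 ? 64 : n - 4);
    return 0;
fail:
    tracked_free(r->principal);                              /* first free ...                    */
    tracked_free(r->ticket);
    return -1;                                               /* ... r->principal/r->ticket still set */
}

/* Fixed shape: the error path hands cleanup to the one routine that also nulls
 * the pointers, so the caller's later destroy finds nothing left to free. */
static int decode_request_fixed(struct request *r, const unsigned char *in, size_t n)
{
    r->principal = malloc(16);
    r->ticket    = malloc(64);
    if (!r->principal || !r->ticket || n < 4) {
        request_destroy(r);
        return -1;
    }
    memcpy(r->principal, in, 4); r->principal[4] = '\0';
    memcpy(r->ticket, in + 4, n - 4 > 64 ? 64 : n - 4);
    return 0;
}

/* Run one request through decoder + caller cleanup; return the number of
 * double frees observed (0 for correct code). */
int handle_request(int fixed, const unsigned char *in, size_t n)
{
    struct request r = { NULL, NULL };
    int rc;
    tracker_reset();
    rc = fixed ? decode_request_fixed(&r, in, n) : decode_request_vuln(&r, in, n);
    if (rc != 0) {                                           /* caller's error handling */
        request_destroy(&r);
        return double_frees;
    }
    /* normal processing of r would happen here */
    request_destroy(&r);
    return double_frees;
}

int main(void)
{
    static const unsigned char good[] = "krb5TICKET-BYTES";  /* constructed input, 16 bytes */
    static const unsigned char bad[]  = "kr";                /* too short: takes the error path */
    printf("vulnerable, good input : %d double frees\n", handle_request(0, good, sizeof good - 1));
    printf("vulnerable, bad input  : %d double frees\n", handle_request(0, bad,  sizeof bad  - 1));
    printf("fixed,      bad input  : %d double frees\n", handle_request(1, bad,  sizeof bad  - 1));
    return 0;
}
```

With well-formed input neither variant misbehaves, which is why this class of bug survives functional testing; the vulnerable decoder only double-frees when a request is rejected, exactly the input an unauthenticated remote attacker controls. A fuzzer or an allocator with double-free detection surfaces the same count that the tracker reports here.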