Vulnerabilities > CVE-2005-1689 - Double Free vulnerability in multiple products

047910
CVSS 9.8 - CRITICAL
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
HIGH
network
low complexity
mit
apple
debian
CWE-415
critical
nessus

Summary

Double free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.

Vulnerable Configurations

Part Description Count
Application
Mit
36
OS
Apple
81
OS
Debian
2

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_33384.NASL
    descriptions700_800 11.11 KRB5-Client Version 1.0 cumulative patch : A potential security vulnerability has been identified with HP-UX running Kerberos. The vulnerability may be exploited by a remote unauthenticated user to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id22461
    published2006-09-27
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22461
    titleHP-UX PHSS_33384 : HP-UX Kerberos Client Remote Unauthenticated Execution of Arbitrary Code (HPSBUX02152 SSRT5973 rev.1)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and patch checks in this plugin were 
    # extracted from HP patch PHSS_33384. The text itself is
    # copyright (C) Hewlett-Packard Development Company, L.P.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(22461);
      script_version("1.15");
      script_cvs_date("Date: 2018/08/10 18:07:07");
    
      script_cve_id("CVE-2005-1689");
      script_xref(name:"HP", value:"emr_na-c00768776");
      script_xref(name:"HP", value:"HPSBUX02152");
      script_xref(name:"HP", value:"SSRT5973");
    
      script_name(english:"HP-UX PHSS_33384 : HP-UX Kerberos Client Remote Unauthenticated Execution of Arbitrary Code (HPSBUX02152 SSRT5973 rev.1)");
      script_summary(english:"Checks for the patch in the swlist output");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote HP-UX host is missing a security-related patch."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "s700_800 11.11 KRB5-Client Version 1.0 cumulative patch : 
    
    A potential security vulnerability has been identified with HP-UX
    running Kerberos. The vulnerability may be exploited by a remote
    unauthenticated user to execute arbitrary code."
      );
      # http://h20000.www2.hp.com/bizsupport/TechSupport/Document.jsp?objectID=c00768776
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?e1eaa8b1"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Install patch PHSS_33384 or subsequent."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:hp:hp-ux");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2006/09/20");
      script_set_attribute(attribute:"plugin_publication_date", value:"2006/09/27");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/07/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2006-2018 Tenable Network Security, Inc.");
      script_family(english:"HP-UX Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/HP-UX/version", "Host/HP-UX/swlist");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("hpux.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/HP-UX/version")) audit(AUDIT_OS_NOT, "HP-UX");
    if (!get_kb_item("Host/HP-UX/swlist")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    if (!hpux_check_ctx(ctx:"11.11"))
    {
      exit(0, "The host is not affected since PHSS_33384 applies to a different OS release.");
    }
    
    patches = make_list("PHSS_33384", "PHSS_34990", "PHSS_36286", "PHSS_39774", "PHSS_41166");
    foreach patch (patches)
    {
      if (hpux_installed(app:patch))
      {
        exit(0, "The host is not affected because patch "+patch+" is installed.");
      }
    }
    
    
    flag = 0;
    if (hpux_check_patch(app:"KRB5-Client.KRB5-64SLIB", version:"B.11.11")) flag++;
    if (hpux_check_patch(app:"KRB5-Client.KRB5-ENG-A-MAN", version:"B.11.11")) flag++;
    if (hpux_check_patch(app:"KRB5-Client.KRB5-PRG", version:"B.11.11")) flag++;
    if (hpux_check_patch(app:"KRB5-Client.KRB5-RUN", version:"B.11.11")) flag++;
    if (hpux_check_patch(app:"KRB5-Client.KRB5-SHLIB", version:"B.11.11")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:hpux_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-773.NASL
    descriptionThis advisory adds security support for the stable amd64 distribution. It covers all security updates since the release of sarge, which were missing updated packages for the not yet official amd64 port. Future security advisories will include updates for this port as well.
    last seen2020-06-01
    modified2020-06-02
    plugin id57528
    published2012-01-12
    reporterThis script is Copyright (C) 2012-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57528
    titleDebian DSA-773-1 : amd64 - several vulnerabilities
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Debian Security Advisory DSA-773. The text 
    # itself is copyright (C) Software in the Public Interest, Inc.
    #
    
    if (NASL_LEVEL < 3000) exit(0);
    
    include("compat.inc");
    
    if (description)
    {
      script_id(57528);
      script_version("1.6");
      script_cvs_date("Date: 2019/08/02 13:32:18");
    
      script_cve_id("CVE-2005-0392", "CVE-2005-0393", "CVE-2005-0469", "CVE-2005-0753", "CVE-2005-1151", "CVE-2005-1152", "CVE-2005-1174", "CVE-2005-1175", "CVE-2005-1266", "CVE-2005-1269", "CVE-2005-1545", "CVE-2005-1546", "CVE-2005-1686", "CVE-2005-1689", "CVE-2005-1796", "CVE-2005-1848", "CVE-2005-1849", "CVE-2005-1850", "CVE-2005-1851", "CVE-2005-1852", "CVE-2005-1853", "CVE-2005-1858", "CVE-2005-1914", "CVE-2005-1916", "CVE-2005-1922", "CVE-2005-1923", "CVE-2005-1934", "CVE-2005-1992", "CVE-2005-1993", "CVE-2005-2024", "CVE-2005-2040", "CVE-2005-2056", "CVE-2005-2070", "CVE-2005-2096", "CVE-2005-2231", "CVE-2005-2250", "CVE-2005-2277", "CVE-2005-2301", "CVE-2005-2302", "CVE-2005-2370");
      script_xref(name:"DSA", value:"773");
    
      script_name(english:"Debian DSA-773-1 : amd64 - several vulnerabilities");
      script_summary(english:"Checks dpkg output for the updated package");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Debian host is missing a security-related update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This advisory adds security support for the stable amd64 distribution.
    It covers all security updates since the release of sarge, which were
    missing updated packages for the not yet official amd64 port. Future
    security advisories will include updates for this port as well."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.debian.org/security/2005/dsa-773"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"Upgrade the affected several package."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(119);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:debian:debian_linux:several");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:debian:debian_linux:3.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2005/08/11");
      script_set_attribute(attribute:"plugin_publication_date", value:"2012/01/12");
      script_set_attribute(attribute:"vuln_publication_date", value:"2005/03/28");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2012-2019 Tenable Network Security, Inc.");
      script_family(english:"Debian Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Debian/release", "Host/Debian/dpkg-l");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("debian_package.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/Debian/release")) audit(AUDIT_OS_NOT, "Debian");
    if (!get_kb_item("Host/Debian/dpkg-l")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    flag = 0;
    if (deb_check(release:"3.1", prefix:"affix", reference:"2.1.1-2")) flag++;
    if (deb_check(release:"3.1", prefix:"centericq", reference:"4.20.0-1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"centericq-common", reference:"4.20.0-1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"centericq-fribidi", reference:"4.20.0-1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"centericq-utf8", reference:"4.20.0-1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"clamav", reference:"0.84-2.sarge.1")) flag++;
    if (deb_check(release:"3.1", prefix:"clamav-daemon", reference:"0.84-2.sarge.1")) flag++;
    if (deb_check(release:"3.1", prefix:"clamav-freshclam", reference:"0.84-2.sarge.1")) flag++;
    if (deb_check(release:"3.1", prefix:"clamav-milter", reference:"0.84-2.sarge.1")) flag++;
    if (deb_check(release:"3.1", prefix:"crip", reference:"3.5-1sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"cvs", reference:"1.11.1p1debian-11")) flag++;
    if (deb_check(release:"3.1", prefix:"dhcpcd", reference:"1.3.22pl4-21sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"ekg", reference:"1.5+20050411-5")) flag++;
    if (deb_check(release:"3.1", prefix:"ettercap", reference:"0.7.1-1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"ettercap-common", reference:"0.7.1-1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"ettercap-gtk", reference:"0.7.1-1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"fuse-utils", reference:"2.2.1-4sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"gaim", reference:"1.2.1-1.4")) flag++;
    if (deb_check(release:"3.1", prefix:"gaim-dev", reference:"1.2.1-1.4")) flag++;
    if (deb_check(release:"3.1", prefix:"gedit", reference:"2.8.3-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"gopher", reference:"3.0.7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"heartbeat", reference:"1.2.3-9sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"heartbeat-dev", reference:"1.2.3-9sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"heimdal-clients", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"heimdal-clients-x", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"heimdal-dev", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"heimdal-kdc", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"heimdal-servers", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"heimdal-servers-x", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"ht", reference:"0.8.0-2sarge4")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-admin-server", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-clients", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-ftpd", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-kdc", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-rsh-server", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-telnetd", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"krb5-user", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libaffix-dev", reference:"2.1.1-2")) flag++;
    if (deb_check(release:"3.1", prefix:"libaffix2", reference:"2.1.1-2")) flag++;
    if (deb_check(release:"3.1", prefix:"libasn1-6-heimdal", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libclamav-dev", reference:"0.84-2.sarge.1")) flag++;
    if (deb_check(release:"3.1", prefix:"libclamav1", reference:"0.84-2.sarge.1")) flag++;
    if (deb_check(release:"3.1", prefix:"libdbm-ruby1.8", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libfuse-dev", reference:"2.2.1-4sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libfuse2", reference:"2.2.1-4sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libgadu-dev", reference:"1.5+20050411-5")) flag++;
    if (deb_check(release:"3.1", prefix:"libgadu3", reference:"1.5+20050411-5")) flag++;
    if (deb_check(release:"3.1", prefix:"libgdbm-ruby1.8", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libgssapi1-heimdal", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libhdb7-heimdal", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libkadm55", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libkadm5clnt4-heimdal", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libkadm5srv7-heimdal", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libkafs0-heimdal", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libkrb5-17-heimdal", reference:"0.6.3-10sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libkrb5-dev", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libkrb53", reference:"1.3.6-2sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libopenssl-ruby1.8", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libpils-dev", reference:"1.2.3-9sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libpils0", reference:"1.2.3-9sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libreadline-ruby1.8", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libruby1.8", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libruby1.8-dbg", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"libstonith-dev", reference:"1.2.3-9sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libstonith0", reference:"1.2.3-9sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"libtcltk-ruby1.8", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns-backend-geo", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns-backend-ldap", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns-backend-mysql", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns-backend-pgsql", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns-backend-pipe", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns-backend-sqlite", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns-recursor", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"pdns-server", reference:"2.9.17-13sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"ppxp", reference:"0.2001080415-10sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"ppxp-dev", reference:"0.2001080415-10sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"ppxp-tcltk", reference:"0.2001080415-10sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"ppxp-x11", reference:"0.2001080415-10sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"qpopper", reference:"4.0.5-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"qpopper-drac", reference:"4.0.5-4sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"razor", reference:"2.670-1sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"ruby1.8", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"ruby1.8-dev", reference:"1.8.2-7sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"spamc", reference:"3.0.3-2")) flag++;
    if (deb_check(release:"3.1", prefix:"stonith", reference:"1.2.3-9sarge2")) flag++;
    if (deb_check(release:"3.1", prefix:"sudo", reference:"1.6.8p7-1.1sarge1")) flag++;
    if (deb_check(release:"3.1", prefix:"zlib-bin", reference:"1.2.2-4.sarge.2")) flag++;
    if (deb_check(release:"3.1", prefix:"zlib1g", reference:"1.2.2-4.sarge.2")) flag++;
    if (deb_check(release:"3.1", prefix:"zlib1g-dev", reference:"1.2.2-4.sarge.2")) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:deb_report_get());
      else security_hole(0);
      exit(0);
    }
    else audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familyMacOS X Local Security Checks
    NASL idMACOSX_SECUPD2005-007.NASL
    descriptionThe remote host is running a version of Mac OS X 10.4 or 10.3 that does not have Security Update 2005-007 applied. This security update contains fixes for the following products : - Apache 2 - AppKit - Bluetooth - CoreFoundation - CUPS - Directory Services - HItoolbox - Kerberos - loginwindow - Mail - MySQL - OpenSSL - QuartzComposerScreenSaver - ping - Safari - SecurityInterface - servermgrd - servermgr_ipfilter - SquirelMail - traceroute - WebKit - WebLog Server - X11 - zlib
    last seen2020-06-01
    modified2020-06-02
    plugin id19463
    published2005-08-18
    reporterThis script is Copyright (C) 2005-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19463
    titleMac OS X Multiple Vulnerabilities (Security Update 2005-007)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    
    if ( ! defined_func("bn_random") ) exit(0);
    if (NASL_LEVEL < 3004) exit(0);
    
    include("compat.inc");
    
    if(description)
    {
     script_id(19463);
     script_version ("1.15");
     script_cvs_date("Date: 2018/07/14  1:59:35");
    
     script_cve_id("CVE-2005-1344", "CVE-2004-0942", "CVE-2004-0885", "CVE-2004-1083", "CVE-2004-1084",
                   "CVE-2005-2501", "CVE-2005-2502", "CVE-2005-2503", "CVE-2005-2504", "CVE-2005-2505",
                   "CVE-2005-2506", "CVE-2005-2525", "CVE-2005-2526", "CVE-2005-2507", "CVE-2005-2508",
                   "CVE-2005-2519", "CVE-2005-2513", "CVE-2004-1189", "CVE-2005-1174", "CVE-2005-1175",
                   "CVE-2005-1689", "CVE-2005-2511", "CVE-2005-2509", "CVE-2005-2512", "CVE-2005-2745",
                   "CVE-2005-0709", "CVE-2005-0710", "CVE-2005-0711", "CVE-2004-0079", "CVE-2004-0112",
                   "CVE-2005-2514", "CVE-2005-2515", "CVE-2005-2516", "CVE-2005-2517", "CVE-2005-2524",
                   "CVE-2005-2520", "CVE-2005-2518", "CVE-2005-2510", "CVE-2005-1769", "CVE-2005-2095",
                   "CVE-2005-2521", "CVE-2005-2522", "CVE-2005-2523", "CVE-2005-0605", "CVE-2005-2096",
                   "CVE-2005-1849");
     script_bugtraq_id(14567, 14569);
    
     script_name(english:"Mac OS X Multiple Vulnerabilities (Security Update 2005-007)");
     script_summary(english:"Check for Security Update 2005-007");
     
     script_set_attribute(attribute:"synopsis", value:
    "The remote host is missing a Mac OS X update that fixes various
    security issues." );
     script_set_attribute(attribute:"description",  value:
    "The remote host is running a version of Mac OS X 10.4 or 10.3 that
    does not have Security Update 2005-007 applied.
    
    This security update contains fixes for the following products :
    
      - Apache 2
      - AppKit
      - Bluetooth
      - CoreFoundation
      - CUPS
      - Directory Services
      - HItoolbox
      - Kerberos
      - loginwindow
      - Mail
      - MySQL
      - OpenSSL
      - QuartzComposerScreenSaver
      - ping
      - Safari
      - SecurityInterface
      - servermgrd
      - servermgr_ipfilter
      - SquirelMail
      - traceroute
      - WebKit
      - WebLog Server
      - X11
      - zlib" );
      # http://web.archive.org/web/20060406190355/http://docs.info.apple.com/article.html?artnum=302163
      script_set_attribute(
        attribute:"see_also", 
        value:"http://www.nessus.org/u?74ffa359"
      );
     script_set_attribute(attribute:"solution", value:
    "!Install Security Update 2005-007." );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"true");
      script_cwe_id(119);
     script_set_attribute(attribute:"plugin_publication_date", value: "2005/08/18");
     script_set_attribute(attribute:"vuln_publication_date", value: "2005/08/12");
     script_set_attribute(attribute:"patch_publication_date", value: "2005/08/12");
     script_set_attribute(attribute:"plugin_type", value:"local");
     script_set_attribute(attribute:"cpe", value:"cpe:/o:apple:mac_os_x");
     script_end_attributes();
    
     script_category(ACT_GATHER_INFO);
     script_copyright(english:"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.");
     script_family(english:"MacOS X Local Security Checks");
     script_dependencies("ssh_get_info.nasl");
     script_require_keys("Host/MacOSX/packages");
     exit(0);
    }
    
    #
    
    packages = get_kb_item("Host/MacOSX/packages");
    if ( ! packages ) exit(0);
    
    
    uname = get_kb_item("Host/uname");
    # MacOS X 10.4.2
    if ( egrep(pattern:"Darwin.* (7\.[0-9]\.|8\.2\.)", string:uname) )
    {
      if (!egrep(pattern:"^SecUpd(Srvr)?2005-007", string:packages)) security_hole(0);
    }
    
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS9_112908.NASL
    descriptionSunOS 5.9: krb5, gss patch. Date this patch was last updated by Sun : Sep/14/10
    last seen2020-06-01
    modified2020-06-02
    plugin id13520
    published2004-07-12
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13520
    titleSolaris 9 (sparc) : 112908-38
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text in this plugin was
    # extracted from the Oracle SunOS Patch Updates.
    #
    include("compat.inc");
    
    if (description)
    {
      script_id(13520);
      script_version("1.56");
      script_cvs_date("Date: 2019/10/25 13:36:26");
    
      script_cve_id("CVE-2004-0523", "CVE-2004-0653", "CVE-2005-1689", "CVE-2006-6144", "CVE-2008-5690", "CVE-2009-0360", "CVE-2009-0361", "CVE-2009-1933", "CVE-2012-1683");
    
      script_name(english:"Solaris 9 (sparc) : 112908-38");
      script_summary(english:"Check for patch 112908-38");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote host is missing Sun Security Patch number 112908-38"
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "SunOS 5.9: krb5, gss patch.
    Date this patch was last updated by Sun : Sep/14/10"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://getupdates.oracle.com/readme/112908-38"
      );
      script_set_attribute(
        attribute:"solution", 
        value:"You should install this patch for your system to be up-to-date."
      );
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C");
      script_cwe_id(119, 255, 264, 287);
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:sun:solaris");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2010/09/14");
      script_set_attribute(attribute:"plugin_publication_date", value:"2004/07/12");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2004-2019 Tenable Network Security, Inc.");
      script_family(english:"Solaris Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/Solaris/showrev");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("solaris.inc");
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWcstlx", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWhea", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWgssx", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWcstl", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWcar", version:"11.9.0,REV=2002.04.09.12.25") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWkrbr", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWcarx", version:"11.9.0,REV=2002.04.09.12.25") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWkrbux", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWkrbu", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWgss", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWgsskx", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWgssk", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    if (solaris_check_patch(release:"5.9", arch:"sparc", patch:"112908-38", obsoleted_by:"", package:"SUNWcsr", version:"11.9.0,REV=2002.04.06.15.27") < 0) flag++;
    
    if (flag)
    {
      if (report_verbosity > 0) security_hole(port:0, extra:solaris_get_report());
      else security_hole(0);
      exit(0);
    }
    audit(AUDIT_HOST_NOT, "affected");
    
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS8_X86_112238.NASL
    descriptionSunOS 5.8_x86: mech_krb5.so.1 and pam_krb5. Date this patch was last updated by Sun : Mar/24/09
    last seen2020-06-01
    modified2020-06-02
    plugin id13488
    published2004-07-12
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13488
    titleSolaris 8 (x86) : 112238-15
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_X86_120470.NASL
    descriptionSunOS 5.10_x86: kerberos patch. Date this patch was last updated by Sun : Aug/26/05
    last seen2018-09-01
    modified2018-08-13
    plugin id19372
    published2005-08-02
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=19372
    titleSolaris 10 (x86) : 120470-02
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS8_112390.NASL
    descriptionSunOS 5.8: Supplemental Encryption Kerbero. Date this patch was last updated by Sun : Mar/24/09
    last seen2020-06-01
    modified2020-06-02
    plugin id13388
    published2004-07-12
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13388
    titleSolaris 8 (sparc) : 112390-14
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS9_X86_115168.NASL
    descriptionSunOS 5.9_x86: krb5, gss patch. Date this patch was last updated by Sun : Sep/14/10
    last seen2020-06-01
    modified2020-06-02
    plugin id13620
    published2004-07-12
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13620
    titleSolaris 9 (x86) : 115168-24
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-562.NASL
    descriptionUpdated krb5 packages which fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. [Updated 26 Sep 2005] krb5-server packages have been added to this advisory for Red Hat Enterprise Linux 3 WS and Red Hat Enterprise Linux 3 Desktop. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Although no exploit is currently known to exist, this issue could potentially be exploited to allow arbitrary code execution on a Key Distribution Center (KDC). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21840
    published2006-07-03
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21840
    titleCentOS 3 : krb5 (CESA-2005:562)
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-224-1.NASL
    descriptionGael Delalleau discovered a buffer overflow in the env_opt_add() function of the Kerberos 4 and 5 telnet clients. By sending specially crafted replies, a malicious telnet server could exploit this to execute arbitrary code with the privileges of the user running the telnet client. (CVE-2005-0468) Gael Delalleau discovered a buffer overflow in the handling of the LINEMODE suboptions in the telnet clients of Kerberos 4 and 5. By sending a specially constructed reply containing a large number of SLC (Set Local Character) commands, a remote attacker (i. e. a malicious telnet server) could execute arbitrary commands with the privileges of the user running the telnet client. (CVE-2005-0469) Daniel Wachdorf discovered two remote vulnerabilities in the Key Distribution Center of Kerberos 5 (krb5-kdc). By sending certain TCP connection requests, a remote attacker could trigger a double-freeing of memory, which led to memory corruption and a crash of the KDC server. (CVE-2005-1174). Under rare circumstances the same type of TCP connection requests could also trigger a buffer overflow that could be exploited to run arbitrary code with the privileges of the KDC server. (CVE-2005-1175) Magnus Hagander discovered that the krb5_recvauth() function attempted to free previously freed memory in some situations. A remote attacker could possibly exploit this to run arbitrary code with the privileges of the program that called this function. Most imporantly, this affects the following daemons: kpropd (from the krb5-kdc package), klogind, and kshd (both from the krb5-rsh-server package). (CVE-2005-1689) Please note that these packages are not officially supported by Ubuntu (they are in the
    last seen2020-06-01
    modified2020-06-02
    plugin id20767
    published2006-01-21
    reporterUbuntu Security Notice (C) 2005-2019 Canonical, Inc. / NASL script (C) 2006-2016 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/20767
    titleUbuntu 4.10 / 5.04 : krb4, krb5 vulnerabilities (USN-224-1)
  • NASL familyMandriva Local Security Checks
    NASL idMANDRAKE_MDKSA-2005-119.NASL
    descriptionA number of vulnerabilities have been corrected in this Kerberos update : The rcp protocol would allow a server to instruct a client to write to arbitrary files outside of the current directory. The Kerberos-aware rcp could be abused to copy files from a malicious server (CVE-2004-0175). Gael Delalleau discovered an information disclosure vulnerability in the way some telnet clients handled messages from a server. This could be abused by a malicious telnet server to collect information from the environment of any victim connecting to the server using the Kerberos- aware telnet client (CVE-2005-0488). Daniel Wachdorf disovered that in error conditions that could occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory, which could cause the KDC to crash resulting in a Denial of Service (CVE-2005-1174). Daniel Wachdorf also discovered a single-byte heap overflow in the krb5_unparse_name() function that could, if successfully exploited, lead to a crash, resulting in a DoS. To trigger this flaw, an attacker would need to have control of a Kerberos realm that shares a cross- realm key with the target (CVE-2005-1175). Finally, a double-free flaw was discovered in the krb5_recvauth() routine which could be triggered by a remote unauthenticated attacker. This issue could potentially be exploited to allow for the execution of arbitrary code on a KDC. No exploit is currently known to exist (CVE-2005-1689). The updated packages have been patched to address this issue and Mandriva urges all users to upgrade to these packages as quickly as possible.
    last seen2020-06-01
    modified2020-06-02
    plugin id19201
    published2005-07-14
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19201
    titleMandrake Linux Security Advisory : krb5 (MDKSA-2005:119)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2005-567.NASL
    descriptionUpdated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id21946
    published2006-07-05
    reporterThis script is Copyright (C) 2006-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/21946
    titleCentOS 4 : krb5 (CESA-2005:567)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS10_120469.NASL
    descriptionSunOS 5.10: kerberos patch. Date this patch was last updated by Sun : Apr/10/07
    last seen2018-09-02
    modified2018-08-13
    plugin id19369
    published2005-08-02
    reporterTenable
    sourcehttps://www.tenable.com/plugins/index.php?view=single&id=19369
    titleSolaris 10 (sparc) : 120469-07
  • NASL familyHP-UX Local Security Checks
    NASL idHPUX_PHSS_33389.NASL
    descriptions700_800 11.23 KRB5-Client Version 1.0 Cumulative patch : A potential security vulnerability has been identified with HP-UX running Kerberos. The vulnerability may be exploited by a remote unauthenticated user to execute arbitrary code.
    last seen2020-06-01
    modified2020-06-02
    plugin id22462
    published2006-09-27
    reporterThis script is Copyright (C) 2006-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/22462
    titleHP-UX PHSS_33389 : HP-UX Kerberos Client Remote Unauthenticated Execution of Arbitrary Code (HPSBUX02152 SSRT5973 rev.1)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-553.NASL
    descriptionA double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Fedora Core 4 contains checks within glibc that detect double-free flaws. Therefore, on Fedora Core 4, successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Successful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw remotely, an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gaael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18685
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18685
    titleFedora Core 4 : krb5-1.4.1-5 (2005-553)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-562.NASL
    descriptionUpdated krb5 packages which fix multiple security issues are now available for Red Hat Enterprise Linux 2.1 and 3. This update has been rated as having critical security impact by the Red Hat Security Response Team. [Updated 26 Sep 2005] krb5-server packages have been added to this advisory for Red Hat Enterprise Linux 3 WS and Red Hat Enterprise Linux 3 Desktop. Kerberos is a networked authentication system which uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Although no exploit is currently known to exist, this issue could potentially be exploited to allow arbitrary code execution on a Key Distribution Center (KDC). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18687
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18687
    titleRHEL 2.1 / 3 : krb5 (RHSA-2005:562)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS8_112237.NASL
    descriptionSunOS 5.8: mech_krb5.so.1 and pam_krb5.so.. Date this patch was last updated by Sun : Mar/24/09
    last seen2020-06-01
    modified2020-06-02
    plugin id13387
    published2004-07-12
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13387
    titleSolaris 8 (sparc) : 112237-16
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2005-552.NASL
    descriptionA double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Fedora Core 3 contains checks within glibc that detect double-free flaws. Therefore, on Fedora Core 3, successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Successful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw remotely, an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gaael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18684
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18684
    titleFedora Core 3 : krb5-1.3.6-7 (2005-552)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2005-567.NASL
    descriptionUpdated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 4. This update has been rated as having important security impact by the Red Hat Security Response Team. Kerberos is a networked authentication system that uses a trusted third party (a KDC) to authenticate clients and servers to each other. A double-free flaw was found in the krb5_recvauth() routine which may be triggered by a remote unauthenticated attacker. Red Hat Enterprise Linux 4 contains checks within glibc that detect double-free flaws. Therefore, on Red Hat Enterprise Linux 4 successful exploitation of this issue can only lead to a denial of service (KDC crash). The Common Vulnerabilities and Exposures project assigned the name CVE-2005-1689 to this issue. Daniel Wachdorf discovered a single byte heap overflow in the krb5_unparse_name() function, part of krb5-libs. Sucessful exploitation of this flaw would lead to a denial of service (crash). To trigger this flaw an attacker would need to have control of a kerberos realm that shares a cross-realm key with the target, making exploitation of this flaw unlikely. (CVE-2005-1175). Daniel Wachdorf also discovered that in error conditions that may occur in response to correctly-formatted client requests, the Kerberos 5 KDC may attempt to free uninitialized memory. This could allow a remote attacker to cause a denial of service (KDC crash) (CVE-2005-1174). Gael Delalleau discovered an information disclosure issue in the way some telnet clients handle messages from a server. An attacker could construct a malicious telnet server that collects information from the environment of any victim who connects to it using the Kerberos-aware telnet client (CVE-2005-0488). The rcp protocol allows a server to instruct a client to write to arbitrary files outside of the current directory. This could potentially cause a security issue if a user uses the Kerberos-aware rcp to copy files from a malicious server (CVE-2004-0175). All users of krb5 should update to these erratum packages, which contain backported patches to correct these issues. Red Hat would like to thank the MIT Kerberos Development Team for their responsible disclosure of these issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id18688
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/18688
    titleRHEL 4 : krb5 (RHSA-2005:567)
  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-757.NASL
    descriptionDaniel Wachdorf reported two problems in the MIT krb5 distribution used for network authentication. First, the KDC program from the krb5-kdc package can corrupt the heap by trying to free memory which has already been freed on receipt of a certain TCP connection. This vulnerability can cause the KDC to crash, leading to a denial of service. [ CAN-2005-1174] Second, under certain rare circumstances this type of request can lead to a buffer overflow and remote code execution. [ CAN-2005-1175] Additionally, Magnus Hagander reported another problem in which the krb5_recvauth function can in certain circumstances free previously freed memory, potentially leading to the execution of remote code. [ CAN-2005-1689] All of these vulnerabilities are believed difficult to exploit, and no exploits have yet been discovered.
    last seen2020-06-01
    modified2020-06-02
    plugin id19219
    published2005-07-18
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/19219
    titleDebian DSA-757-1 : krb5 - buffer overflow, double-free memory
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS8_X86_112240.NASL
    descriptionSunOS 5.8_x86: Supplemental Encryption Ker. Date this patch was last updated by Sun : Mar/24/09
    last seen2020-06-01
    modified2020-06-02
    plugin id13489
    published2004-07-12
    reporterThis script is Copyright (C) 2004-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/13489
    titleSolaris 8 (x86) : 112240-13
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-200507-11.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-200507-11 (MIT Kerberos 5: Multiple vulnerabilities) Daniel Wachdorf discovered that MIT Kerberos 5 could corrupt the heap by freeing unallocated memory when receiving a special TCP request (CAN-2005-1174). He also discovered that the same request could lead to a single-byte heap overflow (CAN-2005-1175). Magnus Hagander discovered that krb5_recvauth() function of MIT Kerberos 5 might try to double-free memory (CAN-2005-1689). Impact : Although exploitation is considered difficult, a remote attacker could exploit the single-byte heap overflow and the double-free vulnerability to execute arbitrary code, which could lead to the compromise of the whole Kerberos realm. A remote attacker could also use the heap corruption to cause a Denial of Service. Workaround : There are no known workarounds at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id18686
    published2005-07-13
    reporterThis script is Copyright (C) 2005-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/18686
    titleGLSA-200507-11 : MIT Kerberos 5: Multiple vulnerabilities

Oval

accepted2013-04-29T04:22:31.186-04:00
classvulnerability
contributors
  • nameAharon Chernin
    organizationSCAP.com, LLC
  • nameDragos Prisaca
    organizationG2, Inc.
definition_extensions
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 3
    ovaloval:org.mitre.oval:def:11782
  • commentCentOS Linux 3.x
    ovaloval:org.mitre.oval:def:16651
  • commentThe operating system installed on the system is Red Hat Enterprise Linux 4
    ovaloval:org.mitre.oval:def:11831
  • commentCentOS Linux 4.x
    ovaloval:org.mitre.oval:def:16636
  • commentOracle Linux 4.x
    ovaloval:org.mitre.oval:def:15990
descriptionDouble free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.
familyunix
idoval:org.mitre.oval:def:9819
statusaccepted
submitted2010-07-09T03:56:16-04:00
titleDouble free vulnerability in the krb5_recvauth function in MIT Kerberos 5 (krb5) 1.4.1 and earlier allows remote attackers to execute arbitrary code via certain error conditions.
version26

Redhat

advisories
  • rhsa
    idRHSA-2005:562
  • rhsa
    idRHSA-2005:567
rpms
  • krb5-debuginfo-0:1.2.7-47
  • krb5-devel-0:1.2.7-47
  • krb5-libs-0:1.2.7-47
  • krb5-server-0:1.2.7-47
  • krb5-workstation-0:1.2.7-47
  • krb5-debuginfo-0:1.3.4-17
  • krb5-devel-0:1.3.4-17
  • krb5-libs-0:1.3.4-17
  • krb5-server-0:1.3.4-17
  • krb5-workstation-0:1.3.4-17

References