CVE-2010-0629 - Use After Free vulnerability in multiple products

CVSS 6.5 - MEDIUM
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH

Summary

Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_KRB5-100401.NASL
    description: Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629). This has been fixed.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 50926
    published: 2010-12-02
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/50926
    title: SuSE 11 Security Update : krb5 (SAT Patch Number 2235)
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2010-0343.NASL
    description: Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 46754
    published: 2010-06-01
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/46754
    title: CentOS 5 : krb5 (CESA-2010:0343)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2010-071.NASL
    description: Multiple vulnerabilities have been found and corrected in mozilla-thunderbird : Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2009-0689). Integer overflow in a base64 decoding function in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2009-2463). Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3072). Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3075). Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a dangling pointer vulnerability. (CVE-2009-3077) Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file (CVE-2009-3376). Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user (CVE-2009-3983). Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2010-0163). This update provides the latest version of Thunderbird, which is not vulnerable to these issues. Packages for 2008.0 and 2009.0 are provided due to the Extended Maintenance Program for those products. Additionally, some packages which require it have been rebuilt and are being provided as updates.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 45521
    published: 2010-04-14
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/45521
    title: Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2010:071)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-924-1.NASL
    description: Sol Jerome discovered that the Kerberos kadmind service did not correctly free memory. An unauthenticated remote attacker could send specially crafted traffic to crash the kadmind process, leading to a denial of service. (CVE-2010-0629) It was discovered that Kerberos did not correctly free memory in the GSSAPI library. If a remote attacker were able to manipulate an application using GSSAPI carefully, the service could crash, leading to a denial of service. (Ubuntu 8.10 was not affected.) (CVE-2007-5901, CVE-2007-5971) It was discovered that Kerberos did not correctly free memory in the GSSAPI and kdb libraries. If a remote attacker were able to manipulate an application using these libraries carefully, the service could crash, leading to a denial of service. (Only Ubuntu 8.04 LTS was affected.) (CVE-2007-5902, CVE-2007-5972). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 65123
    published: 2013-03-09
    reporter: Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65123
    title: Ubuntu 8.04 LTS / 8.10 / 9.04 : krb5 vulnerabilities (USN-924-1)
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2010-6108.NASL
    description: Sol Jerome noticed that the kadmind server daemon could be made to dereference freed memory and crash. This update backports the changeset which contains the fix for this bug (CVE-2010-0629). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 47416
    published: 2010-07-01
    reporter: This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/47416
    title: Fedora 11 : krb5-1.6.3-29.fc11 (2010-6108)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2010-0343.NASL
    description: From Red Hat Security Advisory 2010:0343 : Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68029
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68029
    title: Oracle Linux 5 : krb5 (ELSA-2010-0343)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_1_KRB5-100401.NASL
    description: Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 45493
    published: 2010-04-13
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/45493
    title: openSUSE Security Update : krb5 (openSUSE-SU-2010:0099-1)
  • NASL family: Debian Local Security Checks
    NASL id: DEBIAN_DSA-2031.NASL
    description: Sol Jerome discovered that the kadmind service in krb5, a system for authenticating users and services on a network, allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 45479
    published: 2010-04-12
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/45479
    title: Debian DSA-2031-1 : krb5 - use-after-free
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_A30573DC489311DFA5F9001641AEABDF.NASL
    description: An authenticated remote attacker can cause a denial of service by using a newer version of the kadmin protocol than the server supports. The MIT Kerberos team also reports the cause : The Kerberos administration daemon (kadmind) can crash due to referencing freed memory.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 45573
    published: 2010-04-20
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/45573
    title: FreeBSD : krb5 -- remote denial of service vulnerability (a30573dc-4893-11df-a5f9-001641aeabdf)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20100406_KRB5_ON_SL5_X.NASL
    description: A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : - when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 60779
    published: 2012-08-01
    reporter: This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/60779
    title: Scientific Linux Security Update : krb5 on SL5.x i386/x86_64
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2011-0015.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - Fix for (CVE-2011-4862) - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#712453) - rebuild - ftp: handle larger command inputs (#665833) - don
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79475
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79475
    title: OracleVM 2.2 : krb5 (OVMSA-2011-0015)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_0_KRB5-100401.NASL
    description: Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629).
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 45491
    published: 2010-04-13
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/45491
    title: openSUSE Security Update : krb5 (openSUSE-SU-2010:0099-1)
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2010-0343.NASL
    description: Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 46296
    published: 2010-05-11
    reporter: This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/46296
    title: RHEL 5 : krb5 (RHSA-2010:0343)
  • NASL family: Gentoo Local Security Checks
    NASL id: GENTOO_GLSA-201201-13.NASL
    description: The remote host is affected by the vulnerability described in GLSA-201201-13 (MIT Kerberos 5: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to execute arbitrary code with the privileges of the administration daemon or the Key Distribution Center (KDC) daemon, cause a Denial of Service condition, or possibly obtain sensitive information. Furthermore, a remote attacker may be able to spoof Kerberos authorization, modify KDC responses, forge user data messages, forge tokens, forge signatures, impersonate a client, modify user-visible prompt text, or have other unspecified impact. Workaround : There is no known workaround at this time.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 57655
    published: 2012-01-24
    reporter: This script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/57655
    title: GLSA-201201-13 : MIT Kerberos 5: Multiple vulnerabilities

Oval

accepted: 2013-04-29T04:19:43.822-04:00
class: vulnerability
contributors
  • name: Aharon Chernin
    organization: SCAP.com, LLC
  • name: Dragos Prisaca
    organization: G2, Inc.
definition_extensions
  • comment: The operating system installed on the system is Red Hat Enterprise Linux 5
    oval: oval:org.mitre.oval:def:11414
  • comment: The operating system installed on the system is CentOS Linux 5.x
    oval: oval:org.mitre.oval:def:15802
  • comment: Oracle Linux 5.x
    oval: oval:org.mitre.oval:def:15459
description: Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.
family: unix
id: oval:org.mitre.oval:def:9489
status: accepted
submitted: 2010-07-09T03:56:16-04:00
title: Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.
version: 18

Redhat

advisories
bugzilla
id: 578540
title: [RFE] Backport referral-chasing code within krb5-1.7 to RHEL5
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 5 is installed
      oval: oval:com.redhat.rhba:tst:20070331005
    • OR
      • AND
        • comment: krb5-libs is earlier than 0:1.6.1-36.el5_5.2
          oval: oval:com.redhat.rhsa:tst:20100343001
        • comment: krb5-libs is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070095013
      • AND
        • comment: krb5-devel is earlier than 0:1.6.1-36.el5_5.2
          oval: oval:com.redhat.rhsa:tst:20100343003
        • comment: krb5-devel is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070095015
      • AND
        • comment: krb5-server is earlier than 0:1.6.1-36.el5_5.2
          oval: oval:com.redhat.rhsa:tst:20100343005
        • comment: krb5-server is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070095017
      • AND
        • comment: krb5-workstation is earlier than 0:1.6.1-36.el5_5.2
          oval: oval:com.redhat.rhsa:tst:20100343007
        • comment: krb5-workstation is signed with Red Hat redhatrelease key
          oval: oval:com.redhat.rhsa:tst:20070095011
rhsa
id: RHSA-2010:0343
released: 2010-04-06
severity: Important
title: RHSA-2010:0343: krb5 security and bug fix update (Important)
rpms
  • krb5-debuginfo-0:1.6.1-36.el5_5.2
  • krb5-devel-0:1.6.1-36.el5_5.2
  • krb5-libs-0:1.6.1-36.el5_5.2
  • krb5-server-0:1.6.1-36.el5_5.2
  • krb5-workstation-0:1.6.1-36.el5_5.2

References