CVE-2010-0629 - Use After Free vulnerability in multiple products
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.
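The summary names only the file (kadmin/server/server_stubs.c) and the trigger (a kadmin request carrying an invalid API version number, sent by an authenticated realm user); the affected kadmind source is not reproduced on this page. The block below is an added C model of that bug class, written for this page and not MIT krb5 code: a per-request handle constructor that frees the handle on the bad-version error path but still leaves it in the caller's hands, so the stub's common cleanup path touches freed memory, next to the hardened form that validates before allocating and never publishes a handle on error. The handle type, the error code, the accepted version range, the stub shape and the instrumented pool allocator (which flags a touch of a freed handle deterministically instead of relying on undefined behaviour) are all assumptions of the model.

```c
/* Added example: hypothetical model of a kadmind-style RPC stub. Not MIT krb5 code. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define API_VERSION_MIN 2      /* assumed accepted range for the model */
#define API_VERSION_MAX 3
#define E_BAD_API_VERSION 1000 /* model-only error code, not a kadm5 constant */
#define POOL_SIZE 64

enum handle_state { HANDLE_LIVE = 1, HANDLE_FREED = 2 };

/* Per-request server handle. 'state' is instrumentation for this model only. */
typedef struct server_handle {
    unsigned api_version;
    enum handle_state state;
    const char *client_name;
} server_handle_t;

/* Model allocator: slots come from a static pool and are never reused, so a
 * dereference after free is recognisable by 'state' (like an ASan quarantine). */
static server_handle_t g_pool[POOL_SIZE];
static int g_pool_next;
static int g_uaf_count; /* touches of a freed handle seen in the current request */

static server_handle_t *handle_alloc(void) {
    if (g_pool_next >= POOL_SIZE) return NULL;
    server_handle_t *h = &g_pool[g_pool_next++];
    memset(h, 0, sizeof *h);
    h->state = HANDLE_LIVE;
    return h;
}

static void handle_free(server_handle_t *h) {
    if (h == NULL) return;
    if (h->state == HANDLE_FREED) g_uaf_count++; /* double free */
    h->state = HANDLE_FREED;
}

/* All field reads go through this accessor so the model can flag a read after free. */
static unsigned handle_api_version(const server_handle_t *h) {
    if (h->state != HANDLE_LIVE) g_uaf_count++;
    return h->api_version;
}

/* Vulnerable variant: the handle is published to the caller before the
 * client-supplied version is checked, then freed on the error path while
 * *out still points at it. */
static int new_server_handle_vuln(unsigned api_version, const char *client,
                                  server_handle_t **out) {
    server_handle_t *h = handle_alloc();
    if (!h) return ENOMEM;
    h->api_version = api_version;
    h->client_name = client;
    *out = h;
    if (api_version < API_VERSION_MIN || api_version > API_VERSION_MAX) {
        handle_free(h);            /* freed here ... */
        return E_BAD_API_VERSION;  /* ... but the caller still holds *out */
    }
    return 0;
}

/* Hardened variant: validate first, allocate second, and guarantee that a
 * non-zero return leaves *out NULL, so no caller can reach freed memory. */
static int new_server_handle_fixed(unsigned api_version, const char *client,
                                   server_handle_t **out) {
    *out = NULL;
    if (api_version < API_VERSION_MIN || api_version > API_VERSION_MAX)
        return E_BAD_API_VERSION;
    server_handle_t *h = handle_alloc();
    if (!h) return ENOMEM;
    h->api_version = api_version;
    h->client_name = client;
    *out = h;
    return 0;
}

typedef int (*new_handle_fn)(unsigned, const char *, server_handle_t **);

/* Stub in the shape of a get_principal-style RPC handler: one common exit path
 * that audit-logs the request and releases the handle. Returns the RPC status. */
static int get_principal_stub(new_handle_fn mk, unsigned api_version, const char *client) {
    server_handle_t *handle = NULL;
    int ret = mk(api_version, client, &handle);
    if (ret) goto exit_func;
    /* a real stub would look up the principal here */
exit_func:
    if (handle) {
        printf("kadmind: client %s api_version %u ret %d\n",
               client, handle_api_version(handle), ret); /* read after free in the vuln case */
        handle_free(handle);                              /* double free in the vuln case */
    }
    return ret;
}

/* Run one request against the chosen constructor; returns the number of
 * freed-handle touches the model detected for that request. */
static int run_request(new_handle_fn mk, unsigned api_version) {
    g_uaf_count = 0;
    get_principal_stub(mk, api_version, "alice@EXAMPLE.COM");
    return g_uaf_count;
}

int main(void) {
    printf("vulnerable, version 2 : %d freed-handle touch(es)\n", run_request(new_server_handle_vuln, 2));
    printf("vulnerable, version 99: %d freed-handle touch(es)\n", run_request(new_server_handle_vuln, 99));
    printf("fixed, version 99     : %d freed-handle touch(es)\n", run_request(new_server_handle_fixed, 99));
    return 0;
}
```

The point the model isolates is ownership of the handle across an error return: the vulnerable constructor leaves that ambiguous, so a well-formed request (valid version) and a malformed one (version 99) take different paths through the same cleanup code, and only the latter touches freed memory. With a real heap allocator the same pattern is what a build with -fsanitize=address reports as heap-use-after-free followed by a double free, which is the quickest way to confirm a suspected instance in a daemon you control.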
Vulnerable Configurations
Part | Description | Count
---|---|---
Application | | 9
OS | | 1
OS | | 2
OS | | 1
OS | | 3
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_KRB5-100401.NASL description Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629). This has been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 50926 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50926 title SuSE 11 Security Update : krb5 (SAT Patch Number 2235) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0343.NASL description Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. 
If the service belongs to a realm other than the client last seen 2020-06-01 modified 2020-06-02 plugin id 46754 published 2010-06-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46754 title CentOS 5 : krb5 (CESA-2010:0343) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-071.NASL description Multiple vulnerabilities has been found and corrected in mozilla-thunderbird : Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2009-0689). Integer overflow in a base64 decoding function in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2009-2463). Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3072). Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3075). Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a dangling pointer vulnerability. 
(CVE-2009-3077) Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file (CVE-2009-3376). Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user (CVE-2009-3983). Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2010-0163). This update provides the latest version of Thunderbird which are not vulnerable to these issues. Packages for 2008.0 and 2009.0 are provided due to the Extended Maintenance Program for those products. Additionally, some packages which require so, have been rebuilt and are being provided as updates. last seen 2020-06-01 modified 2020-06-02 plugin id 45521 published 2010-04-14 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45521 title Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2010:071) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-924-1.NASL description Sol Jerome discovered that the Kerberos kadmind service did not correctly free memory. An unauthenticated remote attacker could send specially crafted traffic to crash the kadmind process, leading to a denial of service. (CVE-2010-0629) It was discovered that Kerberos did not correctly free memory in the GSSAPI library. 
If a remote attacker were able to manipulate an application using GSSAPI carefully, the service could crash, leading to a denial of service. (Ubuntu 8.10 was not affected.) (CVE-2007-5901, CVE-2007-5971) It was discovered that Kerberos did not correctly free memory in the GSSAPI and kdb libraries. If a remote attacker were able to manipulate an application using these libraries carefully, the service could crash, leading to a denial of service. (Only Ubuntu 8.04 LTS was affected.) (CVE-2007-5902, CVE-2007-5972). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 65123 published 2013-03-09 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65123 title Ubuntu 8.04 LTS / 8.10 / 9.04 : krb5 vulnerabilities (USN-924-1) NASL family Fedora Local Security Checks NASL id FEDORA_2010-6108.NASL description Sol Jerome noticed that the kadmind server daemon could be made to dereference freed memory and crash. This update backports the changeset which contains the fix for this bug (CVE-2010-0629). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 47416 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. 
source https://www.tenable.com/plugins/nessus/47416 title Fedora 11 : krb5-1.6.3-29.fc11 (2010-6108) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0343.NASL description From Red Hat Security Advisory 2010:0343 : Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client last seen 2020-06-01 modified 2020-06-02 plugin id 68029 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68029 title Oracle Linux 5 : krb5 (ELSA-2010-0343) NASL family SuSE Local Security Checks NASL id SUSE_11_1_KRB5-100401.NASL description Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629). 
last seen 2020-06-01 modified 2020-06-02 plugin id 45493 published 2010-04-13 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45493 title openSUSE Security Update : krb5 (openSUSE-SU-2010:0099-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2031.NASL description Sol Jerome discovered that kadmind service in krb5, a system for authenticating users and services on a network, allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number. last seen 2020-06-01 modified 2020-06-02 plugin id 45479 published 2010-04-12 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45479 title Debian DSA-2031-1 : krb5 - use-after-free NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_A30573DC489311DFA5F9001641AEABDF.NASL description An authenticated remote attacker can causing a denial of service by using a newer version of the kadmin protocol than the server supports. The MIT Kerberos team also reports the cause : The Kerberos administration daemon (kadmind) can crash due to referencing freed memory. last seen 2020-06-01 modified 2020-06-02 plugin id 45573 published 2010-04-20 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45573 title FreeBSD : krb5 -- remote denial of service vulnerability (a30573dc-4893-11df-a5f9-001641aeabdf) NASL family Scientific Linux Local Security Checks NASL id SL_20100406_KRB5_ON_SL5_X.NASL description A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. 
Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : - when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client last seen 2020-06-01 modified 2020-06-02 plugin id 60779 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60779 title Scientific Linux Security Update : krb5 on SL5.x i386/x86_64 NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2011-0015.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix for (CVE-2011-4862) - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#712453) - rebuild - ftp: handle larger command inputs (#665833) - don last seen 2020-06-01 modified 2020-06-02 plugin id 79475 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79475 title OracleVM 2.2 : krb5 (OVMSA-2011-0015) NASL family SuSE Local Security Checks NASL id SUSE_11_0_KRB5-100401.NASL description Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629). last seen 2020-06-01 modified 2020-06-02 plugin id 45491 published 2010-04-13 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/45491 title openSUSE Security Update : krb5 (openSUSE-SU-2010:0099-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0343.NASL description Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client last seen 2020-06-01 modified 2020-06-02 plugin id 46296 published 2010-05-11 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/46296 title RHEL 5 : krb5 (RHSA-2010:0343) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201201-13.NASL description The remote host is affected by the vulnerability described in GLSA-201201-13 (MIT Kerberos 5: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to execute arbitrary code with the privileges of the administration daemon or the Key Distribution Center (KDC) daemon, cause a Denial of Service condition, or possibly obtain sensitive information. Furthermore, a remote attacker may be able to spoof Kerberos authorization, modify KDC responses, forge user data messages, forge tokens, forge signatures, impersonate a client, modify user-visible prompt text, or have other unspecified impact. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 57655 published 2012-01-24 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57655 title GLSA-201201-13 : MIT Kerberos 5: Multiple vulnerabilities
Oval
Field | Value
---|---
accepted | 2013-04-29T04:19:43.822-04:00
class | vulnerability
description | Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.
family | unix
id | oval:org.mitre.oval:def:9489
status | accepted
submitted | 2010-07-09T03:56:16-04:00
title | Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.
version | 18
References
- http://securitytracker.com/id?1023821
- http://www.securityfocus.com/bid/39247
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=5998
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:071
- http://www.debian.org/security/2010/dsa-2031
- http://www.redhat.com/support/errata/RHSA-2010-0343.html
- http://ubuntu.com/usn/usn-924-1
- http://secunia.com/advisories/39290
- http://secunia.com/advisories/39367
- http://secunia.com/advisories/39324
- http://secunia.com/advisories/39264
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038556.html
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html
- http://www.vupen.com/english/advisories/2010/0876
- http://secunia.com/advisories/39315
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9489
- http://www.securityfocus.com/archive/1/510566/100/0/threaded