Vulnerabilities > CVE-2010-0629 - Use After Free vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
NONE Availability impact
HIGH Summary
Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 9 | |
OS | 1 | |
OS | 2 | |
OS | 1 | |
OS | 3 |
Common Weakness Enumeration (CWE)
Nessus
NASL family SuSE Local Security Checks NASL id SUSE_11_KRB5-100401.NASL description Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629). This has been fixed. last seen 2020-06-01 modified 2020-06-02 plugin id 50926 published 2010-12-02 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/50926 title SuSE 11 Security Update : krb5 (SAT Patch Number 2235) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2010-0343.NASL description Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client last seen 2020-06-01 modified 2020-06-02 plugin id 46754 published 2010-06-01 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46754 title CentOS 5 : krb5 (CESA-2010:0343) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2010-071.NASL description Multiple vulnerabilities has been found and corrected in mozilla-thunderbird : Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2009-0689). Integer overflow in a base64 decoding function in Mozilla Firefox before 3.0.12 and Thunderbird allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unspecified vectors (CVE-2009-2463). Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3072). Multiple unspecified vulnerabilities in the JavaScript engine in Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.2, allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors (CVE-2009-3075). Mozilla Firefox before 3.0.14, and 3.5.x before 3.5.3, does not properly manage pointers for the columns (aka TreeColumns) of a XUL tree element, which allows remote attackers to execute arbitrary code via a crafted HTML document, related to a dangling pointer vulnerability. (CVE-2009-3077) Mozilla Firefox before 3.0.15 and 3.5.x before 3.5.4, and SeaMonkey before 2.0, does not properly handle a right-to-left override (aka RLO or U+202E) Unicode character in a download filename, which allows remote attackers to spoof file extensions via a crafted filename, as demonstrated by displaying a non-executable extension for an executable file (CVE-2009-3376). Mozilla Firefox before 3.0.16 and 3.5.x before 3.5.6, and SeaMonkey before 2.0.1, allows remote attackers to send authenticated requests to arbitrary applications by replaying the NTLM credentials of a browser user (CVE-2009-3983). Mozilla Thunderbird before 2.0.0.24 and SeaMonkey before 1.1.19 process e-mail attachments with a parser that performs casts and line termination incorrectly, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted message, related to message indexing (CVE-2010-0163). This update provides the latest version of Thunderbird which are not vulnerable to these issues. Packages for 2008.0 and 2009.0 are provided due to the Extended Maintenance Program for those products. Additionally, some packages which require so, have been rebuilt and are being provided as updates. last seen 2020-06-01 modified 2020-06-02 plugin id 45521 published 2010-04-14 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45521 title Mandriva Linux Security Advisory : mozilla-thunderbird (MDVSA-2010:071) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-924-1.NASL description Sol Jerome discovered that the Kerberos kadmind service did not correctly free memory. An unauthenticated remote attacker could send specially crafted traffic to crash the kadmind process, leading to a denial of service. (CVE-2010-0629) It was discovered that Kerberos did not correctly free memory in the GSSAPI library. If a remote attacker were able to manipulate an application using GSSAPI carefully, the service could crash, leading to a denial of service. (Ubuntu 8.10 was not affected.) (CVE-2007-5901, CVE-2007-5971) It was discovered that Kerberos did not correctly free memory in the GSSAPI and kdb libraries. If a remote attacker were able to manipulate an application using these libraries carefully, the service could crash, leading to a denial of service. (Only Ubuntu 8.04 LTS was affected.) (CVE-2007-5902, CVE-2007-5972). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 65123 published 2013-03-09 reporter Ubuntu Security Notice (C) 2010-2019 Canonical, Inc. / NASL script (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65123 title Ubuntu 8.04 LTS / 8.10 / 9.04 : krb5 vulnerabilities (USN-924-1) NASL family Fedora Local Security Checks NASL id FEDORA_2010-6108.NASL description Sol Jerome noticed that the kadmind server daemon could be made to dereference freed memory and crash. This update backports the changeset which contains the fix for this bug (CVE-2010-0629). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 47416 published 2010-07-01 reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/47416 title Fedora 11 : krb5-1.6.3-29.fc11 (2010-6108) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2010-0343.NASL description From Red Hat Security Advisory 2010:0343 : Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client last seen 2020-06-01 modified 2020-06-02 plugin id 68029 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68029 title Oracle Linux 5 : krb5 (ELSA-2010-0343) NASL family SuSE Local Security Checks NASL id SUSE_11_1_KRB5-100401.NASL description Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629). last seen 2020-06-01 modified 2020-06-02 plugin id 45493 published 2010-04-13 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45493 title openSUSE Security Update : krb5 (openSUSE-SU-2010:0099-1) NASL family Debian Local Security Checks NASL id DEBIAN_DSA-2031.NASL description Sol Jerome discovered that kadmind service in krb5, a system for authenticating users and services on a network, allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number. last seen 2020-06-01 modified 2020-06-02 plugin id 45479 published 2010-04-12 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45479 title Debian DSA-2031-1 : krb5 - use-after-free NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_A30573DC489311DFA5F9001641AEABDF.NASL description An authenticated remote attacker can causing a denial of service by using a newer version of the kadmin protocol than the server supports. The MIT Kerberos team also reports the cause : The Kerberos administration daemon (kadmind) can crash due to referencing freed memory. last seen 2020-06-01 modified 2020-06-02 plugin id 45573 published 2010-04-20 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45573 title FreeBSD : krb5 -- remote denial of service vulnerability (a30573dc-4893-11df-a5f9-001641aeabdf) NASL family Scientific Linux Local Security Checks NASL id SL_20100406_KRB5_ON_SL5_X.NASL description A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : - when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client last seen 2020-06-01 modified 2020-06-02 plugin id 60779 published 2012-08-01 reporter This script is Copyright (C) 2012-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/60779 title Scientific Linux Security Update : krb5 on SL5.x i386/x86_64 NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2011-0015.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - Fix for (CVE-2011-4862) - incorporate a fix to teach the file labeling bits about when replay caches are expunged (#712453) - rebuild - ftp: handle larger command inputs (#665833) - don last seen 2020-06-01 modified 2020-06-02 plugin id 79475 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79475 title OracleVM 2.2 : krb5 (OVMSA-2011-0015) NASL family SuSE Local Security Checks NASL id SUSE_11_0_KRB5-100401.NASL description Authenticated users could crash the kadmind process by referencing freed memory (CVE-2010-0629). last seen 2020-06-01 modified 2020-06-02 plugin id 45491 published 2010-04-13 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/45491 title openSUSE Security Update : krb5 (openSUSE-SU-2010:0099-1) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2010-0343.NASL description Updated krb5 packages that fix one security issue and one bug are now available for Red Hat Enterprise Linux 5. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third party, the Key Distribution Center (KDC). A use-after-free flaw was discovered in the MIT Kerberos administration daemon, kadmind. A remote, authenticated attacker could use this flaw to crash the kadmind daemon. Administrative privileges are not required to trigger this flaw, as any realm user can request information about their own principal from kadmind. (CVE-2010-0629) This update also fixes the following bug : * when a Kerberos client seeks tickets for use with a service, it must contact the Key Distribution Center (KDC) to obtain them. The client must also determine which realm the service belongs to and it typically does this with a combination of client configuration detail, DNS information and guesswork. If the service belongs to a realm other than the client last seen 2020-06-01 modified 2020-06-02 plugin id 46296 published 2010-05-11 reporter This script is Copyright (C) 2010-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/46296 title RHEL 5 : krb5 (RHSA-2010:0343) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201201-13.NASL description The remote host is affected by the vulnerability described in GLSA-201201-13 (MIT Kerberos 5: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to execute arbitrary code with the privileges of the administration daemon or the Key Distribution Center (KDC) daemon, cause a Denial of Service condition, or possibly obtain sensitive information. Furthermore, a remote attacker may be able to spoof Kerberos authorization, modify KDC responses, forge user data messages, forge tokens, forge signatures, impersonate a client, modify user-visible prompt text, or have other unspecified impact. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 57655 published 2012-01-24 reporter This script is Copyright (C) 2012-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/57655 title GLSA-201201-13 : MIT Kerberos 5: Multiple vulnerabilities
Oval
accepted | 2013-04-29T04:19:43.822-04:00 | ||||||||||||
class | vulnerability | ||||||||||||
contributors |
| ||||||||||||
definition_extensions |
| ||||||||||||
description | Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number. | ||||||||||||
family | unix | ||||||||||||
id | oval:org.mitre.oval:def:9489 | ||||||||||||
status | accepted | ||||||||||||
submitted | 2010-07-09T03:56:16-04:00 | ||||||||||||
title | Use-after-free vulnerability in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3 allows remote authenticated users to cause a denial of service (daemon crash) via a request from a kadmin client that sends an invalid API version number. | ||||||||||||
version | 18 |
Redhat
advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
rpms |
|
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=567052
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=5998
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=5998
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038556.html
- http://lists.fedoraproject.org/pipermail/package-announce/2010-April/038556.html
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00002.html
- http://secunia.com/advisories/39264
- http://secunia.com/advisories/39264
- http://secunia.com/advisories/39290
- http://secunia.com/advisories/39290
- http://secunia.com/advisories/39315
- http://secunia.com/advisories/39315
- http://secunia.com/advisories/39324
- http://secunia.com/advisories/39324
- http://secunia.com/advisories/39367
- http://secunia.com/advisories/39367
- http://securitytracker.com/id?1023821
- http://securitytracker.com/id?1023821
- http://ubuntu.com/usn/usn-924-1
- http://ubuntu.com/usn/usn-924-1
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt
- http://www.debian.org/security/2010/dsa-2031
- http://www.debian.org/security/2010/dsa-2031
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:071
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:071
- http://www.redhat.com/support/errata/RHSA-2010-0343.html
- http://www.redhat.com/support/errata/RHSA-2010-0343.html
- http://www.securityfocus.com/archive/1/510566/100/0/threaded
- http://www.securityfocus.com/archive/1/510566/100/0/threaded
- http://www.securityfocus.com/bid/39247
- http://www.securityfocus.com/bid/39247
- http://www.vupen.com/english/advisories/2010/0876
- http://www.vupen.com/english/advisories/2010/0876
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9489
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A9489