Vulnerabilities > CVE-2011-0284 - Resource Management Errors vulnerability in MIT Kerberos 5

CVSS 7.6 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
COMPLETE
Integrity impact
COMPLETE
Availability impact
COMPLETE
network
high complexity
mit
CWE-399
nessus

Summary

Double free vulnerability in the prepare_error_as function in do_as_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 through 1.9, when the PKINIT feature is enabled, allows remote attackers to cause a denial of service (daemon crash) or possibly execute arbitrary code via an e_data field containing typed data.

Common Weakness Enumeration (CWE)

Nessus

  • NASL familyMandriva Local Security Checks
    NASL idMANDRIVA_MDVSA-2011-048.NASL
    descriptionA vulnerability was discovered and corrected in krb5 : The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult) (CVE-2011-0284). The updated packages have been patched to correct this issue.
    last seen2020-06-01
    modified2020-06-02
    plugin id52730
    published2011-03-21
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/52730
    titleMandriva Linux Security Advisory : krb5 (MDVSA-2011:048)
    code
    #%NASL_MIN_LEVEL 80502
    
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Mandriva Linux Security Advisory MDVSA-2011:048. 
    # The text itself is copyright (C) Mandriva S.A.
    #
    
    include("compat.inc");
    
    # Registration pass: when the scanner runs the plugin with `description`
    # set, only the metadata below is recorded and the script exits before
    # any host checks are reached.
    if (description)
    {
      script_id(52730);
      script_version("1.16");
      script_cvs_date("Date: 2019/08/02 13:32:54");
    
      # The single CVE this plugin detects, cross-referenced to the vendor advisory.
      script_cve_id("CVE-2011-0284");
      script_xref(name:"MDVSA", value:"2011:048");
    
      script_name(english:"Mandriva Linux Security Advisory : krb5 (MDVSA-2011:048)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:
    "The remote Mandriva Linux host is missing one or more security
    updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "A vulnerability was discovered and corrected in krb5 :
    
    The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable
    to a double-free condition if the Public Key Cryptography for Initial
    Authentication (PKINIT) capability is enabled, resulting in daemon
    crash or arbitrary code execution (which is believed to be difficult)
    (CVE-2011-0284).
    
    The updated packages have been patched to correct this issue."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2011-003.txt"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected packages.");
      # CVSS v2 vector: network vector, high access complexity, no
      # authentication, complete confidentiality/integrity/availability impact.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C");
    
      # Local (credentialed) check; one CPE per package name compared below
      # plus the target OS release.
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-pkinit-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-server-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64krb53");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64krb53-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libkrb53");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:libkrb53-devel");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:linux:2010.1");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2011/03/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2011/03/21");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2011-2019 Tenable Network Security, Inc.");
      script_family(english:"Mandriva Local Security Checks");
    
      # The KB keys required below are populated by ssh_get_info.nasl, so it
      # must run first.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
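    # Prerequisite guards. audit() does not return, so each failed lookup
    # ends the plugin with the matching reason instead of falling through.
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    # OS name spelled the same way as in the architecture audit below
    # (the original message read "Mandake").
    if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandrake Linux");
    if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # The reference versions checked later exist only for x86 / x86_64
    # packages, so any other architecture is reported as not implemented.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);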
    
    
    # Compare installed rpms against the fixed versions from MDVSA-2011:048
    # (Mandriva 2010.1); flag counts packages still older than the reference.
    flag = 0;
    
    # Architecture-independent packages, checked on every supported cpu.
    foreach ref (make_list(
      "krb5-1.8.1-5.4mdv2010.2",
      "krb5-pkinit-openssl-1.8.1-5.4mdv2010.2",
      "krb5-server-1.8.1-5.4mdv2010.2",
      "krb5-server-ldap-1.8.1-5.4mdv2010.2",
      "krb5-workstation-1.8.1-5.4mdv2010.2"))
    {
      if (rpm_check(release:"MDK2010.1", reference:ref, yank:"mdv")) flag++;
    }
    
    # Library packages are filtered by cpu: lib64* on x86_64, lib* on i386.
    foreach ref (make_list(
      "lib64krb53-1.8.1-5.4mdv2010.2",
      "lib64krb53-devel-1.8.1-5.4mdv2010.2"))
    {
      if (rpm_check(release:"MDK2010.1", cpu:"x86_64", reference:ref, yank:"mdv")) flag++;
    }
    foreach ref (make_list(
      "libkrb53-1.8.1-5.4mdv2010.2",
      "libkrb53-devel-1.8.1-5.4mdv2010.2"))
    {
      if (rpm_check(release:"MDK2010.1", cpu:"i386", reference:ref, yank:"mdv")) flag++;
    }
    
    
    # Nothing below the fixed version: report the host as unaffected.
    # audit() does not return, so the reporting path below only runs when
    # at least one vulnerable package was found.
    if (!flag) audit(AUDIT_HOST_NOT, "affected");
    
    # Attach the per-package rpm comparison only when verbose output is on.
    if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
    else security_hole(0);
    exit(0);
    
  • NASL familyUbuntu Local Security Checks
    NASL idUBUNTU_USN-1088-1.NASL
    descriptionCameron Meadors discovered that the MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled. This could allow a remote attacker to cause a denial of service. Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id52682
    published2011-03-16
    reporterUbuntu Security Notice (C) 2011-2019 Canonical, Inc. / NASL script (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/52682
    titleUbuntu 9.10 / 10.04 LTS / 10.10 : krb5 vulnerability (USN-1088-1)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_3_KRB5-110316.NASL
    descriptionA double-free issue in kdc when PKINIT is enabled allowed remote attackers to crash the daemon or potentially execute arbitrary code (CVE-2011-0284).
    last seen2020-06-01
    modified2020-06-02
    plugin id75561
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/75561
    titleopenSUSE Security Update : krb5 (krb5-4163)
  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2011-0356.NASL
    descriptionFrom Red Hat Security Advisory 2011:0356 : Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). The Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) capability provides support for using public-key authentication with Kerberos. A double-free flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ), when the KDC was configured to provide the PKINIT capability. A remote attacker could use this flaw to cause the KDC daemon to abort by using a specially crafted AS-REQ request. (CVE-2011-0284) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id68230
    published2013-07-12
    reporterThis script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/68230
    titleOracle Linux 6 : krb5 (ELSA-2011-0356)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_4_KRB5-110316.NASL
    descriptionA double-free issue in kdc when PKINIT is enabled allowed remote attackers to crash the daemon or potentially execute arbitrary code (CVE-2011-0284).
    last seen2020-06-01
    modified2020-06-02
    plugin id75883
    published2014-06-13
    reporterThis script is Copyright (C) 2014-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/75883
    titleopenSUSE Security Update : krb5 (krb5-4163)
  • NASL familyFreeBSD Local Security Checks
    NASL idFREEBSD_PKG_7EDAC52A66CD11E093985D45F3AA24F0.NASL
    descriptionAn advisory published by the MIT Kerberos team says : The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult). An unauthenticated remote attacker can induce a double-free event, causing the KDC daemon to crash (denial of service), or to execute arbitrary code. Exploiting a double-free event to execute arbitrary code is believed to be difficult.
    last seen2020-06-01
    modified2020-06-02
    plugin id53443
    published2011-04-15
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/53443
    titleFreeBSD : krb5 -- MITKRB5-SA-2011-003, KDC vulnerable to double-free when PKINIT enabled (7edac52a-66cd-11e0-9398-5d45f3aa24f0)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2011-0356.NASL
    descriptionUpdated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). The Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) capability provides support for using public-key authentication with Kerberos. A double-free flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ), when the KDC was configured to provide the PKINIT capability. A remote attacker could use this flaw to cause the KDC daemon to abort by using a specially crafted AS-REQ request. (CVE-2011-0284) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically.
    last seen2020-06-01
    modified2020-06-02
    plugin id52700
    published2011-03-17
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/52700
    titleRHEL 6 : krb5 (RHSA-2011:0356)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-3464.NASL
    descriptionThis update incorporates upstream fixes for a double-free in the KDC which could occur if the KDC needed to send back typed-data along with an error (MITKRB5-SA-2011-003, CVE-2011-0284). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id52965
    published2011-03-25
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/52965
    titleFedora 13 : krb5-1.7.1-18.fc13 (2011-3464)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_11_2_KRB5-110316.NASL
    descriptionA double-free issue in kdc when PKINIT is enabled allowed remote attackers to crash the daemon or potentially execute arbitrary code (CVE-2011-0284).
    last seen2020-06-01
    modified2020-06-02
    plugin id53744
    published2011-05-05
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/53744
    titleopenSUSE Security Update : krb5 (krb5-4163)
  • NASL familySolaris Local Security Checks
    NASL idSOLARIS11_KERBEROS_20130924_2.NASL
    descriptionThe remote Solaris system is missing necessary patches to address security updates : - The merge_authdata function in kdc_authdata.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x before 1.8.4 does not properly manage an index into an authorization-data list, which allows remote attackers to cause a denial of service (daemon crash), or possibly obtain sensitive information, spoof authorization, or execute arbitrary code, via a TGS request that triggers an uninitialized pointer dereference, as demonstrated by a request from a Windows Active Directory client. (CVE-2010-1322) - MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x, 1.7.x, and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to modify user-visible prompt text, modify a response to a Key Distribution Center (KDC), or forge a KRB-SAFE message via certain checksums that (1) are unkeyed or (2) use RC4 keys. (CVE-2010-1323) - MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3 does not properly determine the acceptability of checksums, which might allow remote attackers to forge GSS tokens, gain privileges, or have unspecified other impact via (1) an unkeyed checksum, (2) an unkeyed PAC checksum, or (3) a KrbFastArmoredReq checksum based on an RC4 key. (CVE-2010-1324) - MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not reject RC4 key-derivation checksums, which might allow remote authenticated users to forge a (1) AD-SIGNEDPATH or (2) AD-KDC-ISSUED signature, and possibly gain privileges, by leveraging the small key space that results from certain one-byte stream-cipher operations. (CVE-2010-4020) - The Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7 does not properly restrict the use of TGT credentials for armoring TGS requests, which might allow remote authenticated users to impersonate a client by rewriting an inner request, aka a
    last seen2020-06-01
    modified2020-06-02
    plugin id80653
    published2015-01-19
    reporterThis script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/80653
    titleOracle Solaris Third-Party Patch Update : kerberos (cve_2010_1322_improper_input)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-3462.NASL
    descriptionThis update incorporates upstream fixes for a double-free in the KDC which could occur if the KDC needed to send back typed-data along with an error (MITKRB5-SA-2011-003, CVE-2011-0284). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id52964
    published2011-03-25
    reporterThis script is Copyright (C) 2011-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/52964
    titleFedora 14 : krb5-1.8.2-9.fc14 (2011-3462)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2011-3547.NASL
    descriptionThis update incorporates upstream fixes for a double-free in the KDC which could occur if the KDC needed to send back typed-data along with an error (MITKRB5-SA-2011-003, CVE-2011-0284). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id52746
    published2011-03-22
    reporterThis script is Copyright (C) 2011-2019 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/52746
    titleFedora 15 : krb5-1.9-6.fc15 (2011-3547)
  • NASL familyGentoo Local Security Checks
    NASL idGENTOO_GLSA-201201-13.NASL
    descriptionThe remote host is affected by the vulnerability described in GLSA-201201-13 (MIT Kerberos 5: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please review the CVE identifiers referenced below for details. Impact : A remote attacker may be able to execute arbitrary code with the privileges of the administration daemon or the Key Distribution Center (KDC) daemon, cause a Denial of Service condition, or possibly obtain sensitive information. Furthermore, a remote attacker may be able to spoof Kerberos authorization, modify KDC responses, forge user data messages, forge tokens, forge signatures, impersonate a client, modify user-visible prompt text, or have other unspecified impact. Workaround : There is no known workaround at this time.
    last seen2020-06-01
    modified2020-06-02
    plugin id57655
    published2012-01-24
    reporterThis script is Copyright (C) 2012-2018 Tenable Network Security, Inc.
    sourcehttps://www.tenable.com/plugins/nessus/57655
    titleGLSA-201201-13 : MIT Kerberos 5: Multiple vulnerabilities

Redhat

advisories
bugzilla
id674325
titleCVE-2011-0284 krb5 (krb5kdc): Double-free flaw by handling error messages upon receiving certain AS_REQ's (MITKRB5-SA-2011-003)
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 6 is installed
      ovaloval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • commentkrb5-pkinit-openssl is earlier than 0:1.8.2-3.el6_0.6
          ovaloval:com.redhat.rhsa:tst:20110356001
        • commentkrb5-pkinit-openssl is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhsa:tst:20100863002
      • AND
        • commentkrb5-server is earlier than 0:1.8.2-3.el6_0.6
          ovaloval:com.redhat.rhsa:tst:20110356003
        • commentkrb5-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599006
      • AND
        • commentkrb5-workstation is earlier than 0:1.8.2-3.el6_0.6
          ovaloval:com.redhat.rhsa:tst:20110356005
        • commentkrb5-workstation is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599008
      • AND
        • commentkrb5-server-ldap is earlier than 0:1.8.2-3.el6_0.6
          ovaloval:com.redhat.rhsa:tst:20110356007
        • commentkrb5-server-ldap is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599004
      • AND
        • commentkrb5-devel is earlier than 0:1.8.2-3.el6_0.6
          ovaloval:com.redhat.rhsa:tst:20110356009
        • commentkrb5-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599002
      • AND
        • commentkrb5-libs is earlier than 0:1.8.2-3.el6_0.6
          ovaloval:com.redhat.rhsa:tst:20110356011
        • commentkrb5-libs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599014
rhsa
idRHSA-2011:0356
released2011-03-16
severityImportant
titleRHSA-2011:0356: krb5 security update (Important)
rpms
  • krb5-debuginfo-0:1.8.2-3.el6_0.6
  • krb5-devel-0:1.8.2-3.el6_0.6
  • krb5-libs-0:1.8.2-3.el6_0.6
  • krb5-pkinit-openssl-0:1.8.2-3.el6_0.6
  • krb5-server-0:1.8.2-3.el6_0.6
  • krb5-server-ldap-0:1.8.2-3.el6_0.6
  • krb5-workstation-0:1.8.2-3.el6_0.6