Vulnerabilities > CVE-2013-1415 - Null Pointer Dereference vulnerability in multiple products

CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
mit
opensuse
CWE-476
nessus

Summary

The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request.

Common Weakness Enumeration (CWE)

Nessus

  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-3147.NASL
    description: This update incorporates the upstream fix for possible NULL pointer dereferences which could occur if a client sent a malformed PKINIT request to a KDC (CVE-2013-1415), or if a client sent a draft9 PKINIT request to a KDC (CVE-2012-1016). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-03-23
    plugin id: 65657
    published: 2013-03-23
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65657
    title: Fedora 18 : krb5-1.10.3-14.fc18 (2013-3147)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-3147.
    #
    # Purpose: credentialed local check that reports a Fedora 18 host whose
    # installed krb5 RPM is older than krb5-1.10.3-14.fc18, the build carrying
    # the fixes for CVE-2012-1016 and CVE-2013-1415 (KDC NULL pointer
    # dereferences reachable through malformed PKINIT pre-authentication).
    #
    # Structure: the `if (description)` branch only registers plugin metadata
    # and exits; everything after it is the actual check, driven by values the
    # scanner has already collected into its knowledge base (KB).
    # Every audit() call is an early exit with a reason code -- the statements
    # that follow each one rely on audit() not returning (e.g. os_ver[1] is
    # read straight after the isnull(os_ver) audit).
    
    include("compat.inc");
    
    if (description)
    {
      script_id(65657);
      script_version("1.12");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-1016", "CVE-2013-1415");
      script_bugtraq_id(58144, 58532);
      script_xref(name:"FEDORA", value:"2013-3147");
    
      script_name(english:"Fedora 18 : krb5-1.10.3-14.fc18 (2013-3147)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update incorporates the upstream fix for possible NULL pointer
    dereferences which could occur if a client sent a malformed PKINIT
    request to a KDC (CVE-2013-1415), or if a client sent a draft9 PKINIT
    request to a KDC (CVE-2012-1016).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=914749"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=917840"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/100867.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?005cf860"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected krb5 package.");
      # CVSS2 vector is the advisory's own scoring (AC:M, A:C); note that it
      # rates availability impact higher than the A:P commonly listed for
      # CVE-2013-1415 -- consumers of this plugin's score should expect that gap.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:18");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/02/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/23");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # KB keys the check below reads; presumably the scanner only schedules
      # this plugin once ssh_get_info.nasl has populated them.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # --- Preconditions: local checks enabled, target is Fedora 18, package list present ---
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    # Capture group 1 is the major release number; "^18([^0-9]|$)" keeps the
    # match from accepting e.g. Fedora 180 or 18x.
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^18([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 18.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 package builds are covered by the reference below.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # --- Version comparison ---
    # flag counts packages found below the fixed reference build; rpm_check()
    # is presumably true when the installed krb5 is older than the reference.
    flag = 0;
    if (rpm_check(release:"FC18", reference:"krb5-1.10.3-14.fc18")) flag++;
    
    
    # --- Reporting ---
    if (flag)
    {
      # With verbose reporting on, attach the rpm_report_get() detail
      # (presumably the installed-vs-fixed package versions) to the finding.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Nothing flagged: distinguish "krb5 present but not affected" from
      # "krb5 not installed at all" in the audit reason.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5");
    }
    
    
  • NASL family: CentOS Local Security Checks
    NASL id: CENTOS_RHSA-2013-0656.NASL
    description: Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415) […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 65618
    published: 2013-03-20
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65618
    title: CentOS 6 : krb5 (CESA-2013:0656)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Red Hat Security Advisory RHSA-2013:0656 and 
    # CentOS Errata and Security Advisory 2013:0656 respectively.
    #
    # Purpose: credentialed local check that reports a CentOS 6 host on which
    # any of the six krb5 sub-packages listed below is older than
    # 1.10.3-10.el6_4.1, the build carrying the fixes for CVE-2012-1016 and
    # CVE-2013-1415 (KDC NULL pointer dereferences in PKINIT handling).
    #
    # Structure: the `if (description)` branch only registers plugin metadata
    # and exits; everything after it is the actual check, driven by values the
    # scanner has already collected into its knowledge base (KB).
    # Every audit() call is an early exit with a reason code -- the statements
    # that follow each one rely on audit() not returning (e.g. os_ver[1] is
    # read straight after the isnull(os_ver) audit).
    
    include("compat.inc");
    
    if (description)
    {
      script_id(65618);
      script_version("1.8");
      script_cvs_date("Date: 2020/01/06");
    
      script_cve_id("CVE-2012-1016", "CVE-2013-1415");
      script_xref(name:"RHSA", value:"2013:0656");
    
      script_name(english:"CentOS 6 : krb5 (CESA-2013:0656)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote CentOS host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "Updated krb5 packages that fix two security issues are now available
    for Red Hat Enterprise Linux 6.
    
    The Red Hat Security Response Team has rated this update as having
    moderate security impact. Common Vulnerability Scoring System (CVSS)
    base scores, which give detailed severity ratings, are available for
    each vulnerability from the CVE links in the References section.
    
    Kerberos is a network authentication system which allows clients and
    servers to authenticate to each other using symmetric encryption and a
    trusted third-party, the Key Distribution Center (KDC).
    
    When a client attempts to use PKINIT to obtain credentials from the
    KDC, the client can specify, using an issuer and serial number, which
    of the KDC's possibly-many certificates the client has in its
    possession, as a hint to the KDC that it should use the corresponding
    key to sign its response. If that specification was malformed, the KDC
    could attempt to dereference a NULL pointer and crash. (CVE-2013-1415)
    
    When a client attempts to use PKINIT to obtain credentials from the
    KDC, the client will typically format its request to conform to the
    specification published in RFC 4556. For interoperability reasons,
    clients and servers also provide support for an older, draft version
    of that specification. If a client formatted its request to conform to
    this older version of the specification, with a non-default key
    agreement option, it could cause the KDC to attempt to dereference a
    NULL pointer and crash. (CVE-2012-1016)
    
    All krb5 users should upgrade to these updated packages, which contain
    backported patches to correct these issues. After installing the
    updated packages, the krb5kdc daemon will be restarted automatically."
      );
      # https://lists.centos.org/pipermail/centos-announce/2013-March/019654.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?78195426"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected krb5 packages.");
      # The plugin covers two CVEs but carries one base vector; cvss_score_source
      # records that the vector is taken from CVE-2013-1415.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_attribute(attribute:"cvss_score_source", value:"CVE-2013-1415");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-pkinit-openssl");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-server-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:centos:centos:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:centos:centos:6");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2013/03/05");
      script_set_attribute(attribute:"patch_publication_date", value:"2013/03/18");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/20");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"CentOS Local Security Checks");
    
      # KB keys the check below reads; presumably the scanner only schedules
      # this plugin once ssh_get_info.nasl has populated them.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/CentOS/release", "Host/CentOS/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    # --- Preconditions: local checks enabled, target is CentOS 6, package list present ---
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/CentOS/release");
    if (isnull(release) || "CentOS" >!< release) audit(AUDIT_OS_NOT, "CentOS");
    # Capture group 1 is the major release number ("CentOS release 6..." and
    # "CentOS Linux release 6..." both match); "^6([^0-9]|$)" keeps the check
    # from accepting e.g. release 60.
    os_ver = pregmatch(pattern: "CentOS(?: Linux)? release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "CentOS");
    os_ver = os_ver[1];
    if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "CentOS 6.x", "CentOS " + os_ver);
    
    if (!get_kb_item("Host/CentOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    
    # Only x86 / x86_64 package builds are covered by the references below.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "CentOS", cpu);
    
    
    # --- Version comparison ---
    # flag counts sub-packages found below the fixed reference build; any one
    # of them is enough to report. rpm_check() is presumably true when the
    # installed package is older than the reference.
    flag = 0;
    if (rpm_check(release:"CentOS-6", reference:"krb5-devel-1.10.3-10.el6_4.1")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"krb5-libs-1.10.3-10.el6_4.1")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"krb5-pkinit-openssl-1.10.3-10.el6_4.1")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"krb5-server-1.10.3-10.el6_4.1")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"krb5-server-ldap-1.10.3-10.el6_4.1")) flag++;
    if (rpm_check(release:"CentOS-6", reference:"krb5-workstation-1.10.3-10.el6_4.1")) flag++;
    
    
    # --- Reporting ---
    if (flag)
    {
      # security_report_v4 is the newer reporting call (compare the older
      # security_hole(port:0, extra:...) form used by other plugins); the
      # rpm_report_get() text is attached as the finding's detail.
      security_report_v4(
        port       : 0,
        severity   : SECURITY_HOLE,
        extra      : rpm_report_get()
      );
      exit(0);
    }
    else
    {
      # Nothing flagged: distinguish "packages present but not affected" from
      # "none of the krb5 packages installed" in the audit reason.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-pkinit-openssl / krb5-server / etc");
    }
    
    
  • NASL family: Fedora Local Security Checks
    NASL id: FEDORA_2013-3116.NASL
    description: This update incorporates the upstream fix for possible NULL pointer dereferences which could occur if a client sent a malformed PKINIT request to a KDC (CVE-2013-1415), or if a client sent a draft9 PKINIT request to a KDC (CVE-2012-1016). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-03-17
    modified: 2013-03-17
    plugin id: 65589
    published: 2013-03-17
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65589
    title: Fedora 17 : krb5-1.10.2-9.fc17 (2013-3116)
    code
    #%NASL_MIN_LEVEL 80502
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were  
    # extracted from Fedora Security Advisory 2013-3116.
    #
    # Purpose: credentialed local check that reports a Fedora 17 host whose
    # installed krb5 RPM is older than krb5-1.10.2-9.fc17, the build carrying
    # the fixes for CVE-2012-1016 and CVE-2013-1415 (KDC NULL pointer
    # dereferences reachable through malformed PKINIT pre-authentication).
    # It is the Fedora 17 counterpart of FEDORA_2013-3147.NASL (Fedora 18);
    # the two differ only in release pattern, reference build and metadata.
    #
    # Structure: the `if (description)` branch only registers plugin metadata
    # and exits; everything after it is the actual check, driven by values the
    # scanner has already collected into its knowledge base (KB).
    # Every audit() call is an early exit with a reason code -- the statements
    # that follow each one rely on audit() not returning (e.g. os_ver[1] is
    # read straight after the isnull(os_ver) audit).
    
    include("compat.inc");
    
    if (description)
    {
      script_id(65589);
      script_version("1.12");
      script_set_attribute(attribute:"plugin_modification_date", value:"2020/03/12");
    
      script_cve_id("CVE-2012-1016", "CVE-2013-1415");
      script_bugtraq_id(58144);
      script_xref(name:"FEDORA", value:"2013-3116");
    
      script_name(english:"Fedora 17 : krb5-1.10.2-9.fc17 (2013-3116)");
      script_summary(english:"Checks rpm output for the updated package.");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Fedora host is missing a security update."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "This update incorporates the upstream fix for possible NULL pointer
    dereferences which could occur if a client sent a malformed PKINIT
    request to a KDC (CVE-2013-1415), or if a client sent a draft9 PKINIT
    request to a KDC (CVE-2012-1016).
    
    Note that Tenable Network Security has extracted the preceding
    description block directly from the Fedora security advisory. Tenable
    has attempted to automatically clean and format it as much as possible
    without introducing additional issues."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=914749"
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://bugzilla.redhat.com/show_bug.cgi?id=917840"
      );
      # https://lists.fedoraproject.org/pipermail/package-announce/2013-March/100175.html
      script_set_attribute(
        attribute:"see_also",
        value:"http://www.nessus.org/u?d7c622b4"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected krb5 package.");
      # CVSS2 vector is the advisory's own scoring (AC:M, A:C); it rates
      # availability impact higher than the A:P commonly listed for
      # CVE-2013-1415, so the plugin's score will not match that rating.
      script_set_cvss_base_vector("CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:C");
      script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
      script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
      script_set_attribute(attribute:"exploit_available", value:"false");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fedoraproject:fedora:krb5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:fedoraproject:fedora:17");
    
      script_set_attribute(attribute:"patch_publication_date", value:"2013/02/27");
      script_set_attribute(attribute:"plugin_publication_date", value:"2013/03/17");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Fedora Local Security Checks");
    
      # KB keys the check below reads; presumably the scanner only schedules
      # this plugin once ssh_get_info.nasl has populated them.
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    # --- Preconditions: local checks enabled, target is Fedora 17, package list present ---
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || "Fedora" >!< release) audit(AUDIT_OS_NOT, "Fedora");
    # Capture group 1 is the major release number; "^17([^0-9]|$)" keeps the
    # match from accepting e.g. Fedora 170 or 17x.
    os_ver = eregmatch(pattern: "Fedora.*release ([0-9]+)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Fedora");
    os_ver = os_ver[1];
    if (! ereg(pattern:"^17([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Fedora 17.x", "Fedora " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    # Only x86 / x86_64 package builds are covered by the reference below.
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Fedora", cpu);
    
    # --- Version comparison ---
    # flag counts packages found below the fixed reference build; rpm_check()
    # is presumably true when the installed krb5 is older than the reference.
    flag = 0;
    if (rpm_check(release:"FC17", reference:"krb5-1.10.2-9.fc17")) flag++;
    
    
    # --- Reporting ---
    if (flag)
    {
      # With verbose reporting on, attach the rpm_report_get() detail
      # (presumably the installed-vs-fixed package versions) to the finding.
      if (report_verbosity > 0) security_hole(port:0, extra:rpm_report_get());
      else security_hole(0);
      exit(0);
    }
    else
    {
      # Nothing flagged: distinguish "krb5 present but not affected" from
      # "krb5 not installed at all" in the audit reason.
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5");
    }
    
    
  • NASL family: Red Hat Local Security Checks
    NASL id: REDHAT-RHSA-2013-0656.NASL
    description: Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415) […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 65605
    published: 2013-03-19
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65605
    title: RHEL 6 : krb5 (RHSA-2013:0656)
  • NASL family: OracleVM Local Security Checks
    NASL id: ORACLEVM_OVMSA-2014-0034.NASL
    description: The remote OracleVM system is missing necessary patches to address critical security updates : - actually apply that last patch - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345, #1128157) - ksu: when evaluating .k5users, don't […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 79549
    published: 2014-11-26
    reporter: This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/79549
    title: OracleVM 3.3 : krb5 (OVMSA-2014-0034)
  • NASL family: Oracle Linux Local Security Checks
    NASL id: ORACLELINUX_ELSA-2013-0656.NASL
    description: From Red Hat Security Advisory 2013:0656 : Updated krb5 packages that fix two security issues are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415) […]
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 68792
    published: 2013-07-12
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/68792
    title: Oracle Linux 6 : krb5 (ELSA-2013-0656)
  • NASL family: Scientific Linux Local Security Checks
    NASL id: SL_20130318_KRB5_ON_SL6_X.NASL
    description: When a client attempts to use PKINIT to obtain credentials from the KDC, the client can specify, using an issuer and serial number, which of the KDC's possibly-many certificates the client has in its possession, as a hint to the KDC that it should use the corresponding key to sign its response. If that specification was malformed, the KDC could attempt to dereference a NULL pointer and crash. (CVE-2013-1415) […]
    last seen: 2020-03-18
    modified: 2013-03-19
    plugin id: 65606
    published: 2013-03-19
    reporter: This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/65606
    title: Scientific Linux Security Update : krb5 on SL6.x i386/x86_64 (20130318)
  • NASL family: Ubuntu Local Security Checks
    NASL id: UBUNTU_USN-2310-1.NASL
    description: It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1016) It was discovered that Kerberos incorrectly handled certain malformed KRB5_PADATA_PK_AS_REQ AS-REQ requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1415) It was discovered that Kerberos incorrectly handled certain crafted TGS-REQ requests. A remote authenticated attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1416) It was discovered that Kerberos incorrectly handled certain crafted requests when multiple realms were configured. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1418, CVE-2013-6800) It was discovered that Kerberos incorrectly handled certain invalid tokens. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4341, CVE-2014-4342) It was discovered that Kerberos incorrectly handled certain mechanisms when used with SPNEGO. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause clients to crash, resulting in a denial of service. (CVE-2014-4343) It was discovered that Kerberos incorrectly handled certain continuation tokens during SPNEGO negotiations. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4344) Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon incorrectly handled buffers when used with the LDAP backend. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-4345). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 77147
    published: 2014-08-12
    reporter: Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/77147
    title: Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : krb5 vulnerabilities (USN-2310-1)
  • NASL family: FreeBSD Local Security Checks
    NASL id: FREEBSD_PKG_F54584BC7D2B11E29BD1206A8A720317.NASL
    description: No advisory has been released yet. Fix a NULL pointer dereference in the KDC PKINIT code [CVE-2013-1415].
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 64860
    published: 2013-02-24
    reporter: This script is Copyright (C) 2013-2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/64860
    title: FreeBSD : krb5 -- NULL pointer dereference in the KDC PKINIT code [CVE-2013-1415] (f54584bc-7d2b-11e2-9bd1-206a8a720317)
  • NASL family: Solaris Local Security Checks
    NASL id: SOLARIS11_KERBEROS_20130924.NASL
    description: The remote Solaris system is missing necessary patches to address security updates : - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. (CVE-2002-2443) - The pkinit_server_return_padata function in plugins/preauth/pkinit/pkinit_srv.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 attempts to find an agility KDF identifier in inappropriate circumstances, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted Draft 9 request. (CVE-2012-1016) - The pkinit_check_kdc_pkid function in plugins/preauth/pkinit/pkinit_crypto_openssl.c in the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.4 and 1.11.x before 1.11.1 does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5_PADATA_PK_AS_REQ AS-REQ request. (CVE-2013-1415)
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 80652
    published: 2015-01-19
    reporter: This script is Copyright (C) 2015-2018 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/80652
    title: Oracle Solaris Third-Party Patch Update : kerberos (cve_2002_2443_denial_of)
  • NASL family: SuSE Local Security Checks
    NASL id: SUSE_11_KRB5-130306.NASL
    description: This update for Kerberos 5 fixes one security issue : The KDC plugin for PKINIT can dereference a NULL pointer when processing malformed packets, leading to a crash of the KDC process. (bnc#806715, CVE-2013-1415) Additionally, it improves compatibility with processes that handle large numbers of open files. (bnc#787272)
    last seen: 2020-06-05
    modified: 2013-03-28
    plugin id: 65717
    published: 2013-03-28
    reporter: This script is Copyright (C) 2013-2020 Tenable Network Security, Inc.
    source: https://www.tenable.com/plugins/nessus/65717
    title: SuSE 11.2 Security Update : Kerberos 5 (SAT Patch Number 7446)
  • NASL family: SuSE Local Security Checks
    NASL id: OPENSUSE-2013-224.NASL
    description: krb5 was updated to fix security issues in PKINIT : - fix PKINIT NULL pointer deref in pkinit_check_kdc_pkid() (CVE-2012-1016 bnc#807556) - fix PKINIT NULL pointer deref (CVE-2013-1415 bnc#806715) Also package a missing file on 12.3 (bnc#794784).
    last seen: 2020-06-05
    modified: 2014-06-13
    plugin id: 74931
    published: 2014-06-13
    reporter: This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/74931
    title: openSUSE Security Update : krb5 (openSUSE-SU-2013:0498-1)
  • NASL family: Mandriva Local Security Checks
    NASL id: MANDRIVA_MDVSA-2013-042.NASL
    description: Multiple vulnerabilities have been discovered and corrected in krb5 : Fix a kadmind denial of service issue (NULL pointer dereference), which could only be triggered by an administrator with the create privilege (CVE-2012-1013). The MIT krb5 KDC (Key Distribution Center) daemon can free an uninitialized pointer while processing an unusual AS-REQ, corrupting the process heap and possibly causing the daemon to abnormally terminate. An attacker could use this vulnerability to execute malicious code, but exploiting frees of uninitialized pointers to execute code is believed to be difficult. It is possible that a legitimate client that is misconfigured in an unusual way could trigger this vulnerability (CVE-2012-1015). It was reported that the KDC plugin for PKINIT could dereference a NULL pointer when a malformed packet caused processing to terminate early, which led to a crash of the KDC process. An attacker would require a valid PKINIT certificate or have observed a successful PKINIT authentication to execute a successful attack. In addition, an unauthenticated attacker could execute the attack if anonymous PKINIT was enabled (CVE-2013-1415). The updated packages have been patched to correct these issues.
    last seen: 2020-06-01
    modified: 2020-06-02
    plugin id: 66056
    published: 2013-04-20
    reporter: This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    source: https://www.tenable.com/plugins/nessus/66056
    title: Mandriva Linux Security Advisory : krb5 (MDVSA-2013:042)

Redhat

advisories
bugzilla
id: 917840
title: CVE-2012-1016 krb5: PKINIT null pointer deref leads to DoS
oval
OR
  • comment: Red Hat Enterprise Linux must be installed
    oval: oval:com.redhat.rhba:tst:20070304026
  • AND
    • comment: Red Hat Enterprise Linux 6 is installed
      oval: oval:com.redhat.rhba:tst:20111656003
    • OR
      • AND
        • comment: krb5-libs is earlier than 0:1.10.3-10.el6_4.1
          oval: oval:com.redhat.rhsa:tst:20130656001
        • comment: krb5-libs is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20192599014
      • AND
        • comment: krb5-workstation is earlier than 0:1.10.3-10.el6_4.1
          oval: oval:com.redhat.rhsa:tst:20130656003
        • comment: krb5-workstation is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20192599008
      • AND
        • comment: krb5-pkinit-openssl is earlier than 0:1.10.3-10.el6_4.1
          oval: oval:com.redhat.rhsa:tst:20130656005
        • comment: krb5-pkinit-openssl is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhsa:tst:20100863002
      • AND
        • comment: krb5-server is earlier than 0:1.10.3-10.el6_4.1
          oval: oval:com.redhat.rhsa:tst:20130656007
        • comment: krb5-server is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20192599006
      • AND
        • comment: krb5-server-ldap is earlier than 0:1.10.3-10.el6_4.1
          oval: oval:com.redhat.rhsa:tst:20130656009
        • comment: krb5-server-ldap is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20192599004
      • AND
        • comment: krb5-devel is earlier than 0:1.10.3-10.el6_4.1
          oval: oval:com.redhat.rhsa:tst:20130656011
        • comment: krb5-devel is signed with Red Hat redhatrelease2 key
          oval: oval:com.redhat.rhba:tst:20192599002
rhsa
id: RHSA-2013:0656
released: 2013-03-18
severity: Moderate
title: RHSA-2013:0656: krb5 security update (Moderate)
rpms
  • krb5-debuginfo-0:1.10.3-10.el6_4.1
  • krb5-devel-0:1.10.3-10.el6_4.1
  • krb5-libs-0:1.10.3-10.el6_4.1
  • krb5-pkinit-openssl-0:1.10.3-10.el6_4.1
  • krb5-server-0:1.10.3-10.el6_4.1
  • krb5-server-ldap-0:1.10.3-10.el6_4.1
  • krb5-workstation-0:1.10.3-10.el6_4.1