Vulnerabilities > CVE-2013-1416 - Null Pointer Dereference vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
SINGLE Confidentiality impact
NONE Integrity impact
NONE Availability impact
PARTIAL Summary
The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Nessus
NASL family Scientific Linux Local Security Checks NASL id SL_20130416_KRB5_ON_SL6_X.NASL description A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416) After installing the updated packages, the krb5kdc daemon will be restarted automatically. last seen 2020-03-18 modified 2013-04-17 plugin id 65993 published 2013-04-17 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65993 title Scientific Linux Security Update : krb5 on SL6.x i386/x86_64 (20130416) code # # (C) Tenable Network Security, Inc. # # The descriptive text is (C) Scientific Linux. # include("compat.inc"); if (description) { script_id(65993); script_version("1.9"); script_set_attribute(attribute:"plugin_modification_date", value:"2020/02/27"); script_cve_id("CVE-2013-1416"); script_name(english:"Scientific Linux Security Update : krb5 on SL6.x i386/x86_64 (20130416)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value: "The remote Scientific Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416) After installing the updated packages, the krb5kdc daemon will be restarted automatically." ); # https://listserv.fnal.gov/scripts/wa.exe?A2=ind1304&L=scientific-linux-errata&T=0&P=1313 script_set_attribute( attribute:"see_also", value:"http://www.nessus.org/u?5a834154" ); script_set_attribute(attribute:"solution", value:"Update the affected packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:krb5-debuginfo"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:krb5-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:krb5-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:krb5-pkinit-openssl"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:krb5-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:krb5-server-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:fermilab:scientific_linux:krb5-workstation"); script_set_attribute(attribute:"cpe", value:"x-cpe:/o:fermilab:scientific_linux"); script_set_attribute(attribute:"vuln_publication_date", value:"2013/04/19"); script_set_attribute(attribute:"patch_publication_date", value:"2013/04/16"); script_set_attribute(attribute:"plugin_publication_date", value:"2013/04/17"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Scientific Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("misc_func.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || "Scientific Linux " >!< release) audit(AUDIT_HOST_NOT, "running Scientific Linux"); os_ver = pregmatch(pattern: "Scientific Linux.*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Scientific Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^6([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Scientific Linux 6.x", "Scientific Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if (cpu >!< "x86_64" && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Scientific Linux", cpu); flag = 0; if (rpm_check(release:"SL6", reference:"krb5-debuginfo-1.10.3-10.el6_4.2")) flag++; if (rpm_check(release:"SL6", reference:"krb5-devel-1.10.3-10.el6_4.2")) flag++; if (rpm_check(release:"SL6", reference:"krb5-libs-1.10.3-10.el6_4.2")) flag++; if (rpm_check(release:"SL6", reference:"krb5-pkinit-openssl-1.10.3-10.el6_4.2")) flag++; if (rpm_check(release:"SL6", reference:"krb5-server-1.10.3-10.el6_4.2")) flag++; if (rpm_check(release:"SL6", reference:"krb5-server-ldap-1.10.3-10.el6_4.2")) flag++; if (rpm_check(release:"SL6", reference:"krb5-workstation-1.10.3-10.el6_4.2")) flag++; if (flag) { security_report_v4( port : 0, severity : SECURITY_WARNING, extra : rpm_report_get() ); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-debuginfo / krb5-devel / krb5-libs / krb5-pkinit-openssl / etc"); }NASL family OracleVM Local Security Checks NASL id ORACLEVM_OVMSA-2014-0034.NASL description The remote OracleVM system is missing necessary patches to address critical security updates : - actually apply that last patch - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345, #1128157) - ksu: when evaluating .k5users, don last seen 2020-06-01 modified 2020-06-02 plugin id 79549 published 2014-11-26 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79549 title OracleVM 3.3 : krb5 (OVMSA-2014-0034) NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2310-1.NASL description It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1016) It was discovered that Kerberos incorrectly handled certain malformed KRB5_PADATA_PK_AS_REQ AS-REQ requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1415) It was discovered that Kerberos incorrectly handled certain crafted TGS-REQ requests. A remote authenticated attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1416) It was discovered that Kerberos incorrectly handled certain crafted requests when multiple realms were configured. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1418, CVE-2013-6800) It was discovered that Kerberos incorrectly handled certain invalid tokens. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4341, CVE-2014-4342) It was discovered that Kerberos incorrectly handled certain mechanisms when used with SPNEGO. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause clients to crash, resulting in a denial of service. (CVE-2014-4343) It was discovered that Kerberos incorrectly handled certain continuation tokens during SPNEGO negotiations. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4344) Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon incorrectly handled buffers when used with the LDAP backend. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-4345). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 77147 published 2014-08-12 reporter Ubuntu Security Notice (C) 2014-2019 Canonical, Inc. / NASL script (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/77147 title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS : krb5 vulnerabilities (USN-2310-1) NASL family Fedora Local Security Checks NASL id FEDORA_2013-5286.NASL description These updates incorporate the upstream patch for a NULL pointer dereference in the KDC which could occur while processing certain TGS requests (CVE-2013-1416). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-04-18 plugin id 66008 published 2013-04-18 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66008 title Fedora 17 : krb5-1.10.2-10.fc17 (2013-5286) NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2013-158.NASL description A vulnerability has been discovered and corrected in krb5 : The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request (CVE-2013-1416). The updated packages have been patched to correct this issue. last seen 2020-06-01 modified 2020-06-02 plugin id 66285 published 2013-05-01 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66285 title Mandriva Linux Security Advisory : krb5 (MDVSA-2013:158) NASL family Solaris Local Security Checks NASL id SOLARIS11_KERBEROS_20130716.NASL description The remote Solaris system is missing necessary patches to address security updates : - The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request. (CVE-2013-1416) last seen 2020-06-01 modified 2020-06-02 plugin id 80651 published 2015-01-19 reporter This script is Copyright (C) 2015-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80651 title Oracle Solaris Third-Party Patch Update : kerberos (cve_2013_1416_denial_of) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2013-0748.NASL description Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 65992 published 2013-04-17 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/65992 title RHEL 6 : krb5 (RHSA-2013:0748) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201312-12.NASL description The remote host is affected by the vulnerability described in GLSA-201312-12 (MIT Kerberos 5: Multiple vulnerabilities) Multiple vulnerabilities have been discovered in the Key Distribution Center in MIT Kerberos 5. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could send a specially crafted request, possibly resulting in execution of arbitrary code with the privileges of the process or a Denial of Service condition. Additionally, a remote attacker could impersonate a kadmind server and send a specially crafted packet to the password change port, which can result in a ping-pong condition and a Denial of Service condition. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 71487 published 2013-12-17 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/71487 title GLSA-201312-12 : MIT Kerberos 5: Multiple vulnerabilities NASL family SuSE Local Security Checks NASL id OPENSUSE-2013-401.NASL description - fix prep_reprocess_req NULL pointer deref CVE-2013-1416 (bnc#816413) bug-816413-CVE-2013-1416-prep_reprocess_req-NULL-ptr-der ef.dif last seen 2020-06-05 modified 2014-06-13 plugin id 74989 published 2014-06-13 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/74989 title openSUSE Security Update : krb5 (openSUSE-SU-2013:0904-1) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2013-0748.NASL description Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 66001 published 2013-04-18 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66001 title CentOS 6 : krb5 (CESA-2013:0748) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2013-0748.NASL description From Red Hat Security Advisory 2013:0748 : Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6. The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section. Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416) All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically. last seen 2020-06-01 modified 2020-06-02 plugin id 68810 published 2013-07-12 reporter This script is Copyright (C) 2013-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/68810 title Oracle Linux 6 : krb5 (ELSA-2013-0748) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2013-182.NASL description A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416) last seen 2020-06-01 modified 2020-06-02 plugin id 69741 published 2013-09-04 reporter This script is Copyright (C) 2013-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/69741 title Amazon Linux AMI : krb5 (ALAS-2013-182) NASL family Fedora Local Security Checks NASL id FEDORA_2013-5280.NASL description These updates incorporate the upstream patch for a NULL pointer dereference in the KDC which could occur while processing certain TGS requests (CVE-2013-1416). Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2013-04-18 plugin id 66007 published 2013-04-18 reporter This script is Copyright (C) 2013-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/66007 title Fedora 18 : krb5-1.10.3-15.fc18 (2013-5280)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7600
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102058.html
- http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102074.html
- http://lists.opensuse.org/opensuse-updates/2013-05/msg00011.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00041.html
- http://lists.opensuse.org/opensuse-updates/2013-06/msg00102.html
- http://rhn.redhat.com/errata/RHSA-2013-0748.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:157
- http://www.mandriva.com/security/advisories?name=MDVSA-2013:158
- https://github.com/krb5/krb5/commit/8ee70ec63931d1e38567905387ab9b1d45734d81