Vulnerabilities > CVE-2014-5351 - Credentials Management vulnerability in MIT Kerberos 5 1.12.2
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: SINGLE (an authenticated kadmin user)
Confidentiality impact: PARTIAL
Integrity impact: NONE
Availability impact: NONE
(CVSS v2 base vector AV:N/AC:H/Au:S/C:P/I:N/A:N, as carried in the Nessus plugins below.)
Summary
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. In practical terms: an authenticated kadmin client that is permitted to randomize a principal's keys with -keepold receives that principal's existing (kept) keys in the reply, not only the freshly generated ones; since the kept keys remain valid for the principal, the client can use them to forge tickets for that service. Exposure is limited to users who already hold administrative (randkey) access on the principal, which is why the vector is Au:S / AC:H. The upstream fix (krb5 commit af0ed4df, shipped in 1.13 and in the vendor backports referenced below) removes the old keys from the reply; after patching, treat the kept keys of any principal that was randomized with -keepold by an untrusted administrator as exposed and rotate them.
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | MIT Kerberos 5 (krb5) 1.12.2 (see summary: all releases before 1.13 are affected) | 1 |
Common Weakness Enumeration (CWE): not listed on this page. The "Credentials Management" category in the title corresponds to CWE-255 (Credentials Management Errors) — confirm against the NVD entry.
Nessus
NASL family Mandriva Local Security Checks NASL id MANDRIVA_MDVSA-2014-224.NASL description Updated krb5 packages fix security vulnerability : The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access (CVE-2014-5351). last seen 2020-06-01 modified 2020-06-02 plugin id 79411 published 2014-11-23 reporter This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/79411 title Mandriva Linux Security Advisory : krb5 (MDVSA-2014:224) code
#%NASL_MIN_LEVEL 80502
#
# (C) Tenable Network Security, Inc.
#
# The descriptive text and package checks in this plugin were
# extracted from Mandriva Linux Security Advisory MDVSA-2014:224.
# The text itself is copyright (C) Mandriva S.A.
#
# Local check: compares the rpm list collected over SSH against the
# Mandriva Business Server 1 builds that carry the CVE-2014-5351 fix.
# It never talks to kadmind itself; a host is flagged only when one of
# the listed krb5 packages is installed at a lower version.

include("compat.inc");

if (description)
{
  script_id(79411);
  script_version("1.4");
  script_cvs_date("Date: 2019/08/02 13:32:56");

  script_cve_id("CVE-2014-5351");
  script_bugtraq_id(70380);
  script_xref(name:"MDVSA", value:"2014:224");

  script_name(english:"Mandriva Linux Security Advisory : krb5 (MDVSA-2014:224)");
  script_summary(english:"Checks rpm output for the updated packages");

  script_set_attribute(
    attribute:"synopsis",
    value:"The remote Mandriva Linux host is missing one or more security updates."
  );
  script_set_attribute(
    attribute:"description",
    value:"Updated krb5 packages fix security vulnerability : The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access (CVE-2014-5351)."
  );
  script_set_attribute(
    attribute:"see_also",
    value:"http://advisories.mageia.org/MGASA-2014-0477.html"
  );
  script_set_attribute(attribute:"solution", value:"Update the affected packages.");

  # CVSS2: network-reachable, but only for an already-authenticated admin
  # client, and the only impact is key (confidentiality) disclosure.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:H/Au:S/C:P/I:N/A:N");
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-pkinit-openssl");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-server");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-server-ldap");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:krb5-workstation");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64krb53");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:mandriva:linux:lib64krb53-devel");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:mandriva:business_server:1");

  script_set_attribute(attribute:"patch_publication_date", value:"2014/11/21");
  script_set_attribute(attribute:"plugin_publication_date", value:"2014/11/23");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_copyright(english:"This script is Copyright (C) 2014-2019 and is owned by Tenable, Inc. 
or an Affiliate thereof.");
  script_family(english:"Mandriva Local Security Checks");

  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/cpu", "Host/Mandrake/release", "Host/Mandrake/rpm-list");

  exit(0);
}

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions: local checks must be enabled and the SSH collector must
# have populated the Mandriva release and rpm list. audit() exits the
# script, so each failed guard ends the run with a not-applicable result.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
if (!get_kb_item("Host/Mandrake/release")) audit(AUDIT_OS_NOT, "Mandriva / Mandake Linux");  # message text kept verbatim, including the original spelling
if (!get_kb_item("Host/Mandrake/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86 architectures are covered by the advisory's package set.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if (cpu !~ "^(amd64|i[3-6]86|x86_64)$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Mandriva / Mandrake Linux", cpu);

# Fixed builds from MDVSA-2014:224 for Mandriva Business Server 1 (x86_64).
# rpm_check() returns true when the installed package is older than the
# reference, i.e. still carries the vulnerable kadmind/libkadm5 code.
fixed_pkgs = make_list(
  "krb5-1.9.2-3.6.mbs1",
  "krb5-pkinit-openssl-1.9.2-3.6.mbs1",
  "krb5-server-1.9.2-3.6.mbs1",
  "krb5-server-ldap-1.9.2-3.6.mbs1",
  "krb5-workstation-1.9.2-3.6.mbs1",
  "lib64krb53-1.9.2-3.6.mbs1",
  "lib64krb53-devel-1.9.2-3.6.mbs1"
);

vuln_count = 0;
foreach ref (fixed_pkgs)
{
  if (rpm_check(release:"MDK-MBS1", cpu:"x86_64", reference:ref)) vuln_count++;
}

# Nothing outdated: report the host as not affected and stop.
if (!vuln_count) audit(AUDIT_HOST_NOT, "affected");

# At least one vulnerable package: emit a note, with the per-package
# comparison attached when verbose reporting is on.
if (report_verbosity > 0) security_note(port:0, extra:rpm_report_get());
else security_note(0);
exit(0);
NASL family AIX Local Security Checks NASL id AIX_NAS_ADVISORY2.NASL description The version of the Network Authentication Service (NAS) installed on the remote AIX host is affected by a vulnerability related to Kerberos 5 which allows authenticated users to retrieve current keys, which can be used to forge tickets. last seen 2020-06-01 modified 2020-06-02 plugin id 81022 published 2015-01-27 reporter This script is Copyright (C) 2015-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81022 title AIX NAS Advisory : nas_advisory2.asc NASL family Fedora Local Security Checks NASL id FEDORA_2015-2382.NASL description Security fix for CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423 Security fix for CVE-2014-5351 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2015-03-10 plugin id 81705 published 2015-03-10 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81705 title Fedora 20 : krb5-1.11.5-18.fc20 (2015-2382) NASL family SuSE Local Security Checks NASL id OPENSUSE-2015-128.NASL description krb5 was updated to fix five security issues. These security issues were fixed : - CVE-2014-5351: current keys returned when randomizing the keys for a service principal (bnc#897874) - CVE-2014-5352: An authenticated attacker could cause a vulnerable application (including kadmind) to crash or to execute arbitrary code (bnc#912002). - CVE-2014-9421: An authenticated attacker could cause kadmind or other vulnerable server application to crash or to execute arbitrary code (bnc#912002). 
- CVE-2014-9422: An attacker who possess the key of a particularly named principal (such as last seen 2020-06-05 modified 2015-02-12 plugin id 81304 published 2015-02-12 reporter This script is Copyright (C) 2015-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/81304 title openSUSE Security Update : krb5 (openSUSE-2015-128) NASL family Gentoo Local Security Checks NASL id GENTOO_GLSA-201412-53.NASL description The remote host is affected by the vulnerability described in GLSA-201412-53 (MIT Kerberos 5: User-assisted execution of arbitrary code) Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please review the CVE identifiers referenced below for details. Impact : A remote attacker could execute arbitrary code with the privileges of the process or cause Denial of Service. Workaround : There is no known workaround at this time. last seen 2020-06-01 modified 2020-06-02 plugin id 80328 published 2015-01-02 reporter This script is Copyright (C) 2015 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/80328 title GLSA-201412-53 : MIT Kerberos 5: User-assisted execution of arbitrary code NASL family Ubuntu Local Security Checks NASL id UBUNTU_USN-2498-1.NASL description It was discovered that Kerberos incorrectly sent old keys in response to a -randkey -keepold request. An authenticated remote attacker could use this issue to forge tickets by leveraging administrative access. This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5351) It was discovered that the libgssapi_krb5 library incorrectly processed security context handles. A remote attacker could use this issue to cause a denial of service, or possibly execute arbitrary code. (CVE-2014-5352) Patrik Kis discovered that Kerberos incorrectly handled LDAP queries with no results. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service. 
(CVE-2014-5353) It was discovered that Kerberos incorrectly handled creating database entries for a keyless principal when using LDAP. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service. (CVE-2014-5354) It was discovered that Kerberos incorrectly handled memory when processing XDR data. A remote attacker could use this issue to cause kadmind to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-9421) It was discovered that Kerberos incorrectly handled two-component server principals. A remote attacker could use this issue to perform impersonation attacks. (CVE-2014-9422) It was discovered that the libgssrpc library leaked uninitialized bytes. A remote attacker could use this issue to possibly obtain sensitive information. (CVE-2014-9423). Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-01 modified 2020-06-02 plugin id 81297 published 2015-02-11 reporter Ubuntu Security Notice (C) 2015-2019 Canonical, Inc. / NASL script (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/81297 title Ubuntu 10.04 LTS / 12.04 LTS / 14.04 LTS / 14.10 : krb5 vulnerabilities (USN-2498-1) NASL family Fedora Local Security Checks NASL id FEDORA_2014-11940.NASL description Security fix for CVE-2014-5351 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-03-17 modified 2014-10-09 plugin id 78100 published 2014-10-09 reporter This script is Copyright (C) 2014-2020 and is owned by Tenable, Inc. or an Affiliate thereof. 
source https://www.tenable.com/plugins/nessus/78100 title Fedora 21 : krb5-1.12.2-9.fc21 (2014-11940) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1265.NASL description Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues. CVE-2013-1418 Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured. CVE-2014-5351 Kerberos sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5353 When the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. CVE-2014-5355 Kerberos expects that a krb5_read_message data field is represented as a string ending with a last seen 2020-03-17 modified 2018-02-01 plugin id 106536 published 2018-02-01 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106536 title Debian DLA-1265-1 : krb5 security update NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0290-2.NASL description MIT kerberos krb5 was updated to fix several security issues and bugs. Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) sent old keys in a response to a -randkey -keepold request, which allowed remote authenticated users to forge tickets by leveraging administrative access. 
- CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is used to process a valid context deletion token, the caller was left with a security context handle containing a dangling pointer. Further uses of this handle would have resulted in use-after-free and double-free memory access violations. libgssrpc server applications such as kadmind were vulnerable as they can be instructed to call gss_process_context_token(). - CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated user, it may have performed use-after-free and double-free memory access violations while cleaning up the partial deserialization results. Other libgssrpc server applications might also been vulnerable if they contain insufficiently defensive XDR functions. - CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted authentications to two-component server principals whose first component is a left substring of last seen 2020-06-01 modified 2020-06-02 plugin id 83683 published 2015-05-20 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83683 title SUSE SLED12 / SLES12 Security Update : krb5 (SUSE-SU-2015:0290-2) NASL family SuSE Local Security Checks NASL id SUSE_SU-2015-0290-1.NASL description MIT kerberos krb5 was updated to fix several security issues and bugs. Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) sent old keys in a response to a -randkey -keepold request, which allowed remote authenticated users to forge tickets by leveraging administrative access. - CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is used to process a valid context deletion token, the caller was left with a security context handle containing a dangling pointer. 
Further uses of this handle would have resulted in use-after-free and double-free memory access violations. libgssrpc server applications such as kadmind were vulnerable as they can be instructed to call gss_process_context_token(). - CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated user, it may have performed use-after-free and double-free memory access violations while cleaning up the partial deserialization results. Other libgssrpc server applications might also been vulnerable if they contain insufficiently defensive XDR functions. - CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepted authentications to two-component server principals whose first component is a left substring of last seen 2020-06-01 modified 2020-06-02 plugin id 83682 published 2015-05-20 reporter This script is Copyright (C) 2015-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/83682 title SUSE SLES12 Security Update : krb5 (SUSE-SU-2015:0290-1) NASL family SuSE Local Security Checks NASL id SUSE_11_KRB5-201410-141002.NASL description This update for krb5 fixes the following issues : - When randomizing the keys for a service principal, current keys could be returned. (CVE-2014-5351) - klist -s crashes when handling multiple referral entries. (bnc#890623) last seen 2020-06-05 modified 2014-11-13 plugin id 79232 published 2014-11-13 reporter This script is Copyright (C) 2014-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/79232 title SuSE 11.3 Security Update : krb5 (SAT Patch Number 9827)
References
- http://advisories.mageia.org/MGASA-2014-0477.html
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=8018
- http://lists.fedoraproject.org/pipermail/package-announce/2014-October/140132.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html
- http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html
- http://security.gentoo.org/glsa/glsa-201412-53.xml
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:224
- http://www.securityfocus.com/bid/70380
- http://www.securitytracker.com/id/1031003
- http://www.ubuntu.com/usn/USN-2498-1
- https://bugzilla.redhat.com/show_bug.cgi?id=1145425
- https://exchange.xforce.ibmcloud.com/vulnerabilities/97028
- https://github.com/krb5/krb5/commit/af0ed4df4dfae762ab5fb605f5a0c8f59cb4f6ca
- https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html