Vulnerabilities > CVE-2016-3120 - NULL Pointer Dereference vulnerability in MIT Kerberos 5
Attack vector: NETWORK
Attack complexity: LOW
Privileges required: LOW
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: HIGH
Summary
The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request. (The "1.4.x" in this range appears to be a typo for 1.14.x: the FreeBSD entry below names krb5 1.14.3 and krb5 1.13.6 as the releases carrying the fix.)
Vulnerable Configurations
Part | Description | Count |
---|---|---|
Application | 10 |
Common Weakness Enumeration (CWE)
Nessus
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0021.NASL description An update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has been released. last seen 2019-02-21 modified 2019-02-07 plugin id 111870 published 2018-08-17 reporter Tenable source https://www.tenable.com/plugins/index.php?view=single&id=111870 title Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated) code
#
# (C) Tenable Network Security, Inc.
#
# @DEPRECATED@
#
# Disabled on 2/7/2019
#
# The descriptive text and package checks in this plugin were
# extracted from VMware Security Advisory PHSA-2017-0021. The text
# itself is copyright (C) VMware, Inc.

include("compat.inc");

# Metadata pass: when `description` is set, the script only registers its
# attributes and leaves through the exit(0) that closes this block.
if (description)
{
  script_id(111870);
  script_version("1.3");
  script_cvs_date("Date: 2019/04/05 23:25:07");

  # One plugin for the whole PHSA-2017-0021 bundle: eleven CVEs spread over the
  # bindutils, krb5, ruby, sudo and zlib packages. CVE-2016-3120 is the krb5
  # KDC issue this page documents.
  script_cve_id(
    "CVE-2016-2776",
    "CVE-2016-3120",
    "CVE-2016-9841",
    "CVE-2016-9843",
    "CVE-2016-1000368",
    "CVE-2017-9224",
    "CVE-2017-9225",
    "CVE-2017-9227",
    "CVE-2017-9229",
    "CVE-2017-1000367",
    "CVE-2017-1000368"
  );

  script_name(english:"Photon OS 1.0: Bindutils / Krb5 / Ruby / Sudo / Zlib PHSA-2017-0021 (deprecated)");
  script_summary(english:"Checks the rpm output for the updated packages.");

  script_set_attribute(attribute:"synopsis", value: "This plugin has been deprecated.");
  script_set_attribute(attribute:"description", value: "An update of [zlib,bindutils,ruby,krb5,sudo] packages for PhotonOS has been released.");
  # https://github.com/vmware/photon/wiki/Security-Updates-51
  script_set_attribute(attribute:"see_also", value:"http://www.nessus.org/u?11072ed6");
  script_set_attribute(attribute:"solution", value:"n/a.");

  # The CVSS vectors are scored from CVE-2016-2776 (see cvss_score_source
  # below), not from CVE-2016-3120. Their Au:N / PR:N therefore says nothing
  # about the krb5 issue, which the summary describes as requiring a remote
  # authenticated user.
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:C");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H");
  script_set_cvss3_temporal_vector("CVSS:3.0/E:P/RL:O/RC:C");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2016-2776");

  # Plugin-wide attributes: they are set once for all eleven CVEs and do not
  # state which of them the exploit availability refers to.
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  script_set_attribute(attribute:"patch_publication_date", value:"2017/06/22");
  script_set_attribute(attribute:"plugin_publication_date", value:"2018/08/17");

  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:bindutils");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:krb5");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:ruby");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:sudo");
  script_set_attribute(attribute:"cpe", value:"p-cpe:/a:vmware:photonos:zlib");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:vmware:photonos:1.0");
  script_end_attributes();

  script_category(ACT_GATHER_INFO);
  script_family(english:"PhotonOS Local Security Checks");

  script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");

  # Inputs: the KB entries this local check reads further down.
  script_dependencies("ssh_get_info.nasl");
  script_require_keys("Host/local_checks_enabled", "Host/PhotonOS/release", "Host/PhotonOS/rpm-list");

  exit(0);
}

# Deprecation guard: this exit is unconditional, so none of the checks below
# are reached and the plugin never reports a host as affected or unaffected.
# Silence from plugin 111870 is not evidence that krb5 is patched; this page
# lists the per-package plugin 121701 (PHOTONOS_PHSA-2017-0021_KRB5.NASL) for
# the same advisory.
exit(0, "This plugin has been deprecated.");

include("audit.inc");
include("global_settings.inc");
include("rpm.inc");

# Preconditions: local checks enabled, a Photon OS 1.0 release string, and an
# rpm list collected from the host.
if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);

release = get_kb_item("Host/PhotonOS/release");
if (isnull(release) || release !~ "^VMware Photon") audit(AUDIT_OS_NOT, "PhotonOS");
if (release !~ "^VMware Photon (?:Linux|OS) 1\.0(\D|$)") audit(AUDIT_OS_NOT, "PhotonOS 1.0");

if (!get_kb_item("Host/PhotonOS/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);

# Only x86_64 and i386-i686 hosts are handled; any other CPU string audits out.
cpu = get_kb_item("Host/cpu");
if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "PhotonOS", cpu);

flag = 0;

# Reference package versions, each handed to rpm_check() for PhotonOS-1.0.
# krb5-1.14-6.ph1 is the krb5 reference. rpm_check() is defined in rpm.inc
# (not shown here); presumably it flags an installed package older than the
# reference - confirm against rpm.inc.
pkgs = [
  "bindutils-9.10.4-2.ph1",
  "bindutils-debuginfo-9.10.4-2.ph1",
  "krb5-1.14-6.ph1",
  "krb5-debuginfo-1.14-6.ph1",
  "ruby-2.4.0-3.ph1",
  "ruby-debuginfo-2.4.0-3.ph1",
  "sudo-1.8.20p2-1.ph1",
  "sudo-debuginfo-1.8.20p2-1.ph1",
  "zlib-1.2.8-5.ph1",
  "zlib-debuginfo-1.2.8-5.ph1",
  "zlib-devel-1.2.8-5.ph1"
];

# Count every package for which rpm_check() returns true.
foreach (pkg in pkgs)
  if (rpm_check(release:"PhotonOS-1.0", reference:pkg)) flag++;

if (flag)
{
  # At least one package matched: report once, with the rpm report as detail.
  security_report_v4(
    port : 0,
    severity : SECURITY_HOLE,
    extra : rpm_report_get()
  );
  exit(0);
}
else
{
  # Nothing matched: distinguish "packages tested but not affected" from
  # "none of the packages installed".
  tested = pkg_tests_get();
  if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
  else audit(AUDIT_PACKAGE_NOT_INSTALLED, "bindutils / krb5 / ruby / sudo / zlib");
}
NASL family PhotonOS Local Security Checks NASL id PHOTONOS_PHSA-2017-0021_KRB5.NASL description An update of the krb5 package has been released. last seen 2020-03-17 modified 2019-02-07 plugin id 121701 published 2019-02-07 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/121701 title Photon OS 1.0: Krb5 PHSA-2017-0021 NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2016-2591.NASL description An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. 
(CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 94554 published 2016-11-04 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94554 title RHEL 7 : krb5 (RHSA-2016:2591) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2016-2591.NASL description An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. 
(CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 95337 published 2016-11-28 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95337 title CentOS 7 : krb5 (CESA-2016:2591) NASL family Fedora Local Security Checks NASL id FEDORA_2016-4A36663643.NASL description Misc samba and sssd-related bugfixes. ---- Bump version to 1.14.3 for the convenience of those needing the SNI fix. ---- Require krb5 to set the last seen 2020-06-05 modified 2016-09-02 plugin id 93262 published 2016-09-02 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93262 title Fedora 23 : krb5 (2016-4a36663643) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2016-1076.NASL description According to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) - A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true.(CVE-2016-3120) Note that Tenable Network Security has extracted the preceding description block directly from the EulerOS security advisory. 
Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-05-06 modified 2017-05-01 plugin id 99836 published 2017-05-01 reporter This script is Copyright (C) 2017-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/99836 title EulerOS 2.0 SP1 : krb5 (EulerOS-SA-2016-1076) NASL family SuSE Local Security Checks NASL id OPENSUSE-2016-1065.NASL description This update for krb5 fixes the following issues : - CVE-2016-3120: KDC NULL pointer Dereference Denial Of Service Vulnerability (bsc#991088) This update was imported from the SUSE:SLE-12:Update update project. last seen 2020-06-05 modified 2016-09-09 plugin id 93393 published 2016-09-09 reporter This script is Copyright (C) 2016-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/93393 title openSUSE Security Update : krb5 (openSUSE-2016-1065) NASL family Fedora Local Security Checks NASL id FEDORA_2016-0674A3C372.NASL description Fix low-impact CVE-2016-3120 where S4U2Self may cause KDC crash when anon is restricted Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. last seen 2020-06-05 modified 2016-08-02 plugin id 92668 published 2016-08-02 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92668 title Fedora 24 : krb5 (2016-0674a3c372) NASL family Fedora Local Security Checks NASL id FEDORA_2016-F405B25923.NASL description Bump version to 1.14.3 for the convenience of those needing the SNI fix. 
---- Require krb5 to set the last seen 2020-06-05 modified 2016-09-02 plugin id 93266 published 2016-09-02 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93266 title Fedora 23 : krb5 (2016-f405b25923) NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2016-2591.NASL description From Red Hat Security Advisory 2016:2591 : An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Low. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link (s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). (BZ#1292153) Security Fix(es) : * A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) * A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. 
(CVE-2016-3120) Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.3 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 94712 published 2016-11-11 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/94712 title Oracle Linux 7 : krb5 (ELSA-2016-2591) NASL family Debian Local Security Checks NASL id DEBIAN_DLA-1265.NASL description Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues. CVE-2013-1418 Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured. CVE-2014-5351 Kerberos sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access. CVE-2014-5353 When the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. CVE-2014-5355 Kerberos expects that a krb5_read_message data field is represented as a string ending with a last seen 2020-03-17 modified 2018-02-01 plugin id 106536 published 2018-02-01 reporter This script is Copyright (C) 2018-2020 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/106536 title Debian DLA-1265-1 : krb5 security update NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2017-793.NASL description A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. 
An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) last seen 2020-06-01 modified 2020-06-02 plugin id 97023 published 2017-02-07 reporter This script is Copyright (C) 2017-2018 Tenable Network Security, Inc. source https://www.tenable.com/plugins/nessus/97023 title Amazon Linux AMI : krb5 (ALAS-2017-793) NASL family FreeBSD Local Security Checks NASL id FREEBSD_PKG_62D452294FA011E69D13206A8A720317.NASL description Major changes in krb5 1.14.3 and krb5 1.13.6 : Fix a rare KDC denial of service vulnerability when anonymous client principals are restricted to obtaining TGTs only [CVE-2016-3120] . last seen 2020-06-01 modified 2020-06-02 plugin id 92503 published 2016-07-22 reporter This script is Copyright (C) 2016-2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/92503 title FreeBSD : krb5 -- KDC denial of service vulnerability (62d45229-4fa0-11e6-9d13-206a8a720317) NASL family SuSE Local Security Checks NASL id SUSE_SU-2016-2136-1.NASL description This update for krb5 fixes the following issues : - CVE-2016-3120: KDC NULL pointer Dereference Denial Of Service Vulnerability (bsc#991088) Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues. 
last seen 2020-06-01 modified 2020-06-02 plugin id 93303 published 2016-09-02 reporter This script is Copyright (C) 2016-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/93303 title SUSE SLED12 / SLES12 Security Update : krb5 (SUSE-SU-2016:2136-1) NASL family Scientific Linux Local Security Checks NASL id SL_20161103_KRB5_ON_SL7_X.NASL description The following packages have been upgraded to a newer upstream version: krb5 (1.14.1). Security Fix(es) : - A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a NULL pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. (CVE-2016-3119) - A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a NULL pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. (CVE-2016-3120) Additional Changes : last seen 2020-03-18 modified 2016-12-15 plugin id 95842 published 2016-12-15 reporter This script is Copyright (C) 2016-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/95842 title Scientific Linux Security Update : krb5 on SL7.x x86_64 (20161103)
Redhat
advisories
rpms
References
- http://web.mit.edu/kerberos/krb5-1.13/
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=8458
- https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
- http://web.mit.edu/kerberos/krb5-1.14/
- http://lists.opensuse.org/opensuse-updates/2016-09/msg00035.html
- http://www.securityfocus.com/bid/92132
- http://www.securitytracker.com/id/1036442
- http://rhn.redhat.com/errata/RHSA-2016-2591.html
- https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AWL3KYFRJIX37EAM4DKCQQIQP2WBKL35/