VuXML ID | Description |
e3f64457-cccd-11e2-af76-206a8a720317 | krb5 -- UDP ping-pong vulnerability in the kpasswd (password changing) service. [CVE-2002-2443]
No advisory has been released yet.
schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103. [CVE-2002-2443].
Discovery: 2013-05-10  Entry: 2013-06-03
Affected: krb5 <= 1.11.2
References: CVE-2002-2443; http://web.mit.edu/kerberos/www/krb5-1.11/

a30573dc-4893-11df-a5f9-001641aeabdf | krb5 -- remote denial of service vulnerability
An authenticated remote attacker can cause a denial of service by using a newer version of the kadmin protocol than the server supports.
The MIT Kerberos team also reports the cause:
The Kerberos administration daemon (kadmind) can crash due to referencing freed memory.
Discovery: 2010-04-06  Entry: 2010-04-18
Affected: krb5 <= 1.6.3_9
References: 39247; CVE-2010-0629; http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-003.txt

0bb7677d-52f3-11d9-a9e7-0001020eed82 | krb5 -- heap buffer overflow vulnerability in libkadm5srv
An MIT krb5 Security Advisory reports:
The MIT Kerberos 5 administration library (libkadm5srv) contains a heap buffer overflow in password history handling code which could be exploited to execute arbitrary code on a Key Distribution Center (KDC) host. The overflow occurs during a password change of a principal with a certain password history state. An administrator must have performed a certain password policy change in order to create the vulnerable state.
An authenticated user, not necessarily one with administrative privileges, could execute arbitrary code on the KDC host, compromising an entire Kerberos realm.
Discovery: 2004-12-06  Entry: 2004-12-21
Affected: krb5, krb5-beta < 1.3.6
References: CVE-2004-1189; http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-004-pwhist.txt

094e4a5b-6511-11ed-8c5e-206a8a720317 | krb5 -- Integer overflow vulnerabilities in PAC parsing
MITKRB5-SA-2022-001 Vulnerabilities in PAC parsing:
Due to integer overflow vulnerabilities in PAC parsing, an authenticated attacker may be able to cause a KDC or kadmind process to crash by reading beyond the bounds of allocated memory, creating a denial of service.
On 32-bit platforms an authenticated attacker may be able to cause heap corruption resulting in an RCE.
Discovery: 2022-11-05  Entry: 2022-11-15
Affected: krb5 < 1.19.3_1, or > 1.20 and < 1.20_1; krb5-120 < 1.20_1; krb5-119 < 1.19.3_1; krb5-devel < 1.20.2022.11.03
References: CVE-2022-42898; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42898

3f3837cc-48fb-4414-aa46-5b1c23c9feae | krb5 -- Multiple vulnerabilities
MIT reports:
CVE-2017-11368: In MIT krb5 1.7 and later, an authenticated attacker can cause an assertion failure in krb5kdc by sending an invalid S4U2Self or S4U2Proxy request.
CVE-2017-11462: RFC 2744 permits a GSS-API implementation to delete an existing security context on a second or subsequent call to gss_init_sec_context() or gss_accept_sec_context() if the call results in an error. This API behavior has been found to be dangerous, leading to the possibility of memory errors in some callers. For safety, GSS-API implementations should instead preserve existing security contexts on error until the caller deletes them.
All versions of MIT krb5 prior to this change may delete acceptor contexts on error. Versions 1.13.4 through 1.13.7, 1.14.1 through 1.14.5, and 1.15 through 1.15.1 may also delete initiator contexts on error.
Discovery: 2017-07-14  Entry: 2017-10-18
Affected: krb5 < 1.14.6, or >= 1.15 and < 1.15.2; krb5-devel < 1.14.6, or >= 1.15 and < 1.15.2; krb5-115 < 1.15.2; krb5-114 < 1.14.6; krb5-113 < 1.14.6
References: CVE-2017-11368; CVE-2017-11462; https://nvd.nist.gov/vuln/detail/CVE-2017-11368; https://krbdev.mit.edu/rt/Ticket/Display.html?id=8599; https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970; https://nvd.nist.gov/vuln/detail/CVE-2017-11462; https://krbdev.mit.edu/rt/Ticket/Display.html?id=8598; https://github.com/krb5/krb5/commit/56f7b1bc95a2a3eeb420e069e7655fb181ade5cf

24ce5597-acab-11e4-a847-206a8a720317 | krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092
SO-AND-SO reports:
CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is used to process a valid context deletion token, the caller is left with a security context handle containing a dangling pointer. Further uses of this handle will result in use-after-free and double-free memory access violations. libgssrpc server applications such as kadmind are vulnerable as they can be instructed to call gss_process_context_token().
CVE-2014-9421: If the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated user, it may perform use-after-free and double-free memory access violations while cleaning up the partial deserialization results. Other libgssrpc server applications may also be vulnerable if they contain insufficiently defensive XDR functions.
CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly accepts authentications to two-component server principals whose first component is a left substring of "kadmin" or whose realm is a left prefix of the default realm.
CVE-2014-9423: libgssrpc applications including kadmind output four or eight bytes of uninitialized memory to the network as part of an unused "handle" field in replies to clients.
Discovery: 2015-02-03  Entry: 2015-02-04
Affected: krb5 < 1.13_1; krb5-112 < 1.12.2_1; krb5-111 < 1.11.5_4
References: CVE-2014-5352; CVE-2014-9421; CVE-2014-9422; CVE-2014-9423; http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt

f54584bc-7d2b-11e2-9bd1-206a8a720317 | krb5 -- null pointer dereference in the KDC PKINIT code [CVE-2013-1415]
No advisory has been released yet.
Fix a null pointer dereference in the KDC PKINIT code [CVE-2013-1415].
Discovery: 2013-02-21  Entry: 2013-02-22
Affected: krb5 <= 1.11
References: CVE-2013-1415; http://web.mit.edu/kerberos/www/krb5-1.11/

a6986f0f-3ac0-11ee-9a88-206a8a720317 | krb5 -- Double-free in KDC TGS processing
SO-AND-SO reports:
When issuing a ticket for a TGS renew or validate request, copy only the server field from the outer part of the header ticket to the new ticket. Copying the whole structure causes the enc_part pointer to be aliased to the header ticket until krb5_encrypt_tkt_part() is called, resulting in a double-free if handle_authdata() fails.
Discovery: 2023-08-07  Entry: 2023-08-14
Affected: krb5 < 1.21.1_1; krb5-121 < 1.21.1_1; krb5-devel < 1.22.2023.08.07
References: CVE-2023-39975; https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-39975

bd60922b-fb8d-11d8-a13e-000a95bc6fae | krb5 -- ASN.1 decoder denial-of-service vulnerability
An advisory published by the MIT Kerberos team says:
The ASN.1 decoder library in the MIT Kerberos 5 distribution is vulnerable to a denial-of-service attack causing an infinite loop in the decoder. The KDC is vulnerable to this attack.
An unauthenticated remote attacker can cause a KDC or application server to hang inside an infinite loop.
An attacker impersonating a legitimate KDC or application server may cause a client program to hang inside an infinite loop.
Discovery: 2004-08-31  Entry: 2004-08-31
Affected: krb5 >= 1.2.2 and <= 1.3.4
References: CVE-2004-0644; 550464; http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-003-asn1.txt

86a98b57-fb8e-11d8-9343-000a95bc6fae | krb5 -- double-free vulnerabilities
An advisory published by the MIT Kerberos team says:
The MIT Kerberos 5 implementation's Key Distribution Center (KDC) program contains a double-free vulnerability that potentially allows a remote attacker to execute arbitrary code. Compromise of a KDC host compromises the security of the entire authentication realm served by the KDC. Additionally, double-free vulnerabilities exist in MIT Kerberos 5 library code, making client programs and application servers vulnerable.
Double-free vulnerabilities of this type are not believed to be exploitable for code execution on FreeBSD systems. However, the potential for other ill effects may exist.
Discovery: 2004-08-31  Entry: 2004-08-31
Affected: krb5 <= 1.3.4_1
References: CVE-2004-0642; CVE-2004-0643; CVE-2004-0772; 795632; 866472; 350792; http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2004-002-dblfree.txt

3a888a1e-b321-11e4-83b2-206a8a720317 | krb5 -- Vulnerabilities in kadmind, libgssrpc, gss_process_context_token VU#540092
The MIT Kerberos team reports:
CVE-2014-5353: The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.
CVE-2014-5354: plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.
Discovery: 2015-02-12  Entry: 2015-02-12  Modified: 2015-02-13
Affected: krb5 < 1.13.1; krb5-112 < 1.12.2_2; krb5-111 < 1.11.5_5
References: CVE-2014-5353; CVE-2014-5354; http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt

406636fe-055d-11e5-aab1-d050996490d0 | krb5 -- requires_preauth bypass in PKINIT-enabled KDC
MIT reports:
In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.
Discovery: 2015-05-25  Entry: 2015-05-28
Affected: krb5 < 1.13.2; krb5-112 < 1.12.3_2
References: CVE-2015-2694; http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160