Arch Linux Security Advisory ASA-201507-11 ========================================== Severity: Medium Date : 2015-07-12 CVE-ID : CVE-2014-5355 CVE-2015-2694 Package : lib32-krb5 Type : multiple issues Remote : Yes Link : https://wiki.archlinux.org/index.php/CVE Summary ======= The package lib32-krb5 before version 1.13.2-2 is vulnerable to multiple issues including denial of service and preauthentication requirement bypass. Resolution ========== Upgrade to 1.13.2-2. # pacman -Syu "lib32-krb5>=1.13.2-2" The problems have been fixed upstream in version 1.13.2. Workaround ========== None. Description =========== - CVE-2014-5355 (denial of service) When a server process uses the krb5_recvauth function, an unauthenticated remote attacker can cause a NULL dereference by sending a zero-byte version string, or a read beyond the end of allocated storage by sending a non-null-terminated version string. The example user-to-user server application (uuserver) is similarly vulnerable to a zero-length or non-null-terminated principal name string. The krb5_recvauth function reads two version strings from the client using krb5_read_message(), which produces a krb5_data structure containing a length and a pointer to an octet sequence. krb5_recvaut assumes that the data pointer is a valid C string and passes it to strcmp() to verify the versions. If the client sends an empty octet sequence, the data pointer will be NULL and strcmp() will dereference a NULL pointer, causing the process to crash. If the client sends a non-null-terminated octet sequence, strcmp() will read beyond the end of the allocated storage, possibly causing the process to crash. - CVE-2015-2694 (preauthentication requirement bypass) It has been discovered that, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. Impact ====== A remote attacker is able to send specially crafted packets to perform a denial of service attack or bypass the requires_preauth flag and obtain ciphertext that could be used to conduct an off-line dictionary attack against the user's password. References ========== https://krbdev.mit.edu/rt/Ticket/Display.html?id=8050 https://krbdev.mit.edu/rt/Ticket/Display.html?id=8160 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5355 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2694 https://bugs.archlinux.org/task/45575