[arch-security] [ASA-201502-12] krb5: multiple issues
Arch Linux Security Advisory ASA-201502-12
==========================================

Severity: High
Date    : 2015-02-17
CVE-ID  : CVE-2014-5352 CVE-2014-5353 CVE-2014-5354 CVE-2014-9421 CVE-2014-9422
          CVE-2014-9423
Package : krb5
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package krb5 before version 1.13.1-1 is vulnerable to multiple issues
including authenticated remote code execution, authenticated remote denial of
service, authenticated remote privilege escalation and remote information leak.

Resolution
==========

Upgrade to 1.13.1-1.

# pacman -Syu "krb5>=1.13.1-1"

The problem has been fixed upstream in version 1.13.1.

Workaround
==========

None.

Description
===========

- CVE-2014-5352 (authenticated remote code execution)

In the MIT krb5 libgssapi_krb5 library, after gss_process_context_token() is
used to process a valid context deletion token, the caller is left with a
security context handle containing a dangling pointer. Further uses of this
handle will result in use-after-free and double-free memory access violations.
libgssrpc server applications such as kadmind are vulnerable as they can be
instructed to call gss_process_context_token().

- CVE-2014-5353 (authenticated remote denial of service)

In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an
authenticated remote attacker can cause a NULL dereference by attempting to use
a named ticket policy object as a password policy for a principal. The attacker
needs to be authenticated as a user who has the elevated privilege for setting
password policy by adding or modifying principals.

- CVE-2014-5354 (authenticated remote denial of service)

In MIT krb5, when kadmind is configured to use LDAP for the KDC database, an
authenticated remote attacker can cause a NULL dereference by inserting into the
database a principal entry which contains no long-term keys.

- CVE-2014-9421 (authenticated remote code execution)

If the MIT krb5 kadmind daemon receives invalid XDR data from an authenticated
user, it may perform use-after-free and double-free memory access violations
while cleaning up the partial deserialization results. Other libgssrpc server
applications may also be vulnerable if they contain insufficiently defensive
XDR functions.

- CVE-2014-9422 (privilege escalation)

The MIT krb5 kadmind daemon incorrectly accepts authentications to
two-component server principals whose first component is a left substring of
"kadmin" or whose realm is a left prefix of the default realm.

- CVE-2014-9423 (unauthenticated remote information leak)

libgssrpc applications including kadmind output four or eight bytes of
uninitialized memory to the network as part of an unused "handle" field in
replies to clients.

Impact
======

A remote, unauthenticated attacker can retrieve sensitive information from the
memory of the affected system. A remote authenticated attacker can crash the
affected process, escalate to administrative privileges and execute arbitrary
code.

References
==========

http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt
https://access.redhat.com/security/cve/CVE-2014-5352
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5353
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5354
https://access.redhat.com/security/cve/CVE-2014-9421
https://access.redhat.com/security/cve/CVE-2014-9422
https://access.redhat.com/security/cve/CVE-2014-9423
http://www.openwall.com/lists/oss-security/2014/12/16/1
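The CVE-2014-9422 entry above describes a prefix-match bug in how kadmind checks the server principal. The following is an added illustration (not code from the advisory or from MIT krb5) of how a length-bounded strncmp over a counted, non-NUL-terminated buffer turns an equality check into a prefix check, and of the exact comparison that closes it; the kdata struct, the DEFAULT_REALM value and the exact shape of the original check are assumptions.

```c
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for krb5_data: a counted buffer, not NUL-terminated. */
typedef struct { const char *data; unsigned int length; } kdata;

static const char *DEFAULT_REALM = "EXAMPLE.COM";  /* assumed default realm */

static kdata mk(const char *s) { kdata d = { s, (unsigned int)strlen(s) }; return d; }

/* Weak check. Models the CVE-2014-9422 pattern (an assumption about the
 * original source, not a copy of it): strncmp bounded by the caller-supplied
 * length compares only the prefix the caller chose, so "kad" matches "kadmin"
 * and "EX" matches "EXAMPLE.COM". Returns 1 if accepted, 0 if rejected. */
int weak_accepts(const char *first_component, const char *realm)
{
    kdata c0 = mk(first_component), r = mk(realm);
    if (strncmp(c0.data, "kadmin", c0.length) != 0)
        return 0;
    if (strncmp(r.data, DEFAULT_REALM, r.length) != 0)
        return 0;
    return 1;
}

/* Exact comparison: lengths must match before any bytes are compared. */
static int data_eq_string(const kdata *d, const char *s)
{
    size_t n = strlen(s);
    return d->length == n && memcmp(d->data, s, n) == 0;
}

int fixed_accepts(const char *first_component, const char *realm)
{
    kdata c0 = mk(first_component), r = mk(realm);
    return data_eq_string(&c0, "kadmin") && data_eq_string(&r, DEFAULT_REALM);
}

int main(void)
{
    /* Constructed principals: one legitimate, two that only share a prefix. */
    const char *cases[][2] = { {"kadmin", "EXAMPLE.COM"}, {"kad", "EX"}, {"", "E"} };
    for (size_t i = 0; i < 3; i++)
        printf("%s/<second>@%s  weak=%d fixed=%d\n", cases[i][0], cases[i][1],
               weak_accepts(cases[i][0], cases[i][1]),
               fixed_accepts(cases[i][0], cases[i][1]));
    return 0;
}
```

The weak variant also accepts an empty component, because strncmp with a length of 0 compares nothing and reports equality.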
participants (1)
-
Remi Gacogne