[arch-security] [ASA-201507-11] lib32-krb5: multiple issues
Levente Polyak
anthraxx at archlinux.org
Sun Jul 12 19:16:37 UTC 2015
Arch Linux Security Advisory ASA-201507-11
==========================================
Severity: Medium
Date : 2015-07-12
CVE-ID : CVE-2014-5355 CVE-2015-2694
Package : lib32-krb5
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/index.php/CVE
Summary
=======
The package lib32-krb5 before version 1.13.2-2 is vulnerable to multiple
issues including denial of service and preauthentication requirement bypass.
Resolution
==========
Upgrade to 1.13.2-2.
# pacman -Syu "lib32-krb5>=1.13.2-2"
The problems have been fixed upstream in version 1.13.2.
Workaround
==========
None.
Description
===========
- CVE-2014-5355 (denial of service)
When a server process uses the krb5_recvauth function, an
unauthenticated remote attacker can cause a NULL dereference by sending
a zero-byte version string, or a read beyond the end of allocated
storage by sending a non-null-terminated version string. The example
user-to-user server application (uuserver) is similarly vulnerable to a
zero-length or non-null-terminated principal name string.
The krb5_recvauth function reads two version strings from the client
using krb5_read_message(), which produces a krb5_data structure
containing a length and a pointer to an octet sequence. krb5_recvauth
assumes that the data pointer is a valid C string and passes it to
strcmp() to verify the versions. If the client sends an empty octet
sequence, the data pointer will be NULL and strcmp() will dereference a
NULL pointer, causing the process to crash. If the client sends a
non-null-terminated octet sequence, strcmp() will read beyond the end of
the allocated storage, possibly causing the process to crash.
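As an added illustration (not part of this advisory and not krb5's own code or the upstream patch), the following C check treats the received version as a length-delimited buffer instead of a C string; the msg_data struct mirroring krb5_data, the version string value, and the demo_* inputs are assumptions of this example:

```c
#include <stdio.h>
#include <string.h>

/* Assumed mirror of the length-plus-pointer structure the advisory describes
 * (a krb5_data); defined here so the example builds without krb5 headers. */
typedef struct {
    unsigned int length;
    char *data;
} msg_data;

/* Version string exchanged by sendauth/recvauth (assumed value for this demo). */
static const char *SENDAUTH_VERSION = "KRB5_SENDAUTH_V1.0";

/* Hardened check: the advisory's bug was strcmp(msg->data, expected), which
 * dereferences NULL for an empty message and over-reads for an unterminated
 * one. This version bounds every access by msg->length. Returns 1 on match. */
int version_matches(const msg_data *msg, const char *expected)
{
    size_t want = strlen(expected) + 1;          /* bytes incl. terminator */
    if (msg->data == NULL || msg->length == 0)   /* zero-byte message */
        return 0;
    if (msg->data[msg->length - 1] != '\0')      /* no terminator in buffer */
        return 0;
    if (msg->length != want)                     /* length must match exactly */
        return 0;
    return memcmp(msg->data, expected, want) == 0;
}

/* Constructed inputs mirroring the advisory's three cases. */
int demo_valid(void)
{
    char buf[] = "KRB5_SENDAUTH_V1.0";           /* sizeof includes the NUL */
    msg_data m = { sizeof buf, buf };
    return version_matches(&m, SENDAUTH_VERSION); /* returns 1 */
}
int demo_empty(void)
{
    msg_data m = { 0, NULL };                    /* empty octet sequence */
    return version_matches(&m, SENDAUTH_VERSION); /* returns 0, no NULL deref */
}
int demo_unterminated(void)
{
    char raw[3] = { 'K', 'R', 'B' };             /* no trailing NUL */
    msg_data m = { sizeof raw, raw };
    return version_matches(&m, SENDAUTH_VERSION); /* returns 0, no over-read */
}
```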
- CVE-2015-2694 (preauthentication requirement bypass)
It has been discovered that, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user's password.
Impact
======
A remote attacker is able to send specially crafted packets to perform a
denial of service attack or bypass the requires_preauth flag and obtain
ciphertext that could be used to conduct an off-line dictionary attack
against the user's password.
References
==========
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8050
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8160
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5355
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2694
https://bugs.archlinux.org/task/45575