CVE-2017-15088
https://notcve.org/view.php?id=CVE-2017-15088
plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and application crash) in situations involving untrusted X.509 data, related to the get_matching_data and X509_NAME_oneline_ex functions. NOTE: this has security relevance only in use cases outside of the MIT Kerberos distribution, e.g., the use of get_matching_data in KDC certauth plugin code that is specific to Red Hat. plugins/preauth/pkinit/pkinit_crypto_openssl.c en MIT Kerberos 5 (también conocido como krb5) hasta la versión 1.15.2 gestiona de manera incorrecta los campos Distinguished Name (DN). Esto permite que atacantes remotos ejecuten código arbitrario o provoquen una denegación de servicio (desbordamiento de búfer y cierre inesperado de la aplicación) en situaciones relacionadas con datos X.509 no fiables. Esto se relaciona con las funciones get_matching_data y X509_NAME_oneline_ex. NOTA: esto es relevante para la seguridad solo en casos externos a la distribución de MIT Kerberos, por ejemplo, el uso de get_matching_data en el código del plugin KDC certauth específico de Red Hat. • http://www.securityfocus.com/bid/101594 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=871698 https://bugzilla.redhat.com/show_bug.cgi?id=1504045 https://github.com/krb5/krb5/commit/fbb687db1088ddd894d975996e5f6a4252b9a2b4 https://github.com/krb5/krb5/pull/707 • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-121: Stack-based Buffer Overflow •
CVE-2017-11368 – krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure
https://notcve.org/view.php?id=CVE-2017-11368
In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests. En MIT Kerberos 5 (también llamado krb5) en versiones 1.7 y posteriores, un atacante autenticado puede provocar un error de aserción KDC mediante el envío de peticiones S4U2Self o S4U2Proxy no válidas. A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request. • http://www.securityfocus.com/bid/100291 https://access.redhat.com/errata/RHSA-2018:0666 https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4HNWXM6OQU7G23MG7XWIOBRGP43ECLDT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBUTXMNZWMVJLQ4NDX5OQFPUVCJRLV3W https://access.redhat.com/security/cve/CVE-2017-11368 https://bugzilla.redhat.com/show_bug.cgi?id=1473560 • CWE-617: Reachable Assertion •
CVE-2016-3119 – krb5: null pointer dereference in kadmin
https://notcve.org/view.php?id=CVE-2016-3119
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. La función process_db_args en plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c en el módulo LDAP KDB en kadmind en MIT Kerberos 5 (también conocido como krb5) hasta la versión 1.13.4 y 1.14.x hasta la versión 1.14.1 no maneja adecuadamente el argumento DB, lo que permite a usuarios remotros autenticados provocar una denegación de servicio (referencia a puntero NULL y caída de demonio) a través de una petición manipulada para modificar una principal. A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a null pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. • http://lists.opensuse.org/opensuse-updates/2016-04/msg00007.html http://lists.opensuse.org/opensuse-updates/2016-04/msg00055.html http://rhn.redhat.com/errata/RHSA-2016-2591.html http://www.securityfocus.com/bid/85392 http://www.securitytracker.com/id/1035399 https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99 https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html https://access.redhat.com/security/cve/CVE-2016-3119 https://bugzilla.redhat.com/show_bug& • CWE-476: NULL Pointer Dereference •
CVE-2015-8629 – krb5: xdr_nullstring() doesn't check for terminating null character
https://notcve.org/view.php?id=CVE-2015-8629
The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string. La función xdr_nullstring en lib/kadm5/kadm_rpc_xdr.c en kadmind in MIT Kerberos 5 (también conocido como krb5) en versiones anteriores a 1.13.4 y 1.14.x en versiones anteriores a 1.14.1 no verifica si existen caracteres '\0' según lo esperado, lo que permite a usuarios remotos autenticados obtener información sensible o causar una denegación de servicio (lectura fuera de rango) a través de una cadena manipulada. An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. • http://krbdev.mit.edu/rt/Ticket/Display.html?id=8341 http://lists.opensuse.org/opensuse-updates/2016-02/msg00059.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00110.html http://rhn.redhat.com/errata/RHSA-2016-0493.html http://rhn.redhat.com/errata/RHSA-2016-0532.html http://www.debian.org/security/2016/dsa-3466 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html htt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVE-2015-8631 – krb5: Memory leak caused by supplying a null principal name in request
https://notcve.org/view.php?id=CVE-2015-8631
Multiple memory leaks in kadmin/server/server_stubs.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (memory consumption) via a request specifying a NULL principal name. Múltiples pérdidas de memoria en kadmin/server/server_stubs.c en kadmind en MIT Kerberos 5 (también conocido como krb5) en versiones anteriores a 1.13.4 y 1.14.x en versiones anteriores a 1.14.1 permiten a usuarios remotos autenticados causar una denegación de servicio (consumo de memoria) a través de una solicitud especificando un nombre principal NULL. A memory leak flaw was found in the krb5_unparse_name() function of the MIT Kerberos kadmind service. An authenticated attacker could repeatedly send specially crafted requests to the server, which could cause the server to consume large amounts of memory resources, ultimately leading to a denial of service due to memory exhaustion. • http://krbdev.mit.edu/rt/Ticket/Display.html?id=8343 http://lists.opensuse.org/opensuse-updates/2016-02/msg00059.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00110.html http://rhn.redhat.com/errata/RHSA-2016-0493.html http://rhn.redhat.com/errata/RHSA-2016-0532.html http://www.debian.org/security/2016/dsa-3466 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.securitytracker.com/id/1034916 https://github.com/krb5/krb5 • CWE-401: Missing Release of Memory after Effective Lifetime CWE-772: Missing Release of Resource after Effective Lifetime •