CVE-2017-11368 – krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure
https://notcve.org/view.php?id=CVE-2017-11368
In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests. En MIT Kerberos 5 (también llamado krb5) en versiones 1.7 y posteriores, un atacante autenticado puede provocar un error de aserción KDC mediante el envío de peticiones S4U2Self o S4U2Proxy no válidas. A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request. • http://www.securityfocus.com/bid/100291 https://access.redhat.com/errata/RHSA-2018:0666 https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/4HNWXM6OQU7G23MG7XWIOBRGP43ECLDT https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/UBUTXMNZWMVJLQ4NDX5OQFPUVCJRLV3W https://access.redhat.com/security/cve/CVE-2017-11368 https://bugzilla.redhat.com/show_bug.cgi?id=1473560 • CWE-617: Reachable Assertion •
CVE-2016-3120 – krb5: S4U2Self KDC crash when anon is restricted
https://notcve.org/view.php?id=CVE-2016-3120
The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request. La función validate_as_request en kdc_util.c en el Key Distribution Center (KDC) en MIT Kerberos 5 (también conocido como krb5) en versiones anteriores a 1.13.6 y 1.4.x en versiones anteriores a 1.14.3, cuando restrict_anonymous_to_tgt está activo, utiliza una estructura de datos de clientes incorrecta, lo que permite a usuarios remotos autenticados provocar una denegación de servicio (referencia al puntero NULO y caída de daemon) a través de una petición S4U2Selft. A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a null pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true. • http://krbdev.mit.edu/rt/Ticket/Display.html?id=8458 http://lists.opensuse.org/opensuse-updates/2016-09/msg00035.html http://rhn.redhat.com/errata/RHSA-2016-2591.html http://web.mit.edu/kerberos/krb5-1.13 http://web.mit.edu/kerberos/krb5-1.14 http://www.securityfocus.com/bid/92132 http://www.securitytracker.com/id/1036442 https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7 https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html https:/ • CWE-476: NULL Pointer Dereference •
CVE-2016-3119 – krb5: null pointer dereference in kadmin
https://notcve.org/view.php?id=CVE-2016-3119
The process_db_args function in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the LDAP KDB module in kadmind in MIT Kerberos 5 (aka krb5) through 1.13.4 and 1.14.x through 1.14.1 mishandles the DB argument, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal. La función process_db_args en plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c en el módulo LDAP KDB en kadmind en MIT Kerberos 5 (también conocido como krb5) hasta la versión 1.13.4 y 1.14.x hasta la versión 1.14.1 no maneja adecuadamente el argumento DB, lo que permite a usuarios remotros autenticados provocar una denegación de servicio (referencia a puntero NULL y caída de demonio) a través de una petición manipulada para modificar una principal. A NULL pointer dereference flaw was found in MIT Kerberos kadmind service. An authenticated attacker with permission to modify a principal entry could use this flaw to cause kadmind to dereference a null pointer and crash by supplying an empty DB argument to the modify_principal command, if kadmind was configured to use the LDAP KDB module. • http://lists.opensuse.org/opensuse-updates/2016-04/msg00007.html http://lists.opensuse.org/opensuse-updates/2016-04/msg00055.html http://rhn.redhat.com/errata/RHSA-2016-2591.html http://www.securityfocus.com/bid/85392 http://www.securitytracker.com/id/1035399 https://github.com/krb5/krb5/commit/08c642c09c38a9c6454ab43a9b53b2a89b9eef99 https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html https://access.redhat.com/security/cve/CVE-2016-3119 https://bugzilla.redhat.com/show_bug& • CWE-476: NULL Pointer Dereference •
CVE-2015-8629 – krb5: xdr_nullstring() doesn't check for terminating null character
https://notcve.org/view.php?id=CVE-2015-8629
The xdr_nullstring function in lib/kadm5/kadm_rpc_xdr.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13.4 and 1.14.x before 1.14.1 does not verify whether '\0' characters exist as expected, which allows remote authenticated users to obtain sensitive information or cause a denial of service (out-of-bounds read) via a crafted string. La función xdr_nullstring en lib/kadm5/kadm_rpc_xdr.c en kadmind in MIT Kerberos 5 (también conocido como krb5) en versiones anteriores a 1.13.4 y 1.14.x en versiones anteriores a 1.14.1 no verifica si existen caracteres '\0' según lo esperado, lo que permite a usuarios remotos autenticados obtener información sensible o causar una denegación de servicio (lectura fuera de rango) a través de una cadena manipulada. An out-of-bounds read flaw was found in the kadmind service of MIT Kerberos. An authenticated attacker could send a maliciously crafted message to force kadmind to read beyond the end of allocated memory, and write the memory contents to the KDC database if the attacker has write permission, leading to information disclosure. • http://krbdev.mit.edu/rt/Ticket/Display.html?id=8341 http://lists.opensuse.org/opensuse-updates/2016-02/msg00059.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00110.html http://rhn.redhat.com/errata/RHSA-2016-0493.html http://rhn.redhat.com/errata/RHSA-2016-0532.html http://www.debian.org/security/2016/dsa-3466 http://www.oracle.com/technetwork/topics/security/bulletinapr2016-2952098.html http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html htt • CWE-119: Improper Restriction of Operations within the Bounds of a Memory Buffer CWE-125: Out-of-bounds Read •
CVE-2015-8630 – krb5: krb5 doesn't check for null policy when KADM5_POLICY is set in the mask
https://notcve.org/view.php?id=CVE-2015-8630
The (1) kadm5_create_principal_3 and (2) kadm5_modify_principal functions in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.4 and 1.14.x before 1.14.1 allow remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by specifying KADM5_POLICY with a NULL policy name. Las funciones (1) kadm5_create_principal_3 y (2) kadm5_modify_principal en lib/kadm5/srv/svr_principal.c en kadmind en MIT Kerberos 5 (también conocido como krb5) 1.12.x y 1.13.x en versiones anteriores a 1.13.4 y 1.14.x en versiones anteriores a 1.14.1 permiten a usuarios remotos autenticados causar una denegación de servicio (referencia a puntero NULL y caída de demonio) mediante la especificación KADM5_POLICY con un nombre de política NULL. A NULL pointer dereference flaw was found in the procedure used by the MIT Kerberos kadmind service to store policies: the kadm5_create_principal_3() and kadm5_modify_principal() function did not ensure that a policy was given when KADM5_POLICY was set. An authenticated attacker with permissions to modify the database could use this flaw to add or modify a principal with a policy set to NULL, causing the kadmind service to crash. • http://krbdev.mit.edu/rt/Ticket/Display.html?id=8342 http://lists.opensuse.org/opensuse-updates/2016-02/msg00059.html http://lists.opensuse.org/opensuse-updates/2016-02/msg00110.html http://rhn.redhat.com/errata/RHSA-2016-0532.html http://www.debian.org/security/2016/dsa-3466 http://www.oracle.com/technetwork/topics/security/linuxbulletinapr2016-2952096.html http://www.securitytracker.com/id/1034915 https://github.com/krb5/krb5/commit/b863de7fbf080b15e347a736fdda0a82d42f4f6b https://access.red • CWE-476: NULL Pointer Dereference •