CVE-2014-9423 – krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
https://notcve.org/view.php?id=CVE-2014-9423
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field. La función svcauth_gss_accept_sec_context en lib/rpc/svc_auth_gss.c en MIT Kerberos 5 (también conocido como krb5) 1.11.x hasta 1.11.5, 1.12.x hasta 1.12.2, y 1.13.x anterior a 1.13.1 trasmite datos intercalados no inicializados a clientes, lo que permite a atacantes remotos obtener información sensible de la memoria dinámica de procesos mediante la captura de trafico de la red para datos en un campo de manejo (handle). An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS implementation (libgssrpc) handled certain requests. An attacker could send a specially crafted request to an application using libgssrpc to disclose a limited portion of uninitialized memory used by that application. • http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html http://rhn.redhat.com/errata/RHSA-2015-0439.html http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt http://we • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor CWE-212: Improper Removal of Sensitive Information Before Storage or Transfer •
CVE-2014-9421 – krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
https://notcve.org/view.php?id=CVE-2014-9421
The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind. La función auth_gssapi_unwrap_data en lib/rpc/auth_gssapi_misc.c en MIT Kerberos 5 (también conocido como krb5) hasta 1.11.5, 1.12.x hasta 1.12.2, y 1.13.x anterior a 1.13.1 no maneja correctamente la deserialización XDR parcial, lo que permite a usuarios remotos autenticados causar una denegación de servicio (uso después de liberación y doble liberación, y caída del demonio) o posiblemente ejecutar código arbitrario a través de datos XDR malformados, tal y como fue demostrado mediante datos enviados a kadmind. A double-free flaw was found in the way MIT Kerberos handled invalid External Data Representation (XDR) data. An authenticated user could use this flaw to crash the MIT Kerberos administration server (kadmind), or other applications using Kerberos libraries, using specially crafted XDR packets. • http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html http://rhn.redhat.com/errata/RHSA-2015-0439.html http://rhn.redhat.com/errata/RHSA-2015-0794.html http://web.mit.edu/ • CWE-416: Use After Free •
CVE-2014-9422 – krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
https://notcve.org/view.php?id=CVE-2014-9422
The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal. La función check_rpcsec_auth en kadmin/server/kadm_rpc_svc.c en kadmind en MIT Kerberos 5 (también conocido como krb5) hasta 1.11.5, 1.12.x hasta 1.12.2, y 1.13.x anterior a 1.13.1 permite a usuarios remotos autenticados evadir una comprobación de la autorización kadmin/* y obtener acceso administrativo mediante el aprovechamiento del acceso a un principal de dos componentes con una subcadena 'kadmind' inicial, tal y como fue demostrado por un principal 'ka/x'. It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as "kad/x") could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user. • http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html http://rhn.redhat.com/errata/RHSA-2015-0439.html http://rhn.redhat.com/errata/RHSA-2015-0794.html http://web.mit.edu/ • CWE-284: Improper Access Control CWE-305: Authentication Bypass by Primary Weakness •
CVE-2014-5352 – krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)
https://notcve.org/view.php?id=CVE-2014-5352
The krb5_gss_process_context_token function in lib/gssapi/krb5/process_context_token.c in the libgssapi_krb5 library in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly maintain security-context handles, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via crafted GSSAPI traffic, as demonstrated by traffic to kadmind. La función krb5_gss_process_context_token en lib/gssapi/krb5/process_context_token.c en la libraría libgssapi_krb5 en MIT Kerberos 5 (también conocido como krb5) hasta 1.11.5, 1.12.x hasta 1.12.2, y 1.13.x anterior a 1.13.1 no mantiene correctamente los manejos en el contexto de seguridad, lo que permite a usuarios remotos autenticados causar una denegación de servicio (uso después de liberación y doble liberación, y caída del demonio) o posiblemente ejecutar código arbitrario a través de trafico GSSAPI manipulado, tal y como fue demostrado por trafico a kadmind. A use-after-free flaw was found in the way the MIT Kerberos libgssapi_krb5 library processed valid context deletion tokens. An attacker able to make an application using the GSS-API library (libgssapi) call the gss_process_context_token() function could use this flaw to crash that application. • http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html http://rhn.redhat.com/errata/RHSA-2015-0439.html http://rhn.redhat.com/errata/RHSA-2015-0794.html http://web.mit.edu/ • CWE-416: Use After Free •
CVE-2014-5353 – krb5: NULL pointer dereference when using a ticket policy name as a password policy name
https://notcve.org/view.php?id=CVE-2014-5353
The krb5_ldap_get_password_policy_from_dn function in plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c in MIT Kerberos 5 (aka krb5) before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy. La función krb5_ldap_get_password_policy_from_dn en plugins/kdb/ldap/libkdb_ldap/ldap_pwd_policy.c en MIT Kerberos 5 (también conocido como krb5) anterior a 1.13.1, cuando el KDC utiliza LDAP, permite a usuarios remotos autenticados causar una denegación de servicio (caída del demonio) a través de una consulta LDAP con éxito pero sin resultados, tal y como fue demostrado mediante el uso de un tipo de objeto incorrecto para una política de contraseñas. If kadmind were used with an LDAP back end for the KDC database, a remote, authenticated attacker who has the permissions to set the password policy could crash kadmind by attempting to use a named ticket policy object as a password policy for a principal. • http://advisories.mageia.org/MGASA-2014-0536.html http://lists.fedoraproject.org/pipermail/package-announce/2015-April/155828.html http://lists.opensuse.org/opensuse-updates/2015-03/msg00061.html http://rhn.redhat.com/errata/RHSA-2015-0439.html http://rhn.redhat.com/errata/RHSA-2015-0794.html http://www.mandriva.com/security/advisories?name=MDVSA-2015:009 http://www.oracle.com/technetwork/topics/security/bulletinapr2015-2511959.html http://www.securityfocus.com/bid/71679 http://www.sec • CWE-476: NULL Pointer Dereference •