CVE-2014-9422

krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)

Severity Score

6.1

*CVSS v2

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.

La función check_rpcsec_auth en kadmin/server/kadm_rpc_svc.c en kadmind en MIT Kerberos 5 (también conocido como krb5) hasta 1.11.5, 1.12.x hasta 1.12.2, y 1.13.x anterior a 1.13.1 permite a usuarios remotos autenticados evadir una comprobación de la autorización kadmin/* y obtener acceso administrativo mediante el aprovechamiento del acceso a un principal de dos componentes con una subcadena 'kadmind' inicial, tal y como fue demostrado por un principal 'ka/x'.

It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as "kad/x") could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user.

*Credits: N/A

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Complete

Attack Vector

Network

Attack Complexity

High

Authentication

Single

Confidentiality

Partial

Integrity

Partial

Availability

Partial

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2014-12-26 CVE Reserved
2015-02-04 CVE Published
2023-03-07 EPSS Updated
2024-08-06 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-284: Improper Access Control
CWE-305: Authentication Bypass by Primary Weakness

CAPEC

References (16)

URL	Tag	Source
http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt	X_refsource_confirm
http://www.securityfocus.com/bid/72494	Vdb Entry
https://github.com/krb5/krb5/commit/6609658db0799053fbef0d7d0aa2f1fd68ef32d8	X_refsource_confirm

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html	2020-01-21
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html	2020-01-21
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html	2020-01-21
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html	2020-01-21
http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html	2020-01-21
http://rhn.redhat.com/errata/RHSA-2015-0439.html	2020-01-21
http://rhn.redhat.com/errata/RHSA-2015-0794.html	2020-01-21
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt	2020-01-21
http://www.debian.org/security/2015/dsa-3153	2020-01-21
http://www.mandriva.com/security/advisories?name=MDVSA-2015:069	2020-01-21
http://www.ubuntu.com/usn/USN-2498-1	2020-01-21
https://access.redhat.com/security/cve/CVE-2014-9422	2015-04-09
https://bugzilla.redhat.com/show_bug.cgi?id=1179861	2015-04-09

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.11 Search vendor "Mit" for product "Kerberos 5" and version "1.11"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.11.1 Search vendor "Mit" for product "Kerberos 5" and version "1.11.1"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.11.2 Search vendor "Mit" for product "Kerberos 5" and version "1.11.2"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.11.3 Search vendor "Mit" for product "Kerberos 5" and version "1.11.3"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.11.4 Search vendor "Mit" for product "Kerberos 5" and version "1.11.4"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.11.5 Search vendor "Mit" for product "Kerberos 5" and version "1.11.5"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.12 Search vendor "Mit" for product "Kerberos 5" and version "1.12"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.12.1 Search vendor "Mit" for product "Kerberos 5" and version "1.12.1"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.12.2 Search vendor "Mit" for product "Kerberos 5" and version "1.12.2"		-		Affected
Mit Search vendor "Mit"		Kerberos 5 Search vendor "Mit" for product "Kerberos 5"				1.13 Search vendor "Mit" for product "Kerberos 5" and version "1.13"		-		Affected