The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors.

The remote Solaris system is missing necessary patches to address security updates :

  - The krb5_ldap_lockout_audit function in the Key     Distribution Center (KDC) in MIT Kerberos 5 (aka krb5)     1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP     back end is used, allows remote attackers to cause a     denial of service (assertion failure and daemon exit)     via unspecified vectors, related to the locked_check_p     function. NOTE: the Berkeley DB vector is covered by     CVE-2011-4151. (CVE-2011-1528)

  - The lookup_lockout_policy function in the Key     Distribution Center (KDC) in MIT Kerberos 5 (aka krb5)     1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2     (aka Berkeley DB) or LDAP back end is used, allows     remote attackers to cause a denial of service (NULL     pointer dereference and daemon crash) via vectors that     trigger certain process_as_req errors. (CVE-2011-1529)

  - The krb5_db2_lockout_audit function in the Key     Distribution Center (KDC) in MIT Kerberos 5 (aka krb5)     1.8 through 1.8.4, when the db2 (aka Berkeley DB) back     end is used, allows remote attackers to cause a denial     of service (assertion failure and daemon exit) via     unspecified vectors, a different vulnerability than     CVE-2011-1528. (CVE-2011-4151)

The following issues have been fixed :

  - CVE-2011-1528: In releases krb5-1.8 and later, the KDC     can crash due to an assertion failure.

  - CVE-2011-1529: In releases krb5-1.8 and later, the KDC     can crash due to a NULL pointer dereference.

Both bugs could be triggered by unauthenticated remote attackers.
Additionally CVE-2011-1526 was fixed that allowed authenticated users to access files via krb5 ftpd they should not have access to.

The following issues have been fixed :

  - CVE-2011-1528: In releases krb5-1.8 and later, the KDC     can crash due to an assertion failure. 

  - CVE-2011-1529: In releases krb5-1.8 and later, the KDC     can crash due to a NULL pointer dereference. 

Both bugs could be triggered by unauthenticated remote attackers.
Additionally CVE-2011-1526 was fixed that allowed authenticated users to access files via krb5 ftpd they should not have access to.

From Red Hat Security Advisory 2011:1379 :

Updated krb5 packages that fix multiple security issues are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. Common Vulnerability Scoring System (CVSS) base scores, which give detailed severity ratings, are available for each vulnerability from the CVE links in the References section.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

Multiple NULL pointer dereference and assertion failure flaws were found in the MIT Kerberos KDC when it was configured to use an LDAP (Lightweight Directory Access Protocol) or Berkeley Database (Berkeley DB) back end. A remote attacker could use these flaws to crash the KDC. (CVE-2011-1527, CVE-2011-1528, CVE-2011-1529)

Red Hat would like to thank the MIT Kerberos project for reporting the CVE-2011-1527 issue. Upstream acknowledges Andrej Ota as the original reporter of CVE-2011-1527.

All krb5 users should upgrade to these updated packages, which contain a backported patch to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

Multiple vulnerabilities has been found and corrected in krb5 :

The kdb_ldap plugin in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a kinit operation with incorrect string case for the realm, related to the is_principal_in_realm, krb5_set_error_message, krb5_ldap_get_principal, and process_as_req functions (CVE-2011-1527).

The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function (CVE-2011-1528).

The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors (CVE-2011-1529).

The updated packages have been patched to correct these issues.

The remote host is affected by the vulnerability described in GLSA-201201-13 (MIT Kerberos 5: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to execute arbitrary code with the       privileges of the administration daemon or the Key Distribution Center       (KDC) daemon, cause a Denial of Service condition, or possibly obtain       sensitive information. Furthermore, a remote attacker may be able to       spoof Kerberos authorization, modify KDC responses, forge user data       messages, forge tokens, forge signatures, impersonate a client, modify       user-visible prompt text, or have other unspecified impact.
  Workaround :

    There is no known workaround at this time.

It was discovered that the Key Distribution Center (KDC) in Kerberos 5 crashes when processing certain crafted requests :

  - CVE-2011-1528     When the LDAP backend is used, remote users can trigger     a KDC daemon crash and denial of service.

  - CVE-2011-1529     When the LDAP or Berkeley DB backend is used, remote     users can trigger a NULL pointer dereference in the KDC     daemon and a denial of service.

The oldstable distribution (lenny) is not affected by these problems.

This update applies the upstream patch to fix a NULL pointer dereference wi= th the LDAP kdb backend (CVE-2011-1527, #744125), an assertion failure with= multiple kdb backends (CVE-2011-1528), and a NULL pointer dereference with= multiple kdb backends (CVE-2011-1529).
(#737711)

It also rolls up a number of mostly-minor fixes, some of which were backpor= ted from upstream to the Fedora 16 branch. The main user-visible change is= a fix for cross-realm authentication in the client libraries.
----------------------------------------------------------------------
-----=

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This update applies the upstream patch to fix a NULL pointer dereference wi= th the LDAP kdb backend (CVE-2011-1527), an assertion failure with multiple= kdb backends (CVE-2011-1528), and a NULL pointer dereference with multiple= kdb backends (CVE-2011-1529).
(#737711)

----------------------------------------------------------------------
-----=

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Multiple vulnerabilities has been found and corrected in krb5 :

The krb5_ldap_lockout_audit function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the LDAP back end is used, allows remote attackers to cause a denial of service (assertion failure and daemon exit) via unspecified vectors, related to the locked_check_p function (CVE-2011-1528).

The lookup_lockout_policy function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8 through 1.8.4 and 1.9 through 1.9.1, when the db2 (aka Berkeley DB) or LDAP back end is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via vectors that trigger certain process_as_req errors (CVE-2011-1529).

The updated packages have been patched to correct these issues.

Nalin Dahyabhai, Andrej Ota and Kyle Moffett discovered a NULL pointer dereference in the KDC LDAP backend. An unauthenticated remote attacker could use this to cause a denial of service. This issue affected Ubuntu 11.10. (CVE-2011-1527)

Mark Deneen discovered that an assert() could be triggered in the krb5_ldap_lockout_audit() function in the KDC LDAP backend and the krb5_db2_lockout_audit() function in the KDC DB2 backend. An unauthenticated remote attacker could use this to cause a denial of service. (CVE-2011-1528)

It was discovered that a NULL pointer dereference could occur in the lookup_lockout_policy() function in the KDC LDAP and DB2 backends. An unauthenticated remote attacker could use this to cause a denial of service. (CVE-2011-1529).

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2011:1379 advisory.

    Kerberos is a network authentication system which allows clients and     servers to authenticate to each other using symmetric encryption and a     trusted third-party, the Key Distribution Center (KDC).

    Multiple NULL pointer dereference and assertion failure flaws were found     in the MIT Kerberos KDC when it was configured to use an LDAP (Lightweight     Directory Access Protocol) or Berkeley Database (Berkeley DB) back end. A     remote attacker could use these flaws to crash the KDC. (CVE-2011-1527,     CVE-2011-1528, CVE-2011-1529)

    Red Hat would like to thank the MIT Kerberos project for reporting the     CVE-2011-1527 issue. Upstream acknowledges Andrej Ota as the original     reporter of CVE-2011-1527.

    All krb5 users should upgrade to these updated packages, which contain a     backported patch to correct these issues. After installing the updated     packages, the krb5kdc daemon will be restarted automatically.

Tenable has extracted the preceding description block directly from the Red Hat Enterprise Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
80650	Oracle Solaris Third-Party Patch Update : kerberos (multiple_input_validation_vulnerabilities_in)	Nessus	Solaris Local Security Checks	high
75885	openSUSE Security Update : krb5 (openSUSE-SU-2011:1169-1)	Nessus	SuSE Local Security Checks	high
75563	openSUSE Security Update : krb5 (openSUSE-SU-2011:1169-1)	Nessus	SuSE Local Security Checks	high
68372	Oracle Linux 6 : krb5 (ELSA-2011-1379)	Nessus	Oracle Linux Local Security Checks	high
61933	Mandriva Linux Security Advisory : krb5 (MDVSA-2011:159)	Nessus	Mandriva Local Security Checks	high
57655	GLSA-201201-13 : MIT Kerberos 5: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	medium
57519	Debian DSA-2379-1 : krb5 - several vulnerabilities	Nessus	Debian Local Security Checks	high
56852	Fedora 15 : krb5-1.9.1-14.fc15 (2011-14673)	Nessus	Fedora Local Security Checks	high
56851	Fedora 14 : krb5-1.8.4-3.fc14 (2011-14650)	Nessus	Fedora Local Security Checks	high
56599	Mandriva Linux Security Advisory : krb5 (MDVSA-2011:160)	Nessus	Mandriva Local Security Checks	high
56556	Ubuntu 10.04 LTS / 10.10 / 11.04 / 11.10 : krb5 vulnerabilities (USN-1233-1)	Nessus	Ubuntu Local Security Checks	high
56552	RHEL 6 : krb5 (RHSA-2011:1379)	Nessus	Red Hat Local Security Checks	high

Detections

Analytics

CVE-2011-1529

high

Tenable Plugins

high

high

high

high

high

medium

high

high

high

high

high

high