The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request.

The remote Solaris system is missing necessary patches to address security updates :

  - The prep_reprocess_req function in do_tgs_req.c in the     Key Distribution Center (KDC) in MIT Kerberos 5 (aka     krb5) before 1.10.5 does not properly perform     service-principal realm referral, which allows remote     authenticated users to cause a denial of service (NULL     pointer dereference and daemon crash) via a crafted     TGS-REQ request. (CVE-2013-1416)

The remote OracleVM system is missing necessary patches to address critical security updates :

  - actually apply that last patch

  - incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345,     #1128157)

  - ksu: when evaluating .k5users, don't throw away data     from .k5users when we're not passed a command to run,     which implicitly means we're attempting to run the     target user's shell (#1026721, revised)

  - ksu: when evaluating .k5users, treat lines with just a     principal name as if they contained the principal name     followed by '*', and don't throw away data from .k5users     when we're not passed a command to run, which implicitly     means we're attempting to run the target user's shell     (#1026721, revised)

  - gssapi: pull in upstream fix for a possible NULL     dereference in spnego (CVE-2014-4344, #1121510)

  - gssapi: pull in proposed-and-accepted fix for a double     free in initiators (David Woodhouse, CVE-2014-4343,     #1121510)

  - correct a type mistake in the backported fix for     (CVE-2013-1418, CVE-2013-6800)

  - pull in backported fix for denial of service by     injection of malformed GSSAPI tokens (CVE-2014-4341,     CVE-2014-4342, #1121510)

  - incorporate backported patch for remote crash of KDCs     which serve multiple realms simultaneously (RT#7756,     CVE-2013-1418/CVE-2013-6800, more of

  - pull in backport of patch to not subsequently always     require that responses come from master KDCs if we get     one from a master somewhere along the way while chasing     referrals (RT#7650, #1113652)

  - ksu: if the -e flag isn't used, use the target user's     shell when checking for authorization via the target     user's .k5users file (#1026721)

  - define _GNU_SOURCE in files where we use EAI_NODATA, to     make sure that it's declared (#1059730)

  - spnego: pull in patch from master to restore preserving     the OID of the mechanism the initiator requested when we     have multiple OIDs for the same mechanism, so that we     reply using the same mechanism OID and the initiator     doesn't get confused (#1087068, RT#7858)

  - add patch from Jatin Nansi to avoid attempting to clear     memory at the NULL address if krb5_encrypt_helper     returns an error when called from encrypt_credencpart     (#1055329, pull #158)

  - drop patch to add additional access checks to ksu - they     shouldn't be resulting in any benefit

  - apply patch from Nikolai Kondrashov to pass a default     realm set in /etc/sysconfig/krb5kdc to the     kdb_check_weak helper, so that it doesn't produce an     error if there isn't one set in krb5.conf (#1009389)

  - packaging: don't Obsoletes: older versions of     krb5-pkinit-openssl and virtual Provide:
    krb5-pkinit-openssl on EL6, where we don't need to     bother with any of that (#1001961)

  - pkinit: backport tweaks to avoid trying to call the     prompter callback when one isn't set (part of #965721)

  - pkinit: backport the ability to use a prompter callback     to prompt for a password when reading private keys (the     rest of #965721)

  - backport fix to not spin on a short read when reading     the length of a response over TCP (RT#7508, #922884)

  - backport fix for trying all compatible keys when not     being strict about acceptor names while reading AP-REQs     (RT#7883, #1070244)

  - backport fix for not being able to verify the list of     transited realms in GSS acceptors (RT#7639, #959685)

  - pull fix for keeping track of the message type when     parsing FAST requests in the KDC (RT#7605, #951965)

  - incorporate upstream patch to fix a NULL pointer     dereference while processing certain TGS requests     (CVE-2013-1416, #950343)

  - incorporate upstream patch to fix a NULL pointer     dereference when the client supplies an     otherwise-normal-looking PKINIT request (CVE-2013-1415,     #917910)

  - add patch to avoid dereferencing a NULL pointer in the     KDC when handling a draft9 PKINIT request (#917910,     CVE-2012-1016)

  - pull up fix for UDP ping-pong flaw in kpasswd service     (CVE-2002-2443, 

  - don't leak the memory used to hold the previous entry     when walking a keytab to figure out which kinds of keys     we have (#911147)

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2310-1 advisory.

    It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker     could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only     affected Ubuntu 12.04 LTS. (CVE-2012-1016)

    It was discovered that Kerberos incorrectly handled certain malformed KRB5_PADATA_PK_AS_REQ AS-REQ     requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of     service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1415)

    It was discovered that Kerberos incorrectly handled certain crafted TGS-REQ requests. A remote     authenticated attacker could use this issue to cause the daemon to crash, resulting in a denial of     service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1416)

    It was discovered that Kerberos incorrectly handled certain crafted requests when multiple realms were     configured. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of     service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1418, CVE-2013-6800)

    It was discovered that Kerberos incorrectly handled certain invalid tokens. If a remote attacker were able     to perform a machine-in-the-middle attack, this flaw could be used to cause the daemon to crash, resulting     in a denial of service. (CVE-2014-4341, CVE-2014-4342)

    It was discovered that Kerberos incorrectly handled certain mechanisms when used with SPNEGO. If a remote     attacker were able to perform a machine-in-the-middle attack, this flaw could be used to cause clients to     crash, resulting in a denial of service. (CVE-2014-4343)

    It was discovered that Kerberos incorrectly handled certain continuation tokens during SPNEGO     negotiations. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial     of service. (CVE-2014-4344)

    Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon incorrectly handled buffers when     used with the LDAP backend. A remote attacker could use this issue to cause the daemon to crash, resulting     in a denial of service, or possibly execute arbitrary code. (CVE-2014-4345)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

- fix prep_reprocess_req NULL pointer deref CVE-2013-1416     (bnc#816413)     bug-816413-CVE-2013-1416-prep_reprocess_req-NULL-ptr-der     ef.dif

The remote host is affected by the vulnerability described in GLSA-201312-12 (MIT Kerberos 5: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in the Key Distribution       Center in MIT Kerberos 5. Please review the CVE identifiers referenced       below for details.
  Impact :

    A remote attacker could send a specially crafted request, possibly       resulting in execution of arbitrary code with the privileges of the       process or a Denial of Service condition. Additionally, a remote attacker       could impersonate a kadmind server and send a specially crafted packet to       the password change port, which can result in a ping-pong condition and a       Denial of Service condition.
  Workaround :

    There is no known workaround at this time.

A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416)

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2013-0748 advisory.

    [1.10.3-10.2]
    - incorporate upstream patch to fix a NULL pointer dereference while processing       certain TGS requests (CVE-2013-1416, #950342)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A vulnerability has been discovered and corrected in krb5 :

The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request (CVE-2013-1416).

The updated packages have been patched to correct this issue.

These updates incorporate the upstream patch for a NULL pointer dereference in the KDC which could occur while processing certain TGS requests (CVE-2013-1416).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having moderate security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416)

All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed certain TGS (Ticket-granting Server) requests. A remote, authenticated attacker could use this flaw to crash the KDC via a specially crafted TGS request. (CVE-2013-1416)

After installing the updated packages, the krb5kdc daemon will be restarted automatically.

The remote Redhat Enterprise Linux 6 host has packages installed that are affected by a vulnerability as referenced in the RHSA-2013:0748 advisory.

  - krb5: NULL pointer dereference (DoS, KDC crash) by processing certain TGS requests (CVE-2013-1416)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

ID	Name	Product	Family	Severity
80651	Oracle Solaris Third-Party Patch Update : kerberos (cve_2013_1416_denial_of)	Nessus	Solaris Local Security Checks	medium
79549	OracleVM 3.3 : krb5 (OVMSA-2014-0034)	Nessus	OracleVM Local Security Checks	high
77147	Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2310-1)	Nessus	Ubuntu Local Security Checks	critical
74989	openSUSE Security Update : krb5 (openSUSE-SU-2013:0904-1)	Nessus	SuSE Local Security Checks	medium
71487	GLSA-201312-12 : MIT Kerberos 5: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	high
69741	Amazon Linux AMI : krb5 (ALAS-2013-182)	Nessus	Amazon Linux Local Security Checks	medium
68810	Oracle Linux 6 : krb5 (ELSA-2013-0748)	Nessus	Oracle Linux Local Security Checks	medium
66285	Mandriva Linux Security Advisory : krb5 (MDVSA-2013:158)	Nessus	Mandriva Local Security Checks	medium
66008	Fedora 17 : krb5-1.10.2-10.fc17 (2013-5286)	Nessus	Fedora Local Security Checks	medium
66007	Fedora 18 : krb5-1.10.3-15.fc18 (2013-5280)	Nessus	Fedora Local Security Checks	medium
66001	CentOS 6 : krb5 (CESA-2013:0748)	Nessus	CentOS Local Security Checks	medium
65993	Scientific Linux Security Update : krb5 on SL6.x i386/x86_64 (20130416)	Nessus	Scientific Linux Local Security Checks	medium
65992	RHEL 6 : krb5 (RHSA-2013:0748)	Nessus	Red Hat Local Security Checks	medium

Detections

Analytics

CVE-2013-1416

medium

Tenable Plugins

medium

high

critical

medium

high

medium

medium

medium

medium

medium

medium

medium

medium