The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.

The remote Redhat Enterprise Linux 6 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - krb5: Automatic sec context deletion could lead to double-free (CVE-2017-11462)

  - The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka     krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote     authenticated users to forge tickets by leveraging administrative access. (CVE-2014-5351)

  - lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) before 1.14 relies on an inappropriate     context handle, which allows remote attackers to cause a denial of service (incorrect pointer read and     process crash) via a crafted SPNEGO packet that is mishandled during a gss_inquire_context call.
    (CVE-2015-2695)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 5 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001) (CVE-2014-9421)

  - krb5: Automatic sec context deletion could lead to double-free (CVE-2017-11462)

  - The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka     krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote     authenticated users to forge tickets by leveraging administrative access. (CVE-2014-5351)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

The remote Redhat Enterprise Linux 7 host has one or more packages installed that are affected by multiple vulnerabilities that have been acknowledged by the vendor but will not be patched.

  - krb5: Buffer overflow in get_matching_data() (CVE-2017-15088)

  - Kerberos: delegation constrain bypass in S4U2Proxy (CVE-2020-17049)

  - The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka     krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote     authenticated users to forge tickets by leveraging administrative access. (CVE-2014-5351)

Note that Nessus has not tested for these issues but has instead relied on the package manager's report that the package is installed.

Kerberos, a system for authenticating users and services on a network, was affected by several vulnerabilities. The Common Vulnerabilities and Exposures project identifies the following issues.

CVE-2013-1418 Kerberos allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request when multiple realms are configured.

CVE-2014-5351 Kerberos sends old keys in a response to a -randkey
-keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.

CVE-2014-5353 When the KDC uses LDAP, allows remote authenticated users to cause a denial of service (daemon crash) via a successful LDAP query with no results, as demonstrated by using an incorrect object type for a password policy.

CVE-2014-5355 Kerberos expects that a krb5_read_message data field is represented as a string ending with a '\0' character, which allows remote attackers to (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '\0' character,

CVE-2016-3119 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted request to modify a principal.

CVE-2016-3120 Kerberos allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.

For Debian 7 'Wheezy', these problems have been fixed in version 1.10.1+dfsg-5+deb7u9.

We recommend that you upgrade your krb5 packages.

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

MIT kerberos krb5 was updated to fix several security issues and bugs.

Security issues fixed: CVE-2014-5351: The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) sent old keys in a response to a -randkey -keepold request, which allowed remote authenticated users to forge tickets by leveraging administrative access.

  - CVE-2014-5352: In the MIT krb5 libgssapi_krb5 library,     after gss_process_context_token() is used to process a     valid context deletion token, the caller was left with a     security context handle containing a dangling pointer.
    Further uses of this handle would have resulted in     use-after-free and double-free memory access violations.
    libgssrpc server applications such as kadmind were     vulnerable as they can be instructed to call     gss_process_context_token().

  - CVE-2014-9421: If the MIT krb5 kadmind daemon receives     invalid XDR data from an authenticated user, it may have     performed use-after-free and double-free memory access     violations while cleaning up the partial deserialization     results. Other libgssrpc server applications might also     been vulnerable if they contain insufficiently defensive     XDR functions.

  - CVE-2014-9422: The MIT krb5 kadmind daemon incorrectly     accepted authentications to two-component server     principals whose first component is a left substring of     'kadmin' or whose realm is a left prefix of the default     realm.

  - CVE-2014-9423: libgssrpc applications including kadmind     output four or eight bytes of uninitialized memory to     the network as part of an unused 'handle' field in     replies to clients.

Bugs fixed :

  - Work around replay cache creation race; (bnc#898439).

Note that Tenable Network Security has extracted the preceding description block directly from the SUSE security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Security fix for CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423 Security fix for CVE-2014-5351

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

krb5 was updated to fix five security issues.

These security issues were fixed :

  - CVE-2014-5351: current keys returned when randomizing     the keys for a service principal (bnc#897874) 

  - CVE-2014-5352: An authenticated attacker could cause a     vulnerable application (including kadmind) to crash or     to execute arbitrary code (bnc#912002).

  - CVE-2014-9421: An authenticated attacker could cause     kadmind or other vulnerable server application to crash     or to execute arbitrary code (bnc#912002).

  - CVE-2014-9422: An attacker who possess the key of a     particularly named principal (such as 'kad/root') could     impersonate any user to kadmind and perform     administrative actions as that user (bnc#912002).

  - CVE-2014-9423: An attacker could attempt to glean     sensitive information from the four or eight bytes of     uninitialized data output by kadmind or other libgssrpc     server application. Because MIT krb5 generally sanitizes     memory containing krb5 keys before freeing it, it is     unlikely that kadmind would leak Kerberos key     information, but it is not impossible (bnc#912002).

This non-security issue was fixed :

  - Work around replay cache creation race (bnc#898439).

The remote Ubuntu 14.04 LTS host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-2498-1 advisory.

    It was discovered that Kerberos incorrectly sent old keys in response to a -randkey -keepold request. An     authenticated remote attacker could use this issue to forge tickets by leveraging administrative access.
    This issue only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS. (CVE-2014-5351)

    It was discovered that the libgssapi_krb5 library incorrectly processed security context handles. A remote     attacker could use this issue to cause a denial of service, or possibly execute arbitrary code.
    (CVE-2014-5352)

    Patrik Kis discovered that Kerberos incorrectly handled LDAP queries with no results. An authenticated     remote attacker could use this issue to cause the KDC to crash, resulting in a denial of service.
    (CVE-2014-5353)

    It was discovered that Kerberos incorrectly handled creating database entries for a keyless principal when     using LDAP. An authenticated remote attacker could use this issue to cause the KDC to crash, resulting in     a denial of service. (CVE-2014-5354)

    It was discovered that Kerberos incorrectly handled memory when processing XDR data. A remote attacker     could use this issue to cause kadmind to crash, resulting in a denial of service, or possibly execute     arbitrary code. (CVE-2014-9421)

    It was discovered that Kerberos incorrectly handled two-component server principals. A remote attacker     could use this issue to perform impersonation attacks. (CVE-2014-9422)

    It was discovered that the libgssrpc library leaked uninitialized bytes. A remote attacker could use this     issue to possibly obtain sensitive information. (CVE-2014-9423)

Tenable has extracted the preceding description block directly from the Ubuntu security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The version of the Network Authentication Service (NAS) installed on the remote AIX host is affected by a vulnerability related to Kerberos 5 which allows authenticated users to retrieve current keys, which can be used to forge tickets.

The remote host is affected by the vulnerability described in GLSA-201412-53 (MIT Kerberos 5: User-assisted execution of arbitrary code)

    Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker could execute arbitrary code with the privileges of       the process or cause Denial of Service.
  Workaround :

    There is no known workaround at this time.

Updated krb5 packages fix security vulnerability :

The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access (CVE-2014-5351).

This update for krb5 fixes the following issues :

  - When randomizing the keys for a service principal,     current keys could be returned. (CVE-2014-5351)

  - klist -s crashes when handling multiple referral     entries. (bnc#890623)

Security fix for CVE-2014-5351

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
199166	RHEL 6 : krb5 (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
199152	RHEL 5 : krb5 (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
199136	RHEL 7 : krb5 (Unpatched Vulnerability)	Nessus	Red Hat Local Security Checks	critical
106536	Debian DLA-1265-1 : krb5 security update	Nessus	Debian Local Security Checks	medium
83683	SUSE SLED12 / SLES12 Security Update : krb5 (SUSE-SU-2015:0290-2)	Nessus	SuSE Local Security Checks	high
83682	SUSE SLES12 Security Update : krb5 (SUSE-SU-2015:0290-1)	Nessus	SuSE Local Security Checks	high
81705	Fedora 20 : krb5-1.11.5-18.fc20 (2015-2382)	Nessus	Fedora Local Security Checks	high
81304	openSUSE Security Update : krb5 (openSUSE-2015-128)	Nessus	SuSE Local Security Checks	high
81297	Ubuntu 14.04 LTS : Kerberos vulnerabilities (USN-2498-1)	Nessus	Ubuntu Local Security Checks	medium
81022	AIX NAS Advisory : nas_advisory2.asc	Nessus	AIX Local Security Checks	low
80328	GLSA-201412-53 : MIT Kerberos 5: User-assisted execution of arbitrary code	Nessus	Gentoo Local Security Checks	high
79411	Mandriva Linux Security Advisory : krb5 (MDVSA-2014:224)	Nessus	Mandriva Local Security Checks	low
79232	SuSE 11.3 Security Update : krb5 (SAT Patch Number 9827)	Nessus	SuSE Local Security Checks	low
78100	Fedora 21 : krb5-1.12.2-9.fc21 (2014-11940)	Nessus	Fedora Local Security Checks	low

Detections

Analytics

CVE-2014-5351

medium

Tenable Plugins

critical

critical

critical

medium

high

high

high

high

medium

low

high

low

low

low