Oracle Linux 7 : krb5 (ELSA-2024-5076)

critical Nessus Plugin ID 207970

Synopsis

The remote Oracle Linux host is missing one or more security updates.

Description

The remote Oracle Linux 7 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2024-5076 advisory.

- Fix integer overflows in PAC parsing (CVE-2022-42898)
- Fix KDC null deref on TGS inner body null server (CVE-2021-37750)
- Fix flaws in LDAP DN checking (CVE-2018-5729, CVE-2018-5730)
- Fix CVE-2017-7562 (certauth eku bypass)
- Fix CVE-2017-11368 (s4u2 request assertion failures)
- Fix CVE-2016-3120
- Fix CVE-2016-3119 (LDAP NULL dereference)
- Fix CVE-2015-8631, CVE-2015-8630, and CVE-2015-8629
- the rebase to krb5 1.13.1 in version 1.13.1-0 also fixed:
- Bug 1144498 ('Fix the race condition in the libkrb5 replay cache')
- Bug 1163402 ('kdb5_ldap_util view_policy does not shows ticket flags on s390x and ppc64')
- Bug 1185770 ('Missing upstream test in krb5-1.12.2: src/tests/gssapi/t_invalid.c')
- Bug 1204211 ('CVE-2014-5355 krb5: unauthenticated denial of service in recvauth_common() and other')
- fix for CVE-2015-2694 (#1218020) 'requires_preauth bypass in PKINIT-enabled KDC'.
In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.
- fix for CVE-2014-5352 (#1179856) 'gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)'
- fix for CVE-2014-9421 (#1179857) 'kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)'
- fix for CVE-2014-9422 (#1179861) 'kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)'
- fix for CVE-2014-9423 (#1179863) 'libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)'
- fix for CVE-2014-5354 (#1174546) 'krb5: NULL pointer dereference when using keyless entries'
- fix for CVE-2014-5353 (#1174543) 'Fix LDAP misused policy name crash'
- update to 1.12.2
- drop patch for RT#7820, fixed in 1.12.2
- drop patch for #231147, fixed as RT#3277 in 1.12.2
- drop patch for RT#7818, fixed in 1.12.2
- drop patch for RT#7836, fixed in 1.12.2
- drop patch for RT#7858, fixed in 1.12.2
- drop patch for RT#7924, fixed in 1.12.2
- drop patch for RT#7926, fixed in 1.12.2
- drop patches for CVE-2014-4341/CVE-2014-4342, included in 1.12.2
- drop patch for CVE-2014-4343, included in 1.12.2
- drop patch for CVE-2014-4344, included in 1.12.2
- drop patch for CVE-2014-4345, included in 1.12.2
- incorporate fix for MITKRB5-SA-2014-001 (CVE-2014-4345)
- gssapi: pull in upstream fix for a possible NULL dereference in spnego (CVE-2014-4344)
- gssapi: pull in proposed fix for a double free in initiators (David Woodhouse, CVE-2014-4343, #1117963)
- pull in fix for denial of service by injection of malformed GSSAPI tokens (CVE-2014-4341, CVE-2014-4342, #1116181)
- update to 1.11.4
- drop patch for RT#7650, obsoleted
- drop patch for RT#7706, obsoleted as RT#7723
- drop patch for CVE-2013-1418/CVE-2013-6800, included in 1.11.4
- incorporate upstream patch for remote crash of KDCs which serve multiple realms simultaneously (RT#7756, CVE-2013-1418/CVE-2013-6800,
- update to 1.11.3
- drop patch for RT#7605, fixed in this release
- drop patch for CVE-2002-2443, fixed in this release
- drop patch for RT#7369, fixed in this release
- pull up fix for UDP ping-pong flaw in kpasswd service (CVE-2002-2443,
- add upstream patch to fix freeing an uninitialized pointer and dereferencing another uninitialized pointer in the KDC (MITKRB5-SA-2012-001, CVE-2012-1014 and CVE-2012-1015, #844779 and #844777)
- update to 1.10.1
- drop the KDC crash fix
- drop the KDC lookaside cache fix
- drop the fix for kadmind RPC ACLs (CVE-2012-1012)
- Fix string RPC ACLs (RT#7093); CVE-2012-1012
- apply upstream patch to fix a null pointer dereference when processing TGS requests (CVE-2011-1530, #753748)
- apply upstream patch to fix a null pointer dereference with the LDAP kdb backend (CVE-2011-1527, #744125), an assertion failure with multiple kdb backends (CVE-2011-1528), and a null pointer dereference with multiple kdb backends (CVE-2011-1529) (#737711)
- update to 1.9.1:
- drop no-longer-needed patches for CVE-2010-4022, CVE-2011-0281, CVE-2011-0282, CVE-2011-0283, CVE-2011-0284, CVE-2011-0285
- kadmind: add upstream patch to fix free() on an invalid pointer (#696343, MITKRB5-SA-2011-004, CVE-2011-0285)

* Mon Apr 04 2011 Nalin Dahyabhai <[email protected]>
- add revised upstream patch to fix double-free in KDC while returning typed-data with errors (MITKRB5-SA-2011-003, CVE-2011-0284, #674325)

* Thu Feb 17 2011 Nalin Dahyabhai <[email protected]>
- add upstream patches to fix standalone kpropd exiting if the per-client child process exits with an error (MITKRB5-SA-2011-001), a hang or crash in the KDC when using the LDAP kdb backend, and an uninitialized pointer use in the KDC (MITKRB5-SA-2011-002) (CVE-2010-4022, #664009, CVE-2011-0281, #668719, CVE-2011-0282, #668726, CVE-2011-0283, #676126)
- start moving to 1.9 with beta 1
- drop patches for RT#5755, RT#6762, RT#6774, RT#6775
- drop no-longer-needed backport patch for #539423
- drop no-longer-needed patch for CVE-2010-1322
- incorporate upstream patch to fix uninitialized pointer crash in the KDC's authorization data handling (CVE-2010-1322, #636335)
- update to 1.8.2
- drop patches for CVE-2010-1320, CVE-2010-1321
- add patch to correct GSSAPI library null pointer dereference which could be triggered by malformed client requests (CVE-2010-1321, #582466)
- incorporate patch to fix double-free in the KDC (CVE-2010-1320, #581922)
- update to 1.8.1
- no longer need patches for #555875, #561174, #563431, RT#6661, CVE-2010-0628
- add upstream fix for denial-of-service in SPNEGO (CVE-2010-0628, #576325)
- update to 1.8
- temporarily bundling the krb5-appl package (split upstream as of 1.8) until its package review is complete
- profile.d scriptlets are now only needed by -workstation-clients
- adjust paths in init scripts
- drop upstreamed fix for KDC denial of service (CVE-2010-0283)
- drop patch to check the user's password correctly using crypt(), which isn't a code path we hit when we're using PAM
- apply patch from upstream to fix KDC denial of service (CVE-2010-0283,
- update to 1.7.1
- don't trip AD lockout on wrong password (#542687, #554351)
- incorporates fixes for CVE-2009-4212 and CVE-2009-3295
- fixes gss_krb5_copy_ccache() when SPNEGO is used
- add upstream patch for integer underflow during AES and RC4 decryption (CVE-2009-4212), via Tom Yu (#545015)
- add upstream patch for KDC crash during referral processing (CVE-2009-3295), via Tom Yu (#545002)
- add patches for read overflow and null pointer dereference in the implementation of the SPNEGO mechanism (CVE-2009-0844, CVE-2009-0845)
- add patch for attempt to free uninitialized pointer in libkrb5 (CVE-2009-0846)
- add patch to fix length validation bug in libkrb5 (CVE-2009-0847)
- libgssapi_krb5: backport fix for some errors which can occur when we fail to set up the server half of a context (CVE-2009-0845)
- add fixes from MITKRB5-SA-2008-001 for use of null or dangling pointer when v4 compatibility is enabled on the KDC (CVE-2008-0062, CVE-2008-0063,
- add fixes from MITKRB5-SA-2008-002 for array out-of-bounds accesses when high-numbered descriptors are used (CVE-2008-0947, #433596)
- add backport bug fix for an attempt to free non-heap memory in libgssapi_krb5 (CVE-2007-5901, #415321)
- add backport bug fix for a double-free in out-of-memory situations in libgssapi_krb5 (CVE-2007-5971, #415351)
- update to 1.6.3, dropping now-integrated patches for CVE-2007-3999 and CVE-2007-4000 (the new pkinit module is built conditionally and goes into the -pkinit-openssl package, at least for now, to make a buildreq loop with openssl avoidable)
- apply the fix for CVE-2007-4000 instead of the experimental patch for setting ok-as-delegate flags
- incorporate updated fix for CVE-2007-3999 (CVE-2007-4743)
- incorporate fixes for MITKRB5-SA-2007-006 (CVE-2007-3999, CVE-2007-4000)
- incorporate fixes for MITKRB5-SA-2007-004 (CVE-2007-2442, CVE-2007-2443) and MITKRB5-SA-2007-005 (CVE-2007-2798)
- update to 1.6.1
- drop no-longer-needed patches for CVE-2007-0956, CVE-2007-0957, CVE-2007-1216
- drop patch for sendto bug in 1.6, fixed in 1.6.1

* Fri May 18 2007 Nalin Dahyabhai <[email protected]>
- add patch to correct unauthorized access via krb5-aware telnet daemon (#229782, CVE-2007-0956)
- add patch to fix buffer overflow in krb5kdc and kadmind (#231528, CVE-2007-0957)
- add patch to fix double-free in kadmind (#231537, CVE-2007-1216)

* Thu Mar 22 2007 Nalin Dahyabhai <[email protected]>
- add preliminary patch to fix buffer overflow in krb5kdc and kadmind (#231528, CVE-2007-0957)
- add preliminary patch to fix double-free in kadmind (#231537, CVE-2007-1216)

* Wed Feb 28 2007 Nalin Dahyabhai <[email protected]>
- apply fixes from Tom Yu for MITKRB5-SA-2006-002 (CVE-2006-6143) (#218456)
- apply fixes from Tom Yu for MITKRB5-SA-2006-003 (CVE-2006-6144) (#218456)
- apply patch to address MITKRB-SA-2006-001 (CVE-2006-3084)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected packages.

See Also

https://linux.oracle.com/errata/ELSA-2024-5076.html

Plugin Details

Severity: Critical

ID: 207970

File Name: oraclelinux_ELSA-2024-5076.nasl

Version: 1.3

Type: local

Agent: unix

Published: 10/1/2024

Updated: 11/2/2024

Supported Sensors: Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.2

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2024-37371

CVSS v3

Risk Factor: Critical

Base Score: 9.1

Temporal Score: 7.9

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: p-cpe:/a:oracle:linux:krb5-pkinit, p-cpe:/a:oracle:linux:krb5-server-ldap, p-cpe:/a:oracle:linux:libkadm5, p-cpe:/a:oracle:linux:krb5-workstation, cpe:/o:oracle:linux:7, cpe:/a:oracle:linux:7::latest, p-cpe:/a:oracle:linux:krb5-server, p-cpe:/a:oracle:linux:krb5-devel, cpe:/a:oracle:linux:7::optional_latest, p-cpe:/a:oracle:linux:krb5-libs, cpe:/a:oracle:linux:7:9:patch

Required KB Items: Host/OracleLinux, Host/RedHat/release, Host/RedHat/rpm-list, Host/local_checks_enabled

Exploit Ease: No known exploits are available

Patch Publication Date: 9/30/2024

Vulnerability Publication Date: 6/28/2024

Reference Information

CVE: CVE-2024-37370, CVE-2024-37371