A flaw was found in pam_krb5. In some non-default configurations (specifically, those where pam_krb5 would be the first module to prompt for a password), the text of the password prompt varied based on whether or not the username provided was a username known to the system. A remote attacker could use this flaw to recognize valid usernames, which would aid a dictionary-based password guess attack.
(CVE-2009-1384)

This update also fixes the following bugs :

  - certain applications which do not properly implement PAM     conversations may fail to authenticate users whose     passwords have expired and must be changed, or may     succeed without forcing the user's password to be     changed. This bug is triggered by a previously-applied     fix to pam_krb5 which makes it comply more closely to     PAM specifications. If an application misbehaves,     enabling the 'chpw_prompt' option for its service should     restore the old behavior. (BZ#509092)

  - pam_krb5 does not allow the user to change an expired     password in cases where the Key Distribution Center     (KDC) is configured to refuse attempts to obtain     forwardable password-changing credentials. This update     fixes this issue. (BZ#489015)

  - failure to verify TGT because of wrong keytab handling.
    (BZ#450776)

This updates the pam_krb5 package from version 2.3.2 to 2.3.5, fixing CVE-2009-1384: in certain configurations, the password prompt could vary depending on whether or not the user account was known to the system or the KDC. It also fixes a bug which prevented password change attempts from working if the KDC denied requests for password-changing credentials with settings which would be used for login credentials, and makes the '-n' option for the 'afs5log' command work as advertised.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

a. Service Console update for COS kernel

   Updated COS package 'kernel' addresses the security issues that are    fixed through versions 2.6.18-164.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-2695, CVE-2009-2908, CVE-2009-3228,    CVE-2009-3286, CVE-2009-3547, CVE-2009-3613 to the security issues    fixed in kernel 2.6.18-164.6.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2009-3612, CVE-2009-3620, CVE-2009-3621,    CVE-2009-3726 to the security issues fixed in kernel 2.6.18-164.9.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2007-4567, CVE-2009-4536, CVE-2009-4537,    CVE-2009-4538 to the security issues fixed in kernel 2.6.18-164.10.1

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2006-6304, CVE-2009-2910, CVE-2009-3080,    CVE-2009-3556, CVE-2009-3889, CVE-2009-3939, CVE-2009-4020,    CVE-2009-4021, CVE-2009-4138, CVE-2009-4141, and CVE-2009-4272 to    the security issues fixed in kernel 2.6.18-164.11.1.

b. ESXi userworld update for ntp

   The Network Time Protocol (NTP) is used to synchronize the time of    a computer client or server to another server or reference time    source.

   A vulnerability in ntpd could allow a remote attacker to cause a    denial of service (CPU and bandwidth consumption) by using    MODE_PRIVATE to send a spoofed (1) request or (2) response packet    that triggers a continuous exchange of MODE_PRIVATE error responses    between two NTP daemons.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-3563 to this issue.

c. Service Console package openssl updated to 0.9.8e-12.el5_4.1

   OpenSSL is a toolkit implementing SSL v2/v3 and TLS protocols with    full-strength cryptography world-wide.

   A memory leak in the zlib could allow a remote attacker to cause a    denial of service (memory consumption) via vectors that trigger    incorrect calls to the CRYPTO_cleanup_all_ex_data function.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-4355 to this issue.

   A vulnerability was discovered which may allow remote attackers to    spoof certificates by using MD2 design flaws to generate a hash    collision in less than brute-force time. NOTE: the scope of this    issue is currently limited because the amount of computation    required is still large.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-2409 to this issue.

   This update also includes security fixes that were first addressed    in version openssl-0.9.8e-12.el5.i386.rpm.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the names CVE-2009-0590, CVE-2009-1377, CVE-2009-1378,    CVE-2009-1379, CVE-2009-1386 and CVE-2009-1387 to these issues.

d. Service Console update for krb5 to 1.6.1-36.el5_4.1 and pam_krb5 to    2.2.14-15.

   Kerberos is a network authentication protocol. It is designed to    provide strong authentication for client/server applications by    using secret-key cryptography.

   Multiple integer underflows in the AES and RC4 functionality in the    crypto library could allow remote attackers to cause a denial of    service (daemon crash) or possibly execute arbitrary code by    providing ciphertext with a length that is too short to be valid.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-4212 to this issue.

   The service console package for pam_krb5 is updated to version    pam_krb5-2.2.14-15. This update fixes a flaw found in pam_krb5. In    some non-default configurations (specifically, where pam_krb5 would    be the first module to prompt for a password), a remote attacker    could use this flaw to recognize valid usernames, which would aid a    dictionary-based password guess attack.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-1384 to this issue.

e. Service Console package bind updated to 9.3.6-4.P1.el5_4.2

   BIND (Berkeley Internet Name Daemon) is by far the most widely used    Domain Name System (DNS) software on the Internet.

   A vulnerability was discovered which could allow remote attacker to    add the Authenticated Data (AD) flag to a forged NXDOMAIN response    for an existing domain.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0097 to this issue.

   A vulnerability was discovered which could allow remote attackers    to conduct DNS cache poisoning attacks by receiving a recursive    client query and sending a response that contains CNAME or DNAME    records, which do not have the intended validation before caching.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0290 to this issue.

   A vulnerability was found in the way that bind handles out-of-    bailiwick data accompanying a secure response without re-fetching    from the original source, which could allow remote attackers to    have an unspecified impact via a crafted response.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0382 to this issue.

   NOTE: ESX does not use the BIND name service daemon by default.

f. Service Console package gcc updated to 3.2.3-60

   The GNU Compiler Collection includes front ends for C, C++,    Objective-C, Fortran, Java, and Ada, as well as libraries for these    languages

   GNU Libtool's ltdl.c attempts to open .la library files in the    current working directory.  This could allow a local user to gain    privileges via a Trojan horse file.  The GNU C Compiler collection    (gcc) provided in ESX contains a statically linked version of the    vulnerable code, and is being replaced.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2009-3736 to this issue.

g. Service Console package gzip update to 1.3.3-15.rhel3

   gzip is a software application used for file compression

   An integer underflow in gzip's unlzw function on 64-bit platforms    may allow a remote attacker to trigger an array index error    leading to a denial of service (application crash) or possibly    execute arbitrary code via a crafted LZW compressed file.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0001 to this issue.

h. Service Console package sudo updated to 1.6.9p17-6.el5_4

   Sudo (su 'do') allows a system administrator to delegate authority    to give certain users (or groups of users) the ability to run some    (or all) commands as root or another user while providing an audit    trail of the commands and their arguments.

   When a pseudo-command is enabled, sudo permits a match between the    name of the pseudo-command and the name of an executable file in an    arbitrary directory, which allows local users to gain privileges    via a crafted executable file.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0426 to this issue.

   When the runas_default option is used, sudo does not properly set    group memberships, which allows local users to gain privileges via    a sudo command.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-0427 to this issue.

The remote Oracle Linux 5 host has a package installed that is affected by a vulnerability as referenced in the ELSA-2010-0258 advisory.

  - pam_krb5 2.2.14 through 2.3.4, as used in Red Hat Enterprise Linux (RHEL) 5, generates different password     prompts depending on whether the user account exists, which allows remote attackers to enumerate valid     usernames. (CVE-2009-1384)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several third-party components and libraries :

  - Apache Tomcat 
  - Apache Tomcat Manager
  - cURL 
  - Java Runtime Environment (JRE)
  - Kernel 
  - Microsoft SQL Express
  - OpenSSL
  - pam_krb5

The remote VMware ESX / ESXi host is missing a security-related patch.
It is, therefore, affected by multiple vulnerabilities, including remote code execution vulnerabilities, in several components and third-party libraries :

  - libpng
  - VMnc Codec
  - vmrun
  - VMware Remote Console (VMrc)
  - VMware Tools
  - vmware-authd

This updates the pam_krb5 package from version 2.3.4 to 2.3.5, fixing CVE-2009-1384: in certain configurations, the password prompt could vary depending on whether or not the user account was known to the system or the KDC.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

This updates the pam_krb5 package from version 2.3.2 to 2.3.5, fixing CVE-2009-1384: in certain configurations, the password prompt could vary depending on whether or not the user account was known to the system or the KDC. It also fixes a bug which prevented password change attempts from working if the KDC denied requests for password-changing credentials with settings which would be used for login credentials.

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Pam_krb5 2.2.14 through 2.3.4 generates different password prompts depending on whether the user account exists, which allows remote attackers to enumerate valid usernames (CVE-2009-1384).

This update provides the version 2.3.5 of pam_krb5, which is not vulnerable to this issue.

a. vCenter Server and vCenter Update Manager update Microsoft    SQL Server 2005 Express Edition to Service Pack 3

   Microsoft SQL Server 2005 Express Edition (SQL Express)    distributed with vCenter Server 4.1 Update 1 and vCenter Update    Manager 4.1 Update 1 is upgraded from  SQL Express Service Pack 2    to SQL Express Service Pack 3, to address multiple security    issues that exist in the earlier releases of Microsoft SQL Express.

   Customers using other database solutions need not update for    these issues.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-5416, CVE-2008-0085, CVE-2008-0086,    CVE-2008-0107 and CVE-2008-0106 to the issues addressed in MS SQL    Express Service Pack 3.

b. vCenter Apache Tomcat Management Application Credential Disclosure

   The Apache Tomcat Manager application configuration file contains    logon credentials that can be read by unprivileged local users.

   The issue is resolved by removing the Manager application in    vCenter 4.1 Update 1.

   If vCenter 4.1 is updated to vCenter 4.1 Update 1 the logon    credentials are not present in the configuration file after the    update.

   VMware would like to thank Claudio Criscione of Secure Networking    for reporting this issue to us.

   The Common Vulnerabilities and Exposures Project (cve.mitre.org)    has assigned the name CVE-2010-2928 to this issue.

c. vCenter Server and ESX, Oracle (Sun) JRE is updated to version    1.6.0_21

   Oracle (Sun) JRE update to version 1.6.0_21, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Oracle (Sun) JRE 1.6.0_19: CVE-2009-3555, CVE-2010-0082,    CVE-2010-0084, CVE-2010-0085, CVE-2010-0087, CVE-2010-0088,    CVE-2010-0089, CVE-2010-0090, CVE-2010-0091, CVE-2010-0092,    CVE-2010-0093, CVE-2010-0094, CVE-2010-0095, CVE-2010-0837,    CVE-2010-0838, CVE-2010-0839, CVE-2010-0840, CVE-2010-0841,    CVE-2010-0842, CVE-2010-0843, CVE-2010-0844, CVE-2010-0845,    CVE-2010-0846, CVE-2010-0847, CVE-2010-0848, CVE-2010-0849,    CVE-2010-0850.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following name to the security issue fixed in    Oracle (Sun) JRE 1.6.0_20: CVE-2010-0886.

d. vCenter Update Manager Oracle (Sun) JRE is updated to version   1.5.0_26

   Oracle (Sun) JRE update to version 1.5.0_26, which addresses    multiple security issues that existed in earlier releases of    Oracle (Sun) JRE.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Oracle (Sun) JRE 1.5.0_26: CVE-2010-3556, CVE-2010-3566,    CVE-2010-3567, CVE-2010-3550, CVE-2010-3561, CVE-2010-3573,    CVE-2010-3565,CVE-2010-3568, CVE-2010-3569,  CVE-2009-3555,    CVE-2010-1321, CVE-2010-3548, CVE-2010-3551, CVE-2010-3562,    CVE-2010-3571, CVE-2010-3554, CVE-2010-3559, CVE-2010-3572,    CVE-2010-3553, CVE-2010-3549, CVE-2010-3557, CVE-2010-3541,    CVE-2010-3574.

e. vCenter Server and ESX Apache Tomcat updated to version 6.0.28

   Apache Tomcat updated to version 6.0.28, which addresses multiple    security issues that existed in earlier releases of Apache Tomcat

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Apache Tomcat 6.0.24: CVE-2009-2693, CVE-2009-2901, CVE-2009-2902,i    and CVE-2009-3548.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the following names to the security issues fixed in    Apache Tomcat 6.0.28: CVE-2010-2227, CVE-2010-1157.

f. vCenter Server third-party component OpenSSL updated to version    0.9.8n

   The version of the OpenSSL library in vCenter Server is updated to    0.9.8n.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-0740 and CVE-2010-0433 to the    issues addressed in this version of OpenSSL.

g. ESX third-party component OpenSSL updated to version 0.9.8p

   The version of the ESX OpenSSL library is updated to 0.9.8p.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-3864 and CVE-2010-2939 to the    issues addressed in this update.

h. ESXi third-party component cURL updated

   The version of cURL library in ESXi is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the name CVE-2010-0734 to the issues addressed in    this update.

i. ESX third-party component pam_krb5 updated

   The version of pam_krb5 library is updated.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2008-3825 and CVE-2009-1384 to the    issues addressed in the update.

j. ESX third-party update for Service Console kernel

   The Service Console kernel is updated to include kernel version    2.6.18-194.11.1.

   The Common Vulnerabilities and Exposures project (cve.mitre.org)    has assigned the names CVE-2010-1084, CVE-2010-2066, CVE-2010-2070,    CVE-2010-2226, CVE-2010-2248, CVE-2010-2521, CVE-2010-2524,    CVE-2010-0008, CVE-2010-0415, CVE-2010-0437, CVE-2009-4308,    CVE-2010-0003, CVE-2010-0007, CVE-2010-0307, CVE-2010-1086,    CVE-2010-0410, CVE-2010-0730, CVE-2010-1085, CVE-2010-0291,    CVE-2010-0622, CVE-2010-1087, CVE-2010-1173, CVE-2010-1437,    CVE-2010-1088, CVE-2010-1187, CVE-2010-1436, CVE-2010-1641, and    CVE-2010-3081 to the issues addressed in the update.

   Notes :
   - The update also addresses the 64-bit compatibility mode    stack pointer underflow issue identified by CVE-2010-3081. This    issue was patched in an ESX 4.1 patch prior to the release of    ESX 4.1 Update 1 and in a previous ESX 4.0 patch release.
   - The update also addresses CVE-2010-2240 for ESX 4.0.

Updated pam_krb5 packages that fix one security issue and various bugs are now available for Red Hat Enterprise Linux 5.

The Red Hat Security Response Team has rated this update as having low security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

The pam_krb5 module allows Pluggable Authentication Modules (PAM) aware applications to use Kerberos to verify user identities by obtaining user credentials at log in time.

A flaw was found in pam_krb5. In some non-default configurations (specifically, those where pam_krb5 would be the first module to prompt for a password), the text of the password prompt varied based on whether or not the username provided was a username known to the system. A remote attacker could use this flaw to recognize valid usernames, which would aid a dictionary-based password guess attack.
(CVE-2009-1384)

This update also fixes the following bugs :

* certain applications which do not properly implement PAM conversations may fail to authenticate users whose passwords have expired and must be changed, or may succeed without forcing the user's password to be changed. This bug is triggered by a previously-applied fix to pam_krb5 which makes it comply more closely to PAM specifications. If an application misbehaves, enabling the 'chpw_prompt' option for its service should restore the old behavior.
(BZ#509092)

* pam_krb5 does not allow the user to change an expired password in cases where the Key Distribution Center (KDC) is configured to refuse attempts to obtain forwardable password-changing credentials. This update fixes this issue. (BZ#489015)

* failure to verify TGT because of wrong keytab handling. (BZ#450776)

Users of pam_krb5 are advised to upgrade to these updated packages, which resolve these issues.

ID	Name	Product	Family	Published	Updated	Severity
60772	Scientific Linux Security Update : pam_krb5 on SL5.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	8/1/2012	1/14/2021	medium
39541	Fedora 9 : pam_krb5-2.3.5-1.fc9 (2009-6279)	Nessus	Fedora Local Security Checks	6/28/2009	1/11/2021	medium
46765	VMSA-2010-0009 : ESXi ntp and ESX Service Console third-party updates	Nessus	VMware ESX Local Security Checks	6/1/2010	1/6/2021	high
181070	Oracle Linux 5 : pam_krb5 (ELSA-2010-0258)	Nessus	Oracle Linux Local Security Checks	9/7/2023	9/7/2023	medium
89674	VMware ESX / ESXi Third-Party Libraries Multiple Vulnerabilities (VMSA-2011-0003) (remote check)	Nessus	Misc.	3/4/2016	5/25/2022	high
89740	VMware ESX / ESXi Third-Party Libraries and Components (VMSA-2010-0009) (remote check)	Nessus	VMware ESX Local Security Checks	3/8/2016	1/6/2021	critical
39539	Fedora 11 : pam_krb5-2.3.5-1.fc11 (2009-5983)	Nessus	Fedora Local Security Checks	6/28/2009	1/11/2021	medium
39540	Fedora 10 : pam_krb5-2.3.5-1.fc10 (2009-6255)	Nessus	Fedora Local Security Checks	6/28/2009	1/11/2021	medium
44989	Mandriva Linux Security Advisory : pam_krb5 (MDVSA-2010:054)	Nessus	Mandriva Local Security Checks	3/5/2010	1/6/2021	medium
51971	VMSA-2011-0003 : Third-party component updates for VMware vCenter Server, vCenter Update Manager, ESXi and ESX	Nessus	VMware ESX Local Security Checks	2/14/2011	5/25/2022	high
46287	RHEL 5 : pam_krb5 (RHSA-2010:0258)	Nessus	Red Hat Local Security Checks	5/11/2010	1/14/2021	medium

Detections

Analytics

Plugins Search

medium

medium

high

medium

high

critical

medium

medium

medium

high

medium