Updated krb5 packages that fix one security issue are now available for Red Hat Enterprise Linux 6.

The Red Hat Security Response Team has rated this update as having important security impact. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available from the CVE link in the References section.

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC). The Public Key Cryptography for Initial Authentication in Kerberos (PKINIT) capability provides support for using public-key authentication with Kerberos.

A double-free flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ), when the KDC was configured to provide the PKINIT capability. A remote attacker could use this flaw to cause the KDC daemon to abort by using a specially crafted AS-REQ request. (CVE-2011-0284)

All krb5 users should upgrade to these updated packages, which contain a backported patch to correct this issue. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

This update incorporates upstream fixes for a double-free in the KDC which could occur if the KDC needed to send back typed-data along with an error (MITKRB5-SA-2011-003, CVE-2011-0284).

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

An advisory published by the MIT Kerberos team says :

The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult).

An unauthenticated remote attacker can induce a double-free event, causing the KDC daemon to crash (denial of service), or to execute arbitrary code. Exploiting a double-free event to execute arbitrary code is believed to be difficult.

A double-free issue in kdc when PKINIT is enabled allowed remote attackers to crash the daemon or potentially execute arbitrary code (CVE-2011-0284).

The remote Solaris system is missing necessary patches to address security updates :

  - The merge_authdata function in kdc_authdata.c in the Key     Distribution Center (KDC) in MIT Kerberos 5 (aka krb5)     1.8.x before 1.8.4 does not properly manage an index     into an authorization-data list, which allows remote     attackers to cause a denial of service (daemon crash),     or possibly obtain sensitive information, spoof     authorization, or execute arbitrary code, via a TGS     request that triggers an uninitialized pointer     dereference, as demonstrated by a request from a Windows     Active Directory client. (CVE-2010-1322)

  - MIT Kerberos 5 (aka krb5) 1.3.x, 1.4.x, 1.5.x, 1.6.x,     1.7.x, and 1.8.x through 1.8.3 does not properly     determine the acceptability of checksums, which might     allow remote attackers to modify user-visible prompt     text, modify a response to a Key Distribution Center     (KDC), or forge a KRB-SAFE message via certain checksums     that (1) are unkeyed or (2) use RC4 keys.
    (CVE-2010-1323)

  - MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x through 1.8.3     does not properly determine the acceptability of     checksums, which might allow remote attackers to forge     GSS tokens, gain privileges, or have unspecified other     impact via (1) an unkeyed checksum, (2) an unkeyed PAC     checksum, or (3) a KrbFastArmoredReq checksum based on     an RC4 key. (CVE-2010-1324)

  - MIT Kerberos 5 (aka krb5) 1.8.x through 1.8.3 does not     reject RC4 key-derivation checksums, which might allow     remote authenticated users to forge a (1) AD-SIGNEDPATH     or (2) AD-KDC-ISSUED signature, and possibly gain     privileges, by leveraging the small key space that     results from certain one-byte stream-cipher operations.
    (CVE-2010-4020)

  - The Key Distribution Center (KDC) in MIT Kerberos 5 (aka     krb5) 1.7 does not properly restrict the use of TGT     credentials for armoring TGS requests, which might allow     remote authenticated users to impersonate a client by     rewriting an inner request, aka a 'KrbFastReq forgery     issue.' (CVE-2010-4021)

  - Double free vulnerability in the prepare_error_as     function in do_as_req.c in the Key Distribution Center     (KDC) in MIT Kerberos 5 (aka krb5) 1.7 through 1.9, when     the PKINIT feature is enabled, allows remote attackers     to cause a denial of service (daemon crash) or possibly     execute arbitrary code via an e_data field containing     typed data. (CVE-2011-0284)

The remote host is affected by the vulnerability described in GLSA-201201-13 (MIT Kerberos 5: Multiple vulnerabilities)

    Multiple vulnerabilities have been discovered in MIT Kerberos 5. Please       review the CVE identifiers referenced below for details.
  Impact :

    A remote attacker may be able to execute arbitrary code with the       privileges of the administration daemon or the Key Distribution Center       (KDC) daemon, cause a Denial of Service condition, or possibly obtain       sensitive information. Furthermore, a remote attacker may be able to       spoof Kerberos authorization, modify KDC responses, forge user data       messages, forge tokens, forge signatures, impersonate a client, modify       user-visible prompt text, or have other unspecified impact.
  Workaround :

    There is no known workaround at this time.

The remote Oracle Linux 6 host has packages installed that are affected by a vulnerability as referenced in the ELSA-2011-0356 advisory.

    - add revised upstream patch to fix double-free in KDC while returning       typed-data with errors (CVE-2011-0284, #681564)

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

A vulnerability was discovered and corrected in krb5 :

The MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled, resulting in daemon crash or arbitrary code execution (which is believed to be difficult) (CVE-2011-0284).

The updated packages have been patched to correct this issue.

Cameron Meadors discovered that the MIT Kerberos 5 Key Distribution Center (KDC) daemon is vulnerable to a double-free condition if the Public Key Cryptography for Initial Authentication (PKINIT) capability is enabled. This could allow a remote attacker to cause a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Published	Updated	Severity
52700	RHEL 6 : krb5 (RHSA-2011:0356)	Nessus	Red Hat Local Security Checks	3/17/2011	1/14/2021	high
52964	Fedora 14 : krb5-1.8.2-9.fc14 (2011-3462)	Nessus	Fedora Local Security Checks	3/25/2011	1/11/2021	high
53443	FreeBSD : krb5 -- MITKRB5-SA-2011-003, KDC vulnerable to double-free when PKINIT enabled (7edac52a-66cd-11e0-9398-5d45f3aa24f0)	Nessus	FreeBSD Local Security Checks	4/15/2011	1/6/2021	high
53744	openSUSE Security Update : krb5 (krb5-4163)	Nessus	SuSE Local Security Checks	5/5/2011	1/14/2021	high
80653	Oracle Solaris Third-Party Patch Update : kerberos (cve_2010_1322_improper_input)	Nessus	Solaris Local Security Checks	1/19/2015	1/14/2021	medium
57655	GLSA-201201-13 : MIT Kerberos 5: Multiple vulnerabilities	Nessus	Gentoo Local Security Checks	1/24/2012	1/6/2021	medium
75883	openSUSE Security Update : krb5 (krb5-4163)	Nessus	SuSE Local Security Checks	6/13/2014	1/14/2021	high
75561	openSUSE Security Update : krb5 (krb5-4163)	Nessus	SuSE Local Security Checks	6/13/2014	1/14/2021	high
68230	Oracle Linux 6 : krb5 (ELSA-2011-0356)	Nessus	Oracle Linux Local Security Checks	7/12/2013	10/22/2024	critical
52730	Mandriva Linux Security Advisory : krb5 (MDVSA-2011:048)	Nessus	Mandriva Local Security Checks	3/21/2011	1/6/2021	high
52746	Fedora 15 : krb5-1.9-6.fc15 (2011-3547)	Nessus	Fedora Local Security Checks	3/22/2011	1/11/2021	high
52682	Ubuntu 9.10 / 10.04 LTS / 10.10 : krb5 vulnerability (USN-1088-1)	Nessus	Ubuntu Local Security Checks	3/16/2011	9/19/2019	high
52965	Fedora 13 : krb5-1.7.1-18.fc13 (2011-3464)	Nessus	Fedora Local Security Checks	3/25/2011	1/11/2021	high

Detections

Analytics

Plugins Search

high

high

high

high

medium

medium

high

high

critical

high

high

high

high