CVE-2002-2443 — Improper Input Validation in Kerberos 5

CWE-20 — Improper Input Validation10 documents8 sources

Severity

5.0MEDIUMNVD

EPSS

15.0%

top 5.42%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

MIT Krb5 MIT Kerberos 5 Canonical Ubuntu Linux +8 more

Timeline

PublishedMay 29

Latest updateApr 30

Description

schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1.11.3 does not properly validate UDP packets before sending responses, which allows remote attackers to cause a denial of service (CPU and bandwidth consumption) via a forged packet that triggers a communication loop, as demonstrated by krb_pingpong.nasl, a related issue to CVE-1999-0103.

CVSS vector

AV:N/AC:L/C:N/I:N/A:PExploitability: 10.0 | Impact: 2.9

Affected Packages7 packages

▶NVDmit/kerberos_5< 1.11.3

▶Debianmit/krb5< 1.10.1+dfsg-6+3

▶Ubuntumit/krb5< 1.12+dfsg-2ubuntu5.2

▶NVDopensuse/opensuse11.4, 12.2, 12.3+2

▶NVDredhat/enterprise_linux_server5.0, 6.0+1

Also affects: Debian Linux 6.0, 7.0, 8.0, Fedora 17, 18, 19, Ubuntu Linux 12.04, 14.04, 15.04, 15.10, Enterprise Linux 5.9, 6.4

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

GHSA-cqf2-6q6w-6cqw: schpw↗2022-04-30

▶

OSV

krb5 vulnerabilities↗2015-11-12

▶

OSV

CVE-2002-2443: schpw↗2013-05-29

▶

CVEList

CVE-2002-2443: schpw↗2013-05-29

▶

📋Vendor Advisories

Ubuntu

Kerberos vulnerabilities↗2015-11-12

▶

Red Hat

krb5: UDP ping-pong flaw in kpasswd↗2002-06-16

▶

Debian

CVE-2002-2443: krb5 - schpw.c in the kpasswd service in kadmind in MIT Kerberos 5 (aka krb5) before 1....↗2002

▶

💬Community

Bugzilla

CVE-2002-2443 krb5: UDP ping-pong flaw in kpasswd↗2013-05-13

▶

Bugzilla

CVE-2002-2443 krb5: UDP ping-pong flaw in kpasswd [fedora-all]↗2013-05-13

▶