CVE-2004-0642
published 2004-09-28CVE-2004-0642: Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT…
PriorityP335high7.5CVSS 2.0
AVNACLAuNCPIPAP
EPSS
8.26%
94.2th percentile
Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
Affected
10 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | krb5 | < krb5 1.3.4-3 (bookworm) | krb5 1.3.4-3 (bookworm) |
| mit | kerberos_5 | <= 1.3.4 | — |
| mit | krb5 | >= 0 < 1.3.4-3 | 1.3.4-3 |
| mit | krb5 | >= 0 < 1.3.4-3 | 1.3.4-3 |
| mit | krb5 | >= 0 < 1.3.4-3 | 1.3.4-3 |
| mit | krb5 | >= 0 < 1.3.4-3 | 1.3.4-3 |
| redhat | enterprise_linux_desktop | — | — |
| redhat | enterprise_linux_server | — | — |
| redhat | enterprise_linux_workstation | — | — |
CVSS provenance
nvdv2.07.5HIGHAV:N/AC:L/Au:N/C:P/I:P/A:P
osv7.5HIGH
vendor_debian7.5HIGH
vendor_redhat7.5HIGH
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Red Hat
security flaw
vendor_redhat·2004-08-31·CVSS 7.5
CVE-2004-0642 [HIGH] security flaw
security flaw
Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
Cisco
Vulnerabilities in Kerberos 5 Implementation
vendor_cisco·2004-08-31
CVE-2004-0642 Vulnerabilities in Kerberos 5 Implementation
Vulnerabilities in Kerberos 5 Implementation
Two vulnerabilities in the
Massachusetts Institute
of Technology (MIT) Kerberos 5
implementation that affect Cisco VPN 3000
Series Concentrators have been announced by the MIT Kerberos Team.
Cisco VPN 3000 Series Concentrators authenticating users against a
Kerberos Key Distribution Center (KDC) may be vulnerable to remote code
execution and to Denial of Service (DoS) attacks. Cisco has made free software
available to address these problems.
Cisco VPN 3000 Series Concentrators not authenticating users against a
Kerberos Key Distribution Center (KDC) are not impacted.
No exploitations of these vulnerabilities have been reported.
This advisory is available at
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa
Debian
CVE-2004-0642: krb5 - Double free vulnerabilities in the error handling code for ASN.1 decoders in the...
vendor_debian·2004·CVSS 7.5
CVE-2004-0642 [HIGH] CVE-2004-0642: krb5 - Double free vulnerabilities in the error handling code for ASN.1 decoders in the...
Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
Scope: local
bookworm: resolved (fixed in 1.3.4-3)
bullseye: resolved (fixed in 1.3.4-3)
forky: resolved (fixed in 1.3.4-3)
sid: resolved (fixed in 1.3.4-3)
trixie: resolved (fixed in 1.3.4-3)
Cisco
Vulnerabilities in Kerberos 5 Implementation
vendor_cisco
CVE-2004-0642 Vulnerabilities in Kerberos 5 Implementation
CVE-2004-0642: Vulnerabilities in Kerberos 5 Implementation
Two vulnerabilities in the Massachusetts Institute of Technology (MIT) Kerberos 5 implementation that affect Cisco VPN 3000 Series Concentrators have been announced by the MIT Kerberos Team. Cisco VPN 3000 Series Concentrators authenticating users against a Kerberos Key Distribution Center (KDC) may be vulnerable to remote code execution and to Denial of Service (DoS) attacks. Cisco has made free software available to address these problems. Cisco VPN 3000 Series Concentrators not authenticating users against a Kerberos Key Distribution Center (KDC) are not impacted. No exploitations of these vulnerabilities have been reported. This advisory is available at https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvis
GHSA
GHSA-9vx5-gccr-9gr3: Double free vulnerabilities in the error handling code for ASN
ghsa_unreviewed·2022-04-29
CVE-2004-0642 [HIGH] CWE-415 GHSA-9vx5-gccr-9gr3: Double free vulnerabilities in the error handling code for ASN
Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
OSV
CVE-2004-0642: Double free vulnerabilities in the error handling code for ASN
osv·2004-09-28·CVSS 7.5
CVE-2004-0642 [HIGH] CVE-2004-0642: Double free vulnerabilities in the error handling code for ASN
Double free vulnerabilities in the error handling code for ASN.1 decoders in the (1) Key Distribution Center (KDC) library and (2) client library for MIT Kerberos 5 (krb5) 1.3.4 and earlier may allow remote attackers to execute arbitrary code.
No detection rules found.
No public exploits indexed.
http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000860http://marc.info/?l=bugtraq&m=109508872524753&w=2http://rhn.redhat.com/errata/RHSA-2004-350.htmlhttp://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txthttp://www.debian.org/security/2004/dsa-543http://www.gentoo.org/security/en/glsa/glsa-200409-09.xmlhttp://www.kb.cert.org/vuls/id/795632http://www.securityfocus.com/bid/11078http://www.trustix.net/errata/2004/0045/http://www.us-cert.gov/cas/techalerts/TA04-247A.htmlhttps://exchange.xforce.ibmcloud.com/vulnerabilities/17157https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10709https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4936http://distro.conectiva.com.br/atualizacoes/?id=a&anuncio=000860http://marc.info/?l=bugtraq&m=109508872524753&w=2http://rhn.redhat.com/errata/RHSA-2004-350.htmlhttp://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2004-002-dblfree.txthttp://www.debian.org/security/2004/dsa-543http://www.gentoo.org/security/en/glsa/glsa-200409-09.xmlhttp://www.kb.cert.org/vuls/id/795632http://www.securityfocus.com/bid/11078http://www.trustix.net/errata/2004/0045/http://www.us-cert.gov/cas/techalerts/TA04-247A.htmlhttps://exchange.xforce.ibmcloud.com/vulnerabilities/17157https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10709https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A4936
2004-09-28
Published