CVE-2010-1320
Published 2010-04-22
Priority: P4 29, medium; CVSS 2.0 base score 4
CVSS 2.0 vector: AV:N/AC:L/Au:S/C:N/I:N/A:P
EPSS: 11.86% (95.6th percentile)
Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.8.1+dfsg-2 (bookworm) | krb5 1.8.1+dfsg-2 (bookworm) |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | krb5 | >= 0 < 1.8.1+dfsg-2 | 1.8.1+dfsg-2 |
| mit | krb5 | >= 0 < 1.8.1+dfsg-2 | 1.8.1+dfsg-2 |
| mit | krb5 | >= 0 < 1.8.1+dfsg-2 | 1.8.1+dfsg-2 |
| mit | krb5 | >= 0 < 1.8.1+dfsg-2 | 1.8.1+dfsg-2 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| osv | — | 4.0 | MEDIUM | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
| vendor_debian | — | 4.0 | MEDIUM | — |
| vendor_redhat | — | 4.0 | MEDIUM | — |
Ubuntu
Kerberos vulnerability
vendor_ubuntu·2010-07-21·CVSS 4.0
CVE-2010-1321 [MEDIUM] Kerberos vulnerability
Title: Kerberos vulnerability
Summary: An attacker could send crafted input to kadmind and cause it to crash.
USN-940-1 fixed vulnerabilities in Kerberos. This update provides the corresponding updates for Ubuntu 10.04.
Original advisory details:
Joel Johnson, Brian Almeida, and Shawn Emery discovered that Kerberos did not correctly verify certain packet structures. An unauthenticated remote attacker could send specially crafted traffic to cause the KDC or kadmind services to crash, leading to a denial of service. (CVE-2010-1320, CVE-2010-1321)
Instructions: In general, a standard system update will make all the necessary changes.
Ubuntu
Kerberos vulnerabilities
vendor_ubuntu·2010-05-19·CVSS 10.0
CVE-2007-5971 [CRITICAL] Kerberos vulnerabilities
Title: Kerberos vulnerabilities
Summary: Unauthenticated remote attackers could cause Kerberos servers to crash, leading to a denial of service.
It was discovered that Kerberos did not correctly free memory in the GSSAPI and kdb libraries. If a remote attacker were able to manipulate an application using these libraries carefully, the service could crash, leading to a denial of service. (Only Ubuntu 6.06 LTS was affected.) (CVE-2007-5902, CVE-2007-5971, CVE-2007-5972)
Joel Johnson, Brian Almeida, and Shawn Emery discovered that Kerberos did not correctly verify certain packet structures. An unauthenticated remote attacker could send specially crafted traffic to cause the KDC or kadmind services to crash, leading to a denial of service. (CVE-2010-1320, CVE-2010-1321)
Instructions: In ge
Red Hat
krb5: double-free vulnerability in 1.7+
vendor_redhat·2010-04-20·CVSS 4.0
CVE-2010-1320 [MEDIUM] CWE-416 krb5: double-free vulnerability in 1.7+
Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.
Statement: Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 3, 4, or 5.
Package: krb5 (Red Hat Enterprise Linux 6) - Not affected
Debian
CVE-2010-1320: krb5 - Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) i...
vendor_debian·2010·CVSS 4.0
CVE-2010-1320 [MEDIUM] CVE-2010-1320: krb5 - Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) i...
Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.
Scope: local
bookworm: resolved (fixed in 1.8.1+dfsg-2)
bullseye: resolved (fixed in 1.8.1+dfsg-2)
forky: resolved (fixed in 1.8.1+dfsg-2)
sid: resolved (fixed in 1.8.1+dfsg-2)
trixie: resolved (fixed in 1.8.1+dfsg-2)
GHSA
GHSA-xrh6-gg74-rf7v: Double free vulnerability in do_tgs_req
ghsa_unreviewed·2022-05-02
CVE-2010-1320 [MEDIUM] GHSA-xrh6-gg74-rf7v: Double free vulnerability in do_tgs_req
Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.
OSV
CVE-2010-1320: Double free vulnerability in do_tgs_req
osv·2010-04-22·CVSS 4.0
CVE-2010-1320 [MEDIUM] CVE-2010-1320: Double free vulnerability in do_tgs_req
Double free vulnerability in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.7.x and 1.8.x before 1.8.2 allows remote authenticated users to cause a denial of service (daemon crash) or possibly execute arbitrary code via a request associated with (1) renewal or (2) validation.
No detection rules found.
Exploit-DB
Network Associates PGP KeyServer 7 - LDAP Buffer Overflow (Metasploit)
exploitdb·2010-11-14
CVE-2001-1320 Network Associates PGP KeyServer 7 - LDAP Buffer Overflow (Metasploit)
---
```ruby
##
# $Id: pgp_keyserver7.rb 11039 2010-11-14 19:03:24Z jduck $
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

class Metasploit3 < Msf::Exploit::Remote

	def initialize(info = {})
		super(update_info(info,
			'Name'           => 'Network Associates PGP KeyServer 7 LDAP Buffer Overflow',
			'Description'    => %q{
					This module exploits a stack buffer overflow in the LDAP service that is
				part of the NAI PGP Enterprise product suite. This module was tested
				against PGP KeyServer v7.0. Due to space restrictions, egghunter is
				used to find our payload - therefore you may wish to adjust WfsDelay.
			},
```
Exploit-DB
MIT Kerberos 5 - 'src/kdc/do_tgs_req.c' Ticket Renewal Double-Free Memory Corruption
exploitdb·2010-04-20
CVE-2010-1320 MIT Kerberos 5 - 'src/kdc/do_tgs_req.c' Ticket Renewal Double-Free Memory Corruption
---
source: https://www.securityfocus.com/bid/39599/info
MIT Kerberos is prone to a remote memory-corruption vulnerability.
An authenticated attacker can exploit this issue by sending specially crafted ticket-renewal requests to a vulnerable computer.
Successfully exploiting this issue can allow the attacker to execute arbitrary code with superuser privileges, completely compromising the affected computer. Failed exploit attempts will result in a denial-of-service condition.
The following proof-of-concept command is available:
% kinit -R
We currently are unaware of any exploits that result in code-execution.
Bugzilla
CVE-2011-0284 krb5 (krb5kdc): Double-free flaw by handling error messages upon receiving certain AS_REQ's (MITKRB5-SA-2011-003)
bugzilla·2011-02-01·CVSS 5.0
CVE-2011-0284 [MEDIUM] CVE-2011-0284 krb5 (krb5kdc): Double-free flaw by handling error messages upon receiving certain AS_REQ's (MITKRB5-SA-2011-003)
A double-free flaw was found in the way the MIT Kerberos KDC handled initial authentication requests (AS-REQ), when the KDC was configured to provide the PKINIT capability. A remote attacker could use this flaw to cause the KDC daemon to abort by using a specially-crafted AS-REQ request.
Different vulnerability than CVE-2010-1320 and CVE-2005-1174.
Discussion:
Created attachment 476397
Proposed patch from Nalin Dahyabhai to fix the issue
---
This issue did NOT affect the versions of the krb5 package, as shipped with Red Hat Enterprise Linux 3, 4, or 5.
This issue affects the version of the krb5 package, as shipped with Red Hat Enterprise Linux 6.
--
This i
Bugzilla
CVE-2010-1320 krb5: double-free vulnerability in 1.7+ [fedora-13]
bugzilla·2010-04-20·CVSS 4.0
CVE-2010-1320 [MEDIUM] CVE-2010-1320 krb5: double-free vulnerability in 1.7+ [fedora-13]
fedora-13 tracking bug for krb5: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
krb5-1.7.1-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/krb5-1.7.1-8.fc13
---
krb5-1.7.1-7.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/krb5-1.7.1-7.fc12
---
krb5-1.7.1-8.fc13 has been pushed to the Fedora 13 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2010-1320 krb5: double-free vulnerability in 1.7+ [fedora-12]
bugzilla·2010-04-20·CVSS 4.0
CVE-2010-1320 [MEDIUM] CVE-2010-1320 krb5: double-free vulnerability in 1.7+ [fedora-12]
fedora-12 tracking bug for krb5: see blocks bug list for full details of the security issue(s).
This bug is never intended to be made public, please put any public notes in the 'blocks' bugs.
[bug automatically created by: add-tracking-bugs]
Discussion:
krb5-1.7.1-8.fc13 has been submitted as an update for Fedora 13.
http://admin.fedoraproject.org/updates/krb5-1.7.1-8.fc13
---
krb5-1.7.1-7.fc12 has been submitted as an update for Fedora 12.
http://admin.fedoraproject.org/updates/krb5-1.7.1-7.fc12
---
krb5-1.7.1-7.fc12 has been pushed to the Fedora 12 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2010-1320 krb5: double-free vulnerability in 1.7+
bugzilla·2010-04-13·CVSS 4.0
CVE-2010-1320 [MEDIUM] CVE-2010-1320 krb5: double-free vulnerability in 1.7+
A double-free vulnerability was found in the KDC in MIT krb5 versions 1.7 and later. This flaw could allow an authenticated remote attacker to crash the KDC by inducing the KDC to perform a double-free, or to possibly allow for the execution of arbitrary code (although the latter is believed to be difficult).
This issue does not affect previous versions of MIT krb5.
From the upstream advisory (MITKRB5-SA-2010-004):
When process_tgs_req() handles renewal or validation of existing tickets, it copies header_ticket->enc_part2 (from the ticket that is being validated or renewed) to enc_tkt_reply (the new ticket being generated for the reply). This causes enc_tkt_reply.authorization_data to be an alias for memory that belongs to the reque
References
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=577490
http://lists.apple.com/archives/security-announce/2010//Jun/msg00001.html
http://lists.opensuse.org/opensuse-security-announce/2010-04/msg00006.html
http://secunia.com/advisories/39656
http://secunia.com/advisories/39784
http://secunia.com/advisories/40220
http://securitytracker.com/id?1023904
http://support.apple.com/kb/HT4188
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-004.txt
http://www.securityfocus.com/archive/1/510843/100/0/threaded
http://www.securityfocus.com/bid/39599
http://www.ubuntu.com/usn/USN-940-1
http://www.vupen.com/english/advisories/2010/1001
http://www.vupen.com/english/advisories/2010/1192
http://www.vupen.com/english/advisories/2010/1481