CVE-2011-0285
Published 2011-04-15
Priority P2 · 63 · critical 10.0 (CVSS 2.0)
CVSS 2.0 vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Exploit: available
EPSS: 17.95% (96.8th percentile)
The process_chpw_request function in schpw.c in the password-changing functionality in kadmind in MIT Kerberos 5 (aka krb5) 1.7 through 1.9 frees an invalid pointer, which allows remote attackers to execute arbitrary code or cause a denial of service (daemon crash) via a crafted request that triggers an error condition.
Affected (12 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.9.1+dfsg-1 (bookworm) | krb5 1.9.1+dfsg-1 (bookworm) |
| mit | kerberos_5 | — | — |
| mit | krb5 | >= 0 < 1.9.1+dfsg-1 | 1.9.1+dfsg-1 |
Detection & IOCs (extracted from sources)
- Target service is kadmind's password-changing functionality (process_chpw_request in schpw.c); monitor for unauthenticated crafted requests to kadmind that trigger error conditions leading to free() of an invalid pointer and process crash.
- Only krb5 versions 1.7 and higher are vulnerable; earlier releases do not contain the affected password-changing code path. Scope detection to hosts running krb5 1.7 through 1.9.
- On systems with glibc protections, exploitation results in a crash only (no arbitrary code execution); unexpected kadmind termination should be treated as a potential exploitation attempt.
- Exploit is unauthenticated: no valid Kerberos credentials are required to trigger the vulnerability; alert on anomalous/malformed password-change requests to kadmind from unknown sources.
- Red Hat Enterprise Linux 5 ships a version of krb5 that is NOT affected; detection/patching efforts should focus on RHEL 6 and systems running krb5 1.7–1.9.
- Debian fixed the issue in krb5 package version 1.9.1+dfsg-1; systems running earlier Debian krb5 packages across all current suites (bookworm, bullseye, sid, trixie, forky) were vulnerable.
CVSS provenance
- nvd: v2.0 10.0 CRITICAL (AV:N/AC:L/Au:N/C:C/I:C/A:C)
- osv: 10.0 CRITICAL
- vendor_debian: 10.0 CRITICAL
- vendor_redhat: 10.0 CRITICAL
Ubuntu
Kerberos vulnerability (vendor_ubuntu, 2011-04-19)
Summary: An unauthenticated remote user could crash the Kerberos service.
Felipe Ortega discovered that kadmind did not correctly handle password changing error conditions. An unauthenticated remote attacker could exploit this to crash kadmind, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
krb5: kadmind invalid pointer free() (MITKRB5-SA-004) (vendor_redhat, 2011-04-08, CVSS 10.0, CRITICAL)
Statement: This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5.
Package: krb5 (Red Hat Enterprise Linux 5) - Not affected
Debian
CVE-2011-0285: krb5 (vendor_debian, 2011, CVSS 10.0, CRITICAL)
Scope: local
- bookworm: resolved (fixed in 1.9.1+dfsg-1)
- bullseye: resolved (fixed in 1.9.1+dfsg-1)
- forky: resolved (fixed in 1.9.1+dfsg-1)
- sid: resolved (fixed in 1.9.1+dfsg-1)
- trixie: resolved (fixed in 1.9.1+dfsg-1)
GHSA
GHSA-rh86-pqp5-j43v (ghsa_unreviewed, 2022-05-13): CVE-2011-0285, severity HIGH, CWE-20
OSV
CVE-2011-0285 (osv, 2011-04-15, CVSS 10.0, CRITICAL)
No detection rules found.
Exploit-DB
stoneware webnetwork6 - Multiple Vulnerabilities (exploitdb, 2012-01-24, CVE-2012-0286, CVSS 4.3, MEDIUM)
---
Stoneware WebNetwork6 Vulnerability Assessment
* CVE-2012-0285 – XSS
* CVE-2012-0286 - CSRF
Conducted by:
* Leland Public Schools (Stoneware Customer)
* Jacob Holcomb (Network Engineer for LPS)
Conducted for:
* Leland Public Schools (Purchaser of WebNetwork product. Test was to assure cloud security)
* Stoneware INC. (Discovered Zero Day vulnerabilities reported to support in 11/2011 & 12/2011)
Date(s) Conducted:
* 11/2011 – Started initial Web application penetration testing
* 12/29/2011 – Started testing of Stoneware’s beta SP8 patch to resolve zero day vulnerabilities
Executive Summary
The following reports details the findings from the security assessment performed by Jacob Holcomb of Leland Public Schools for the clients l
Exploit-DB
MIT Kerberos 5 - kadmind Change Password Feature Remote Code Execution (exploitdb, 2011-04-11, CVE-2011-0285)
---
source: https://www.securityfocus.com/bid/47310/info
MIT Kerberos is prone to a remote code-execution vulnerability in 'kadmind'.
An attacker may exploit this issue to execute arbitrary code with superuser privileges. Failed attempts will cause the affected application to crash, denying service to legitimate users. A successful exploit will completely compromise affected computers.
MIT Kerberos 5 1.7 and later are vulnerable.
NOTE (April 13, 2011): This BID was originally titled 'MIT Kerberos kadmind Version String Processing Remote Denial Of Service Vulnerability', but has been renamed to better reflect the nature of the issue.
# nmap -n -sV krb01
Bugzilla
CVE-2011-0285 krb5: kadmind invalid pointer free() (MITKRB5-SA-004) [fedora-all] (bugzilla, 2011-04-13, CVSS 10.0, CRITICAL)
This is an automatically created tracking bug! It was created to ensure that one or more security vulnerabilities are fixed in affected Fedora versions.
For comments that are specific to the vulnerability please use bugs filed against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include the bug IDs of the respective parent bugs filed against the "Security Response" product.
Please mention CVE ids in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?type_=security&bugs=696334
Please note: this issue affects mu
Bugzilla
CVE-2011-0285 krb5: kadmind invalid pointer free() (MITKRB5-SA-004) (bugzilla, 2011-04-13, CVSS 10.0, CRITICAL)
A bug was discovered [1],[2] in the password-changing capability of the MIT krb5 administration daemon (kadmind) that can cause it to attempt to free() an invalid pointer under certain error conditions. This could allow an unauthenticated remote attacker to cause the kadmind process to terminate, resulting in a denial of service.
Only krb5 1.7 and higher are vulnerable to this flaw; earlier releases do not contain the functionality that the vulnerable code implements.
Upcoming krb5 releases will correct the flaw, but patches are available for 1.7.x/1.8.x [3] and 1.9.x [4].
[1] http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621726
[2] http://web.mit.edu/Kerberos/advisories/MITKRB5-SA-2011-004.txt
[3] http://web.mit
References
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=621726
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=6899
- http://lists.fedoraproject.org/pipermail/package-announce/2011-April/058181.html
- http://osvdb.org/71789
- http://secunia.com/advisories/44125
- http://secunia.com/advisories/44181
- http://secunia.com/advisories/44196
- http://securityreason.com/securityalert/8200
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2011-004.txt
- http://www.mandriva.com/security/advisories?name=MDVSA-2011:077
- http://www.redhat.com/support/errata/RHSA-2011-0447.html
- http://www.securityfocus.com/archive/1/517484/100/0/threaded
- http://www.securityfocus.com/bid/47310
- http://www.securitytracker.com/id?1025320
- http://www.vupen.com/english/advisories/2011/0936
- http://www.vupen.com/english/advisories/2011/0986
- http://www.vupen.com/english/advisories/2011/0997
- https://hermes.opensuse.org/messages/8086843
Published: 2011-04-15