CVE-2012-1015
Published: 2012-08-06
Priority: P3 (45), critical
CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
EPSS: 4.81% (90.9th percentile)
The kdc_handle_protected_negotiation function in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) 1.8.x, 1.9.x before 1.9.5, and 1.10.x before 1.10.3 attempts to calculate a checksum before verifying that the key type is appropriate for a checksum, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized pointer free, heap memory corruption, and daemon crash) via a crafted AS-REQ request.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.10.1+dfsg-2 (bookworm) | krb5 1.10.1+dfsg-2 (bookworm) |
| mit | kerberos_5 | — | — |
| mit | krb5 | >= 0 < 1.10.1+dfsg-2 | 1.10.1+dfsg-2 |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 9.3 | CRITICAL | AV:N/AC:M/Au:N/C:C/I:C/A:C |
| osv | — | 9.3 | CRITICAL | — |
| vendor_debian | — | 9.3 | CRITICAL | — |
| vendor_redhat | — | 9.3 | CRITICAL | — |
| vendor_ubuntu | — | 5.5 | MEDIUM | — |
Red Hat
krb5: KDC daemon crash via free() of an uninitialized pointer
vendor_redhat · 2012-07-31 · CVSS 9.3 [CRITICAL]
Statement: Not vulnerable. This issue did not affect the versions of krb5 as shipped with Red Hat Enterprise Linux 5.
Package: krb5 (Red Hat Enterprise Linux 5) - Not affected
Ubuntu
Kerberos vulnerabilities
vendor_ubuntu · 2012-07-31 · CVSS 5.5 [MEDIUM] (advisory record listed under CVE-2012-1012)
Summary: Several security issues were fixed in Kerberos.
Emmanuel Bouillon discovered that the MIT krb5 Key Distribution Center
(KDC) daemon could free an uninitialized pointer when handling a
malformed AS-REQ message. A remote unauthenticated attacker could
use this to cause a denial of service or possibly execute arbitrary
code. (CVE-2012-1015)
Emmanuel Bouillon discovered that the MIT krb5 Key Distribution Center
(KDC) daemon could dereference an uninitialized pointer while handling
a malformed AS-REQ message. A remote unauthenticated attacker could
use this to cause a denial of service or possibly execute arbitrary
code. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1014)
Simo Sorce discovered that the MIT krb5 Key Distribution Center (KDC)
da
Debian
CVE-2012-1015: krb5
vendor_debian · 2012 · CVSS 9.3 [CRITICAL]
Scope: local
bookworm: resolved (fixed in 1.10.1+dfsg-2)
bullseye: resolved (fixed in 1.10.1+dfsg-2)
forky: resolved (fixed in 1.10.1+dfsg-2)
sid: resolved (fixed in 1.10.1+dfsg-2)
trixie: resolved (fixed in 1.10.1+dfsg-2)
GHSA
GHSA-phxm-4gpx-94fr
ghsa_unreviewed · 2022-05-13 · [HIGH] · CWE-20
OSV
CVE-2012-1015
osv · 2012-08-06 · CVSS 9.3 [CRITICAL]
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2012-1015 krb5: KDC daemon crash via free() of an uninitialized pointer [fedora-all]
bugzilla · 2012-07-31 · CVSS 9.3 [CRITICAL]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected Fedora
versions.
For comments that are specific to the vulnerability please use bugs filed
against "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When creating a Bodhi update request, please include this bug ID and the
bug IDs of this bug's parent bugs filed against the "Security Response"
product (the top-level CVE bugs). Please mention the CVE IDs being fixed
in the RPM changelog when available.
Bodhi update submission link:
https://admin.fedoraproject.org/updates/new/?t
Bugzilla
CVE-2012-1015 krb5: KDC daemon crash via free() of an uninitialized pointer
bugzilla · 2012-07-06 · CVSS 9.3 [CRITICAL]
The MIT krb5 KDC (Key Distribution Center) daemon can free an uninitialized pointer while processing an unusual AS-REQ, corrupting the process heap and possibly causing the daemon to abnormally terminate.
An attacker could use this vulnerability to execute malicious code, but exploiting frees of uninitialized pointers to execute code is believed to be difficult. It is possible that a legitimate client that is misconfigured in an unusual way could trigger this vulnerability.
Note: Current glibc protections will cause invalid pointer frees to be reduced to crash only.
The KDC in releases krb5-1.8 and later is vulnerable to this flaw.
Reference: http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
Patch:
References:
http://lists.opensuse.org/opensuse-updates/2012-08/msg00016.html
http://rhn.redhat.com/errata/RHSA-2012-1131.html
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2012-001.txt
http://www.debian.org/security/2012/dsa-2518
http://www.mandriva.com/security/advisories?name=MDVSA-2012:120
Published: 2012-08-06