CVE-2014-9422
Published: 2015-02-19
Priority: P4 · 33 · medium
CVSS 2.0: 6.1 (medium) · AV:N/AC:H/Au:S/C:P/I:P/A:C
EPSS: 2.73% (84.2th percentile)
The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.
Affected (distinct ranges; the feed lists 16 entries, most of them duplicates or version-less CPE rows)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mit | kerberos_5 | through 1.11.5; 1.12.0 through 1.12.2; 1.13.0 (before 1.13.1) | 1.13.1 |
| debian | krb5 | < 1.12.1+dfsg-17 | 1.12.1+dfsg-17 |
| ubuntu | krb5 | < 1.12+dfsg-2ubuntu5.1 | 1.12+dfsg-2ubuntu5.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 6.1 | MEDIUM | AV:N/AC:H/Au:S/C:P/I:P/A:C |
| osv | | 6.1 | MEDIUM | |
| vendor_debian | | 6.1 | MEDIUM | |
| vendor_redhat | | 6.1 | MEDIUM | |
| vendor_ubuntu | | 2.1 | LOW | |
The vendor_ubuntu 2.1 LOW score comes from the bundled Ubuntu advisory entry below, whose headline CVE is CVE-2014-5351; it is not a rating of CVE-2014-9422 itself.
Ubuntu
USN-2498-1: Kerberos vulnerabilities
vendor_ubuntu · 2015-02-10 · CVSS 2.1 (LOW; scored for the listed CVE-2014-5351, not for CVE-2014-9422)
Summary: Several security issues were fixed in Kerberos.
It was discovered that Kerberos incorrectly sent old keys in response to a
-randkey -keepold request. An authenticated remote attacker could use this
issue to forge tickets by leveraging administrative access. This issue
only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-5351)
It was discovered that the libgssapi_krb5 library incorrectly processed
security context handles. A remote attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. (CVE-2014-5352)
Patrik Kis discovered that Kerberos incorrectly handled LDAP queries with
no results. An authenticated remote attacker could use this issue to cause
the KDC to crash, resulting in a denial of service. (CVE-2014-5353)
Red Hat
krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
vendor_redhat · 2015-02-03 · CVSS 6.1 (MEDIUM) · CWE-697 (Incorrect Comparison)
It was found that the MIT Kerberos administration server (kadmind) incorrectly accepted certain authentication requests for two-component server principal names. A remote attacker able to acquire a key with a particularly named principal (such as "kad/x") could use this flaw to impersonate any user to kadmind, and perform administrative actions as that user.
Debian
krb5: CVE-2014-9422 (DSA-3153; see references)
vendor_debian · 2014 · CVSS 6.1 (MEDIUM)
Scope: local
bookworm: resolved (fixed in 1.12.1+dfsg-17)
bullseye: resolved (fixed in 1.12.1+dfsg-17)
forky: resolved (fixed in 1.12.1+dfsg-17)
sid: resolved (fixed in 1.12.1+dfsg-17)
trixie: resolved (fixed in 1.12.1+dfsg-17)
GHSA
GHSA-8qhp-h7xw-f46m · ghsa_unreviewed · 2022-05-13 · CWE-284 (Improper Access Control)
Carries the CVE description given above, unchanged.
OSV
CVE-2014-9422 · osv · 2015-02-19 · CVSS 6.1 (MEDIUM)
Carries the CVE description given above, unchanged.
OSV
krb5 vulnerabilities · osv · 2015-02-10 · CVSS 2.1 (LOW; headline CVE-2014-5351)
Mirror of the Ubuntu "Kerberos vulnerabilities" advisory text given above.
No detection rules found.
No public exploits indexed.
Bugzilla
krb5: various flaws [fedora-all] (CVE-2014-5352, CVE-2014-9421, CVE-2014-9422, CVE-2014-9423)
bugzilla · 2015-02-03 · CVSS 9.0 (CRITICAL; the rating of the headline CVE-2014-5352)
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported v
Bugzilla
CVE-2014-9423: krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001)
bugzilla · 2015-01-07 · CVSS 5.0 (MEDIUM)
Upstream reports that libgssrpc applications including kadmind output four or
eight bytes of uninitialized memory to the network as part of an
unused "handle" field in replies to clients.
An attacker could attempt to glean sensitive
information from the four or eight bytes of uninitialized data output
by kadmind or other libgssrpc server application. Because MIT krb5
generally sanitizes memory containing krb5 keys before freeing it, it
is unlikely that kadmind would leak Kerberos key information, but it
is not impossible.
RFC 2203 defines structures for the RPCSEC_GSS authentication flavor.
The rpc_gss_init_res structure which conveys responses to the client
contains an opaque "handle" field
Bugzilla
CVE-2014-5352: krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001)
bugzilla · 2015-01-07 · CVSS 9.0 (CRITICAL)
Upstream reports that in the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context
deletion token, the caller is left with a security context handle
containing a dangling pointer. Further uses of this handle will
result in use-after-free and double-free memory access violations.
libgssrpc server applications such as kadmind are vulnerable as they
can be instructed to call gss_process_context_token().
The krb5 mechanism implementation of gss_process_context_token(), upon
successfully validating a deletion token, frees the security context
structure. This behavior is incorrect as the API has no way to alert
the caller that the security context was
Bugzilla
CVE-2014-9422: krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001)
bugzilla · 2015-01-07 · CVSS 9.0 (CRITICAL; Bugzilla's rating, NVD scores it 6.1)
Upstream reports that the MIT krb5 kadmind daemon incorrectly accepts
authentications to two-component server principals whose first
component is a left substring of "kadmin" or whose realm is a left
prefix of the default realm.
An attacker who possesses the key of a particularly named
principal (such as "kad/root") could impersonate any user to kadmind
and perform administrative actions as that user.
When kadmind receives a request using the RPCSEC_GSS authentication
flavor, it queries the GSS-API security context for the server
principal name and attempts to verify that it is a two-component
principal name where the first component is "kadmin", the second
component is not "history", and the rea
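The comparison mistake the Red Hat and Bugzilla entries above describe, as an added example: this is my own illustrative code, not kadmind's source and not text from the MIT advisory (the real change is in the krb5 commit listed under references). It assumes only that principal components arrive as counted strings in the shape of krb5_data (a length plus a pointer, not NUL-terminated); the struct, function names and the EXAMPLE.COM realm are mine. The flawed form bounds the comparison by the component's own length, so "ka", "kad" and a realm that is a left prefix of the default realm all pass; the exact form checks the length first.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Counted string in the shape of krb5_data: a length and a pointer to
 * bytes that need not be NUL-terminated. Defined here for the example. */
typedef struct {
    unsigned int length;
    const char *data;
} cdata;

static cdata cd(const char *s)
{
    cdata d = { (unsigned int)strlen(s), s };
    return d;
}

/* Flawed comparison: bounded by the component's own length, so any left
 * substring of `expect` ("ka", "kad", "kadmi" for "kadmin") compares equal,
 * and an empty component matches everything. */
static bool prefix_eq(cdata d, const char *expect)
{
    return strncmp(expect, d.data, d.length) == 0;
}

/* Exact comparison: lengths must agree before the bytes are compared. */
static bool exact_eq(cdata d, const char *expect)
{
    size_t n = strlen(expect);
    return d.length == n && memcmp(d.data, expect, n) == 0;
}

/* Server-principal policy for c1/c2@realm as the advisory states it:
 * first component "kadmin", second component not "history", realm equal
 * to the default realm. `eq` selects which comparison enforces it. */
typedef bool (*cmp_fn)(cdata, const char *);

static bool server_princ_ok(cmp_fn eq, const char *c1, const char *c2,
                            const char *realm, const char *default_realm)
{
    if (!eq(cd(realm), default_realm))
        return false;
    if (!eq(cd(c1), "kadmin"))
        return false;
    if (eq(cd(c2), "history"))
        return false;
    return true;
}

/* Vulnerable and fixed decisions side by side; EXAMPLE.COM is the
 * assumed default realm of the KDC. */
bool vulnerable_accepts(const char *c1, const char *c2, const char *realm)
{
    return server_princ_ok(prefix_eq, c1, c2, realm, "EXAMPLE.COM");
}

bool fixed_accepts(const char *c1, const char *c2, const char *realm)
{
    return server_princ_ok(exact_eq, c1, c2, realm, "EXAMPLE.COM");
}

int main(void)
{
    /* Constructed test principals taken from the names quoted on this page. */
    static const struct { const char *c1, *c2, *realm; } cases[] = {
        { "kadmin",  "admin",   "EXAMPLE.COM" },  /* legitimate */
        { "ka",      "x",       "EXAMPLE.COM" },  /* "ka/x" from the CVE text */
        { "kad",     "root",    "EXAMPLE.COM" },  /* "kad/root" from the advisory */
        { "kadmin",  "history", "EXAMPLE.COM" },  /* must always be refused */
        { "kadmin",  "admin",   "EXAMPLE"     },  /* realm is a left prefix */
        { "kadminx", "admin",   "EXAMPLE.COM" },  /* longer than "kadmin" */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        printf("%s/%s@%s  vulnerable=%d fixed=%d\n",
               cases[i].c1, cases[i].c2, cases[i].realm,
               vulnerable_accepts(cases[i].c1, cases[i].c2, cases[i].realm),
               fixed_accepts(cases[i].c1, cases[i].c2, cases[i].realm));
    }
    return 0;
}
```

The check matters because whoever holds a service principal's key can mint a ticket to that service naming any client; restricting the acceptor name kadmind will honour to kadmin/* (minus history) keeps an attacker who legitimately holds some other principal's key from using it as the authenticating service and so choosing the client identity kadmind acts on.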
Bugzilla
CVE-2014-9421: krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001)
bugzilla · 2015-01-07 · CVSS 9.0 (CRITICAL)
Upstream reports that if the MIT krb5 kadmind daemon receives invalid XDR
data from an authenticated user, it may perform use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results. Other libgssrpc server applications may also
be vulnerable if they contain insufficiently defensive XDR functions.
An authenticated attacker could cause kadmind or other
vulnerable server application to crash or to execute arbitrary code.
Exploiting a double-free event to execute arbitrary code is believed
to be difficult.
libgssrpc applications use the XDR serialization format. XDR data is
serialized, deserialized, and freed using an application function,
often ge
References
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt
- http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt
- https://github.com/krb5/krb5/commit/6609658db0799053fbef0d7d0aa2f1fd68ef32d8
- http://www.debian.org/security/2015/dsa-3153
- http://www.ubuntu.com/usn/USN-2498-1
- http://rhn.redhat.com/errata/RHSA-2015-0439.html
- http://rhn.redhat.com/errata/RHSA-2015-0794.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html
- http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html
- http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html
- http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html
- http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html
- http://www.mandriva.com/security/advisories?name=MDVSA-2015:069
- http://www.securityfocus.com/bid/72494