CVE-2014-9423
Published 2015-02-19
CVE-2014-9423: The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x…
Priority: P4 · 27 · medium · CVSS 2.0 base score 5
Vector: AV:N/AC:L/Au:N/C:P/I:N/A:N
EPSS: 3.89% (88.9th percentile)
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
Affected
16 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.12.1+dfsg-17 (bookworm) | krb5 1.12.1+dfsg-17 (bookworm) |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | krb5 | >= 0 < 1.12.1+dfsg-17 | 1.12.1+dfsg-17 |
| mit | krb5 | >= 0 < 1.12.1+dfsg-17 | 1.12.1+dfsg-17 |
| mit | krb5 | >= 0 < 1.12.1+dfsg-17 | 1.12.1+dfsg-17 |
| mit | krb5 | >= 0 < 1.12.1+dfsg-17 | 1.12.1+dfsg-17 |
| mit | krb5 | >= 0 < 1.12+dfsg-2ubuntu5.1 | 1.12+dfsg-2ubuntu5.1 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:P/I:N/A:N |
| osv | — | 5.0 | MEDIUM | — |
| vendor_debian | — | 5.0 | MEDIUM | — |
| vendor_redhat | — | 5.0 | MEDIUM | — |
| vendor_ubuntu | — | 2.1 | LOW | — |
GHSA
GHSA-c8r5-76c4-8w9w · ghsa_unreviewed · 2022-05-13 · CVE-2014-9423 · MEDIUM · CWE-200
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
OSV
CVE-2014-9423 · osv · 2015-02-19 · CVSS 5.0 · MEDIUM
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
OSV
krb5 vulnerabilities · osv · 2015-02-10 · CVSS 2.1 · CVE-2014-5351 · LOW
It was discovered that Kerberos incorrectly sent old keys in response to a
-randkey -keepold request. An authenticated remote attacker could use this
issue to forge tickets by leveraging administrative access. This issue
only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-5351)
It was discovered that the libgssapi_krb5 library incorrectly processed
security context handles. A remote attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. (CVE-2014-5352)
Patrik Kis discovered that Kerberos incorrectly handled LDAP queries with
no results. An authenticated remote attacker could use this issue to cause
the KDC to crash, resulting in a denial of service. (CVE-2014-5353)
It was discovered that Kerberos
Ubuntu
Kerberos vulnerabilities · vendor_ubuntu · 2015-02-10 · CVSS 2.1 · CVE-2014-5351 · LOW
Title: Kerberos vulnerabilities
Summary: Several security issues were fixed in Kerberos.
It was discovered that Kerberos incorrectly sent old keys in response to a
-randkey -keepold request. An authenticated remote attacker could use this
issue to forge tickets by leveraging administrative access. This issue
only affected Ubuntu 10.04 LTS, Ubuntu 12.04 LTS and Ubuntu 14.04 LTS.
(CVE-2014-5351)
It was discovered that the libgssapi_krb5 library incorrectly processed
security context handles. A remote attacker could use this issue to cause
a denial of service, or possibly execute arbitrary code. (CVE-2014-5352)
Patrik Kis discovered that Kerberos incorrectly handled LDAP queries with
no results. An authenticated remote attacker could use this issue to cause
the KDC to crash, resulting in
Red Hat
krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001) · vendor_redhat · 2015-02-03 · CVSS 5.0 · CVE-2014-9423 · MEDIUM · CWE-212
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
An information disclosure flaw was found in the way MIT Kerberos RPCSEC_GSS implementation (libgssrpc) handled certain requests. An attacker could send a specially crafted request to an application using libgssrpc to disclose a limited portion of uninitialized memory used by that application.
Statement: This issue did not affect the versions of krb5 a
Debian
CVE-2014-9423: krb5 · vendor_debian · 2014 · CVSS 5.0 · MEDIUM
The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.
Scope: local
bookworm: resolved (fixed in 1.12.1+dfsg-17)
bullseye: resolved (fixed in 1.12.1+dfsg-17)
forky: resolved (fixed in 1.12.1+dfsg-17)
sid: resolved (fixed in 1.12.1+dfsg-17)
trixie: resolved (fixed in 1.12.1+dfsg-17)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2014-5352 CVE-2014-9421 CVE-2014-9423 CVE-2014-9422 krb5: various flaws [fedora-all] · bugzilla · 2015-02-03 · CVSS 9.0 · CVE-2014-5352 · CRITICAL
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported v
Bugzilla
CVE-2014-9423 krb5: libgssrpc server applications leak uninitialized bytes (MITKRB5-SA-2015-001) · bugzilla · 2015-01-07 · CVSS 5.0 · MEDIUM
Upstream reports that libgssrpc applications including kadmind output four or
eight bytes of uninitialized memory to the network as part of an
unused "handle" field in replies to clients.
An attacker could attempt to glean sensitive
information from the four or eight bytes of uninitialized data output
by kadmind or other libgssrpc server applications. Because MIT krb5
generally sanitizes memory containing krb5 keys before freeing it, it
is unlikely that kadmind would leak Kerberos key information, but it
is not impossible.
RFC 2203 defines structures for the RPCSEC_GSS authentication flavor.
The rpc_gss_init_res structure which conveys responses to the client
contains an opaque "handle" field
Bugzilla
CVE-2014-5352 krb5: gss_process_context_token() incorrectly frees context (MITKRB5-SA-2015-001) · bugzilla · 2015-01-07 · CVSS 9.0 · CRITICAL
Upstream reports that in the MIT krb5 libgssapi_krb5 library, after
gss_process_context_token() is used to process a valid context
deletion token, the caller is left with a security context handle
containing a dangling pointer. Further uses of this handle will
result in use-after-free and double-free memory access violations.
libgssrpc server applications such as kadmind are vulnerable as they
can be instructed to call gss_process_context_token().
The krb5 mechanism implementation of gss_process_context_token(), upon
successfully validating a deletion token, frees the security context
structure. This behavior is incorrect as the API has no way to alert
the caller that the security context was
Bugzilla
CVE-2014-9422 krb5: kadmind incorrectly validates server principal name (MITKRB5-SA-2015-001) · bugzilla · 2015-01-07 · CVSS 9.0 · CRITICAL
Upstream reports that the MIT krb5 kadmind daemon incorrectly accepts
authentications to two-component server principals whose first
component is a left substring of "kadmin" or whose realm is a left
prefix of the default realm.
An attacker who possesses the key of a particularly named
principal (such as "kad/root") could impersonate any user to kadmind
and perform administrative actions as that user.
When kadmind receives a request using the RPCSEC_GSS authentication
flavor, it queries the GSS-API security context for the server
principal name and attempts to verify that it is a two-component
principal name where the first component is "kadmin", the second
component is not "history", and the rea
Bugzilla
CVE-2014-9421 krb5: kadmind doubly frees partial deserialization results (MITKRB5-SA-2015-001) · bugzilla · 2015-01-07 · CVSS 9.0 · CRITICAL
Upstream reports that if the MIT krb5 kadmind daemon receives invalid XDR
data from an authenticated user, it may perform use-after-free and
double-free memory access violations while cleaning up the partial
deserialization results. Other libgssrpc server applications may also
be vulnerable if they contain insufficiently defensive XDR functions.
An authenticated attacker could cause kadmind or another
vulnerable server application to crash or to execute arbitrary code.
Exploiting a double-free event to execute arbitrary code is believed
to be difficult.
libgssrpc applications use the XDR serialization format. XDR data is
serialized, deserialized, and freed using an application function,
often ge
References
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151103.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-March/151437.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00011.html
http://lists.opensuse.org/opensuse-security-announce/2015-02/msg00016.html
http://lists.opensuse.org/opensuse-updates/2015-02/msg00044.html
http://rhn.redhat.com/errata/RHSA-2015-0439.html
http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt
http://www.debian.org/security/2015/dsa-3153
http://www.mandriva.com/security/advisories?name=MDVSA-2015:069
http://www.securityfocus.com/bid/72503
http://www.ubuntu.com/usn/USN-2498-1
https://github.com/krb5/krb5/commit/5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c