CVE-2016-3120
published 2016-08-01
Priority P432 · medium · 6.5 · CVSS 3.0
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
EPSS: 4.62% (90.5th percentile)
The validate_as_request function in kdc_util.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.13.6 and 1.4.x before 1.14.3, when restrict_anonymous_to_tgt is enabled, uses an incorrect client data structure, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an S4U2Self request.
Affected
15 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | krb5 | < krb5 1.14.3+dfsg-1 (bookworm) | krb5 1.14.3+dfsg-1 (bookworm) |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | kerberos_5 | — | — |
| mit | krb5 | >= 0 < 1.14.3+dfsg-1 | 1.14.3+dfsg-1 |
| mit | krb5 | >= 0 < 1.14.3+dfsg-1 | 1.14.3+dfsg-1 |
| mit | krb5 | >= 0 < 1.14.3+dfsg-1 | 1.14.3+dfsg-1 |
| mit | krb5 | >= 0 < 1.14.3+dfsg-1 | 1.14.3+dfsg-1 |
CVSS provenance
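| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.0 | 6.5 | MEDIUM | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| nvd | v2.0 | 4.0 | MEDIUM | AV:N/AC:L/Au:S/C:N/I:N/A:P |
| osv | — | 6.5 | MEDIUM | — |
| vendor_debian | — | 6.5 | MEDIUM | — |
| vendor_redhat | — | 6.5 | MEDIUM | — |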
GHSA
GHSA-8q8p-vxj6-fg2g: The validate_as_request function in kdc_util
ghsa_unreviewed·2022-05-13
CVE-2016-3120 [MEDIUM] CWE-476 GHSA-8q8p-vxj6-fg2g: The validate_as_request function in kdc_util
OSV
CVE-2016-3120: The validate_as_request function in kdc_util
osv·2016-08-01·CVSS 6.5
CVE-2016-3120 [MEDIUM] CVE-2016-3120: The validate_as_request function in kdc_util
Red Hat
krb5: S4U2Self KDC crash when anon is restricted
vendor_redhat·2016-07-19·CVSS 6.5
CVE-2016-3120 [MEDIUM] CWE-476 krb5: S4U2Self KDC crash when anon is restricted
A NULL pointer dereference flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to dereference a null pointer and crash by making an S4U2Self request, if the restrict_anonymous_to_tgt option was set to true.
Package: krb5 (Red Hat Enterprise Linux 5) - Not affected
Package: krb5 (Red Hat Enterprise Linux 6) - Will
Debian
CVE-2016-3120: krb5 - The validate_as_request function in kdc_util.c in the Key Distribution Center (K...
vendor_debian·2016·CVSS 6.5
CVE-2016-3120 [MEDIUM] CVE-2016-3120: krb5 - The validate_as_request function in kdc_util.c in the Key Distribution Center (K...
Scope: local
bookworm: resolved (fixed in 1.14.3+dfsg-1)
bullseye: resolved (fixed in 1.14.3+dfsg-1)
forky: resolved (fixed in 1.14.3+dfsg-1)
sid: resolved (fixed in 1.14.3+dfsg-1)
trixie: resolved (fixed in 1.14.3+dfsg-1)
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2016-3120 krb5: S4U2Self KDC crash when anon is restricted
bugzilla·2016-07-28·CVSS 6.5
CVE-2016-3120 [MEDIUM] CVE-2016-3120 krb5: S4U2Self KDC crash when anon is restricted
It was found that in MIT krb5 1.9 and later, an authenticated attacker can cause krb5kdc to dereference a null pointer if the restrict_anonymous_to_tgt option is set to true, by making an S4U2Self request.
Upstream patch:
https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
Discussion:
Created krb5 tracking bugs for this issue:
Affects: fedora-all [bug 1361051]
---
krb5-1.14.1-8.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.
---
krb5-1.14.3-4.fc23 has been pushed to the Fedora 23 stable repository. If problems still persist, please make note of it in this bug report.
---
krb5-1.14.3-8.fc23 has been pushed to the F
Bugzilla
CVE-2016-3120 krb5: S4U2Self KDC crash when anon is restricted [fedora-all]
bugzilla·2016-07-28·CVSS 6.5
CVE-2016-3120 [MEDIUM] CVE-2016-3120 krb5: S4U2Self KDC crash when anon is restricted [fedora-all]
This is an automatically created tracking bug! It was created to ensure
that one or more security vulnerabilities are fixed in affected versions
of Fedora.
For comments that are specific to the vulnerability please use bugs filed
against the "Security Response" product referenced in the "Blocks" field.
For more information see:
http://fedoraproject.org/wiki/Security/TrackingBugs
When submitting as an update, use the fedpkg template provided in the next
comment(s). This will include the bug IDs of this tracking bug as well as
the relevant top-level CVE bugs.
Please also mention the CVE IDs being fixed in the RPM changelog and the
fedpkg commit message.
NOTE: this issue affects multiple supported versions of Fe
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8458
http://lists.opensuse.org/opensuse-updates/2016-09/msg00035.html
http://rhn.redhat.com/errata/RHSA-2016-2591.html
http://web.mit.edu/kerberos/krb5-1.13/
http://web.mit.edu/kerberos/krb5-1.14/
http://www.securityfocus.com/bid/92132
http://www.securitytracker.com/id/1036442
https://github.com/krb5/krb5/commit/93b4a6306a0026cf1cc31ac4bd8a49ba5d034ba7
https://lists.debian.org/debian-lts-announce/2018/01/msg00040.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AWL3KYFRJIX37EAM4DKCQQIQP2WBKL35/
Published: 2016-08-01