USN-2310-1: Kerberos vulnerabilities

Ubuntu Security Notice USN-2310-1


11th August, 2014


krb5 vulnerabilities


A security issue affects these releases of Ubuntu and its derivatives:

  • Ubuntu 14.04 LTS
  • Ubuntu 12.04 LTS
  • Ubuntu 10.04 LTS


Summary


Several security issues were fixed in Kerberos.


Software description



  • krb5 - MIT Kerberos Network Authentication Protocol


Details


It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1016)


It was discovered that Kerberos incorrectly handled certain malformed KRB5_PADATA_PK_AS_REQ AS-REQ requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1415)


It was discovered that Kerberos incorrectly handled certain crafted TGS-REQ requests. A remote authenticated attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1416)


It was discovered that Kerberos incorrectly handled certain crafted requests when multiple realms were configured. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1418, CVE-2013-6800)


It was discovered that Kerberos incorrectly handled certain invalid tokens. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4341, CVE-2014-4342)


It was discovered that Kerberos incorrectly handled certain mechanisms when used with SPNEGO. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be used to cause clients to crash, resulting in a denial of service. (CVE-2014-4343)


It was discovered that Kerberos incorrectly handled certain continuation tokens during SPNEGO negotiations. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4344)


Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon incorrectly handled buffers when used with the LDAP backend. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-4345)


Update instructions


The problem can be corrected by updating your system to the following package versions:



Ubuntu 14.04 LTS:

  • libkadm5srv-mit9 1.12+dfsg-2ubuntu4.2
  • libk5crypto3 1.12+dfsg-2ubuntu4.2
  • krb5-kdc-ldap 1.12+dfsg-2ubuntu4.2
  • libkrad0 1.12+dfsg-2ubuntu4.2
  • krb5-otp 1.12+dfsg-2ubuntu4.2
  • libkdb5-7 1.12+dfsg-2ubuntu4.2
  • krb5-pkinit 1.12+dfsg-2ubuntu4.2
  • libkadm5clnt-mit9 1.12+dfsg-2ubuntu4.2
  • libkrb5-3 1.12+dfsg-2ubuntu4.2
  • krb5-user 1.12+dfsg-2ubuntu4.2
  • krb5-kdc 1.12+dfsg-2ubuntu4.2
  • libgssrpc4 1.12+dfsg-2ubuntu4.2
  • libkrb5support0 1.12+dfsg-2ubuntu4.2
  • libgssapi-krb5-2 1.12+dfsg-2ubuntu4.2
  • krb5-admin-server 1.12+dfsg-2ubuntu4.2

Ubuntu 12.04 LTS:

  • libkadm5srv-mit8 1.10+dfsg~beta1-2ubuntu0.5
  • libk5crypto3 1.10+dfsg~beta1-2ubuntu0.5
  • krb5-kdc-ldap 1.10+dfsg~beta1-2ubuntu0.5
  • libkdb5-6 1.10+dfsg~beta1-2ubuntu0.5
  • krb5-pkinit 1.10+dfsg~beta1-2ubuntu0.5
  • libkadm5clnt-mit8 1.10+dfsg~beta1-2ubuntu0.5
  • libkrb5-3 1.10+dfsg~beta1-2ubuntu0.5
  • krb5-user 1.10+dfsg~beta1-2ubuntu0.5
  • krb5-kdc 1.10+dfsg~beta1-2ubuntu0.5
  • libgssrpc4 1.10+dfsg~beta1-2ubuntu0.5
  • libkrb5support0 1.10+dfsg~beta1-2ubuntu0.5
  • libgssapi-krb5-2 1.10+dfsg~beta1-2ubuntu0.5
  • krb5-admin-server 1.10+dfsg~beta1-2ubuntu0.5

Ubuntu 10.04 LTS:

  • libk5crypto3 1.8.1+dfsg-2ubuntu0.13
  • krb5-kdc-ldap 1.8.1+dfsg-2ubuntu0.13
  • libkdb5-4 1.8.1+dfsg-2ubuntu0.13
  • libkadm5srv-mit7 1.8.1+dfsg-2ubuntu0.13
  • krb5-pkinit 1.8.1+dfsg-2ubuntu0.13
  • krb5-admin-server 1.8.1+dfsg-2ubuntu0.13
  • libkrb5-3 1.8.1+dfsg-2ubuntu0.13
  • krb5-user 1.8.1+dfsg-2ubuntu0.13
  • krb5-kdc 1.8.1+dfsg-2ubuntu0.13
  • libgssrpc4 1.8.1+dfsg-2ubuntu0.13
  • libkrb5support0 1.8.1+dfsg-2ubuntu0.13
  • libgssapi-krb5-2 1.8.1+dfsg-2ubuntu0.13
  • libkadm5clnt-mit7 1.8.1+dfsg-2ubuntu0.13


To update your system, please follow these instructions: http://bit.ly/1aJDvTw.


In general, a standard system update will make all the necessary changes.
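To confirm that a host has actually received the fixed builds listed above, the following added example (not part of the Ubuntu notice and not Ubuntu's own tooling) compares the installed versions of the krb5 binary packages against the fixed version for each release. Because every package in a given release shares one fixed version in this notice, only that version per release is embedded. The comparison re-implements dpkg's version ordering (epoch, then upstream, then Debian revision; a `~` sorts before everything; digit runs compare numerically) so the check runs without dpkg present. The `dpkg-query` invocation in the docstring and the sample output are assumptions and constructed data respectively; on a real host, pipe the real `dpkg-query -W` output into `unpatched()`.

```python
"""Check installed krb5 packages against the fixed versions from USN-2310-1.

Added example, not part of the Ubuntu notice. Real input for a host is
assumed to come from (pattern arguments are an assumption):
    dpkg-query -W -f='${Package} ${Version}\n' 'krb5-*' 'libk*' 'libgss*'
"""
import re

# Fixed version per release, taken from the notice's "Update instructions".
FIXED = {
    "14.04": "1.12+dfsg-2ubuntu4.2",
    "12.04": "1.10+dfsg~beta1-2ubuntu0.5",
    "10.04": "1.8.1+dfsg-2ubuntu0.13",
}

# Binary packages named in the notice (union over the three releases).
KRB5_PACKAGES = {
    "krb5-admin-server", "krb5-kdc", "krb5-kdc-ldap", "krb5-otp", "krb5-pkinit",
    "krb5-user", "libgssapi-krb5-2", "libgssrpc4", "libk5crypto3",
    "libkadm5clnt-mit7", "libkadm5clnt-mit8", "libkadm5clnt-mit9",
    "libkadm5srv-mit7", "libkadm5srv-mit8", "libkadm5srv-mit9",
    "libkdb5-4", "libkdb5-6", "libkdb5-7", "libkrad0", "libkrb5-3",
    "libkrb5support0",
}


def _order(ch):
    """dpkg character weight: '~' < end-of-string < letters < other symbols."""
    if ch == "~":
        return -1
    if ch == "":
        return 0
    if ch.isalpha():
        return ord(ch)
    return ord(ch) + 256


def _cmp(a, b):
    return (a > b) - (a < b)


def _cmp_fragment(x, y):
    """Compare an upstream-version or revision string the way dpkg does:
    alternate non-digit runs (character weights) and digit runs (numeric)."""
    while x or y:
        nx = re.match(r"[^0-9]*", x).group()
        ny = re.match(r"[^0-9]*", y).group()
        for i in range(max(len(nx), len(ny))):
            c = _cmp(_order(nx[i] if i < len(nx) else ""),
                     _order(ny[i] if i < len(ny) else ""))
            if c:
                return c
        x, y = x[len(nx):], y[len(ny):]
        dx = re.match(r"[0-9]*", x).group()
        dy = re.match(r"[0-9]*", y).group()
        c = _cmp(int(dx or 0), int(dy or 0))  # numeric, so 13 > 9
        if c:
            return c
        x, y = x[len(dx):], y[len(dy):]
    return 0


def _split(version):
    """Split '[epoch:]upstream[-revision]' into (epoch, upstream, revision)."""
    epoch = 0
    if ":" in version:
        e, version = version.split(":", 1)
        epoch = int(e)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1, matching `dpkg --compare-versions a lt|eq|gt b`."""
    ea, ua, ra = _split(a)
    eb, ub, rb = _split(b)
    return _cmp(ea, eb) or _cmp_fragment(ua, ub) or _cmp_fragment(ra, rb)


def unpatched(dpkg_output, release):
    """Return [(package, installed)] for krb5 packages below the fixed version."""
    fixed = FIXED[release]
    hits = []
    for line in dpkg_output.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue
        pkg, installed = parts
        if pkg in KRB5_PACKAGES and compare_versions(installed, fixed) < 0:
            hits.append((pkg, installed))
    return hits


# Constructed sample of `dpkg-query -W` output for an Ubuntu 14.04 LTS host
# where libkrb5-3 is still one revision behind the advisory.
SAMPLE_1404 = """\
krb5-user 1.12+dfsg-2ubuntu4.2
libgssapi-krb5-2 1.12+dfsg-2ubuntu4.2
libkrb5-3 1.12+dfsg-2ubuntu4.1
libkrb5support0 1.12+dfsg-2ubuntu4.2
example-unrelated-pkg 1.0-1
"""

if __name__ == "__main__":
    for pkg, ver in unpatched(SAMPLE_1404, "14.04"):
        print(f"{pkg} {ver} < {FIXED['14.04']}: still affected by USN-2310-1")
```

The `~` handling matters for Ubuntu 12.04 here: `1.10+dfsg~beta1` must sort below `1.10+dfsg`, which a naive string comparison gets wrong. Only packages that are actually installed are reported, so a KDC-less client with just `libkrb5-3` and `krb5-user` is judged on those alone.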


References


CVE-2012-1016, CVE-2013-1415, CVE-2013-1416, CVE-2013-1418, CVE-2013-6800, CVE-2014-4341, CVE-2014-4342, CVE-2014-4343, CVE-2014-4344, CVE-2014-4345

from Ubuntu Security Notices http://bit.ly/1ymNZmt