Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2014-9421

Overview

Vulnerability Score 9.0 9.0
CVE Id CVE-2014-9421
Last Modified 13 Apr 2015 09:59:58
Published 19 Feb 2015 06:59:05
Confidentiality Impact COMPLETE COMPLETE
Integrity Impact COMPLETE COMPLETE
Availability Impact COMPLETE COMPLETE
Access Vector NETWORK
Access Complexity LOW
Authentication SINGLE_INSTANCE

CVE-2014-9421

Summary

The auth_gssapi_unwrap_data function in lib/rpc/auth_gssapi_misc.c in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 does not properly handle partial XDR deserialization, which allows remote authenticated users to cause a denial of service (use-after-free and double free, and daemon crash) or possibly execute arbitrary code via malformed XDR data, as demonstrated by data sent to kadmind.

Vulnerable Systems

Application

  • Mit Kerberos 5-1.11

  • Mit Kerberos 5-1.11.1

  • Mit Kerberos 5-1.11.2

  • Mit Kerberos 5-1.11.3

  • Mit Kerberos 5-1.11.4

  • Mit Kerberos 5-1.11.5

  • Mit Kerberos 5-1.12

  • Mit Kerberos 5-1.12.1

  • Mit Kerberos 5-1.12.2

  • Mit Kerberos 5-1.13


References

CONFIRM - https://github.com/krb5/krb5/commit/a197e92349a4aa2141b5dff12e9dd44c2a2166e3

CONFIRM - http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt

CONFIRM - http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt

UBUNTU - USN-2498-1

DEBIAN - DSA-3153

REDHAT - RHSA-2015:0439

SUSE - openSUSE-SU-2015:0255

SUSE - SUSE-SU-2015:0290

SUSE - SUSE-SU-2015:0257

FEDORA - FEDORA-2015-2382

FEDORA - FEDORA-2015-2347

MANDRIVA - MDVSA-2015:069

REDHAT - RHSA-2015:0794


Last Updated: 27 May 2016 11:08:02