Lumension® Endpoint Intelligence Center

Intelligence Center » Browse All Vulnerabilities » CVE-2014-9423

Overview

Vulnerability Score 5.0 5.0
CVE Id CVE-2014-9423
Last Modified 31 Mar 2015 09:59:59
Published 19 Feb 2015 06:59:07
Confidentiality Impact PARTIAL PARTIAL
Integrity Impact NONE NONE
Availability Impact NONE NONE
Access Vector NETWORK
Access Complexity LOW
Authentication NONE

CVE-2014-9423

Summary

The svcauth_gss_accept_sec_context function in lib/rpc/svc_auth_gss.c in MIT Kerberos 5 (aka krb5) 1.11.x through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 transmits uninitialized interposer data to clients, which allows remote attackers to obtain sensitive information from process heap memory by sniffing the network for data in a handle field.

Vulnerable Systems

Application

  • Mit Kerberos 5-1.11

  • Mit Kerberos 5-1.11.1

  • Mit Kerberos 5-1.11.2

  • Mit Kerberos 5-1.11.3

  • Mit Kerberos 5-1.11.4

  • Mit Kerberos 5-1.11.5

  • Mit Kerberos 5-1.12

  • Mit Kerberos 5-1.12.1

  • Mit Kerberos 5-1.12.2

  • Mit Kerberos 5-1.13


References

CONFIRM - https://github.com/krb5/krb5/commit/5bb8a6b9c9eb8dd22bc9526751610aaa255ead9c

CONFIRM - http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2015-001.txt

CONFIRM - http://web.mit.edu/kerberos/advisories/2015-001-patch-r113.txt

UBUNTU - USN-2498-1

DEBIAN - DSA-3153

REDHAT - RHSA-2015:0439

SUSE - openSUSE-SU-2015:0255

SUSE - SUSE-SU-2015:0290

SUSE - SUSE-SU-2015:0257

FEDORA - FEDORA-2015-2382

FEDORA - FEDORA-2015-2347

MANDRIVA - MDVSA-2015:069


Last Updated: 27 May 2016 11:08:02