Vulmon Recent Vulnerabilities Research Posts Trends Blog About Contact

DSA-2518-1 krb5 -- denial of service and remote code execution

Related Vulnerabilities: CVE-2012-1014   CVE-2012-1015  

Emmanuel Bouillon from NCI Agency discovered multiple vulnerabilities in MIT Kerberos, a daemon implementing the network authentication protocol. CVE-2012-1014 By sending specially crafted AS-REQ (Authentication Service Request) to a KDC (Key Distribution Center), an attacker could make it free an uninitialized pointer, corrupting the heap. This can lead to process crash or even arbitrary code execution. This CVE only affects testing (wheezy) and unstable (sid) distributions. CVE-2012-1015 By sending specially crafted AS-REQ to a KDC, an attacker could make it dereference an uninitialized pointer, leading to process crash or even arbitrary code execution In both cases, arbitrary code execution is believed to be difficult to achieve, but might not be impossible. For the stable distribution (squeeze), this problem has been fixed in version 1.8.3+dfsg-4squeeze6. For the testing distribution (wheezy), this problem has been fixed in version 1.10.1+dfsg-2. For the unstable distribution (sid), this problem has been fixed in version 1.10.1+dfsg-2. We recommend that you upgrade your krb5 packages.

Source

Debian Security Advisory

DSA-2518-1 krb5 -- denial of service and remote code execution

Date Reported:
31 Jul 2012
Affected Packages:
krb5
Vulnerable:
Yes
Security database references:
In the Debian bugtracking system: Bug 683429.
In Mitre's CVE dictionary: CVE-2012-1014, CVE-2012-1015.
More information:

Emmanuel Bouillon from NCI Agency discovered multiple vulnerabilities in MIT Kerberos, a daemon implementing the network authentication protocol.

  • CVE-2012-1014

    By sending specially crafted AS-REQ (Authentication Service Request) to a KDC (Key Distribution Center), an attacker could make it free an uninitialized pointer, corrupting the heap. This can lead to process crash or even arbitrary code execution.

    This CVE only affects testing (wheezy) and unstable (sid) distributions.

  • CVE-2012-1015

    By sending specially crafted AS-REQ to a KDC, an attacker could make it dereference an uninitialized pointer, leading to process crash or even arbitrary code execution

In both cases, arbitrary code execution is believed to be difficult to achieve, but might not be impossible.

For the stable distribution (squeeze), this problem has been fixed in version 1.8.3+dfsg-4squeeze6.

For the testing distribution (wheezy), this problem has been fixed in version 1.10.1+dfsg-2.

For the unstable distribution (sid), this problem has been fixed in version 1.10.1+dfsg-2.

We recommend that you upgrade your krb5 packages.

Vulmon Search

Vulmon Search is a vulnerability search engine. It gives comprehensive vulnerability information through a very simple user interface.

About

Home Recent Vulnerabilities Research Posts Trends Blog About Contact

Products

Vulmon Search Vulmon Research Vulmon Alerts Vulmap

Connect

Twitter Reddit Linkedin Facebook

Vulnerability Notification Service
You don’t have to wait for vulnerability scanning results
Get Started