Published: 25/05/2015 Updated: 21/01/2020

CVSS v2 Base Score: 5.8 | Impact Score: 4.9 | Exploitability Score: 8.6

VMScore: 517

Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x prior to 1.13.2 do not properly track whether a client's request has been validated, which allows remote malicious users to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.

Vulnerable Product	Search on Vulmon	Subscribe to Product
mit kerberos 5 1.13.1
mit kerberos 5 1.12.1
mit kerberos 5 1.12.2
mit kerberos 5 1.12.3
mit kerberos 5 1.13
mit kerberos 5 1.12

Synopsis Moderate: krb5 security, bug fix, and enhancement update Type/Severity Security Advisory: Moderate Topic Updated krb5 packages that fix two security issues, several bugs, and addvarious enhancements are now available for Red Hat Enterprise Linux 7Red Hat Product Security has rated this update as h ...

Several security issues were fixed in Kerberos ...

Debian Bug report logs - #819468 krb5: CVE-2016-3119: null pointer dereference in kadmin Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Tue, 29 Mar 2016 05:15:01 UTC Severity: important Tags: fixed-upstream, patch, security, ...

Debian Bug report logs - #832572 krb5: CVE-2016-3120: Fix S4U2Self KDC crash when anon is restricted Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debianorg>; Reported by: Salvatore Bonaccorso <carnil@debianorg> Date: Wed, 27 Jul 2016 05:48:01 UTC Severity: important Tags: patch, security, ups ...

Debian Bug report logs - #869260 CVE-2017-11368 Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debianorg>; Reported by: Moritz Muehlenhoff <jmm@debianorg> Date: Sat, 22 Jul 2017 06:42:01 UTC Severity: grave Tags: fixed-upstream, security, upstream Found in version krb5/1101+dfsg-5 Fixed in v ...

Debian Bug report logs - #783557 CVE-2015-2694 in krb5-otp, krb5-pkinit Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debianorg>; Reported by: Benjamin Kaduk <kaduk@MITEDU> Date: Mon, 27 Apr 2015 22:39:02 UTC Severity: normal Tags: fixed-upstream, security, upstream Found in version krb5/112 ...

A flaw was found in the OTP kdcpreauth module of MIT Kerberos A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key This ciphertext could be used to conduct an off-line dictionary attack against the user's password It was found that the k ...

CWE-264 http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160 https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604 http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2015-2719645.html http://www.securityfocus.com/bid/74824 http://www.ubuntu.com/usn/USN-2810-1 https://access.redhat.com/errata/RHSA-2015:2154 https://usn.ubuntu.com/2810-1/https://nvd.nist.gov https://access.redhat.com/security/cve/cve-2015-2694

Get Started

CVE-2015-2694

Vulnerability Summary

Vendor Advisories

References

Vulmon Search

About

Products

Connect