Arch Linux Security Advisory ASA-201507-11
=========================================
Severity: Medium
Date    : 2015-07-12
CVE-ID  : CVE-2014-5355 CVE-2015-2694
Package : lib32-krb5
Type    : multiple issues
Remote  : Yes
Link    : https://wiki.archlinux.org/title/CVE

Summary
======
The package lib32-krb5 before version 1.13.2-2 is vulnerable to multiple
issues including denial of service and preauthentication requirement bypass.

Resolution
=========
Upgrade to 1.13.2-2.

# pacman -Syu "lib32-krb5>=1.13.2-2"

The problems have been fixed upstream in version 1.13.2.

Workaround
=========
None.

Description
==========
- CVE-2014-5355 (denial of service)

When a server process uses the krb5_recvauth function, an
unauthenticated remote attacker can cause a NULL dereference by sending
a zero-byte version string, or a read beyond the end of allocated
storage by sending a non-null-terminated version string. The example
user-to-user server application (uuserver) is similarly vulnerable to a
zero-length or non-null-terminated principal name string.

The krb5_recvauth function reads two version strings from the client
using krb5_read_message(), which produces a krb5_data structure
containing a length and a pointer to an octet sequence. krb5_recvaut
assumes that the data pointer is a valid C string and passes it to
strcmp() to verify the versions.  If the client sends an empty octet
sequence, the data pointer will be NULL and strcmp() will dereference a
NULL pointer, causing the process to crash.  If the client sends a
non-null-terminated octet sequence, strcmp() will read beyond the end of
the allocated storage, possibly causing the process to crash.

- CVE-2015-2694 (preauthentication requirement bypass)

It has been discovered that, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user's password.

Impact
=====
A remote attacker is able to send specially crafted packets to perform a
denial of service attack or bypass the requires_preauth flag and obtain
ciphertext that could be used to conduct an off-line dictionary attack
against the user's password.

References
=========
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8050
https://krbdev.mit.edu/rt/Ticket/Display.html?id=8160
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5355
https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2694
https://bugs.archlinux.org/task/45575

ArchLinux: 201507-11: lib32-krb5: multiple issues

July 12, 2015

Summary

- CVE-2014-5355 (denial of service) When a server process uses the krb5_recvauth function, an unauthenticated remote attacker can cause a NULL dereference by sending a zero-byte version string, or a read beyond the end of allocated storage by sending a non-null-terminated version string. The example user-to-user server application (uuserver) is similarly vulnerable to a zero-length or non-null-terminated principal name string.
The krb5_recvauth function reads two version strings from the client using krb5_read_message(), which produces a krb5_data structure containing a length and a pointer to an octet sequence. krb5_recvaut assumes that the data pointer is a valid C string and passes it to strcmp() to verify the versions. If the client sends an empty octet sequence, the data pointer will be NULL and strcmp() will dereference a NULL pointer, causing the process to crash. If the client sends a non-null-terminated octet sequence, strcmp() will read beyond the end of the allocated storage, possibly causing the process to crash.
- CVE-2015-2694 (preauthentication requirement bypass)
It has been discovered that, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.

Resolution

Upgrade to 1.13.2-2. # pacman -Syu "lib32-krb5>=1.13.2-2"
The problems have been fixed upstream in version 1.13.2.

References

https://krbdev.mit.edu/rt/Ticket/Display.html?id=8050 https://krbdev.mit.edu/rt/Ticket/Display.html?id=8160 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-5355 https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2694 https://bugs.archlinux.org/task/45575

Severity
Package : lib32-krb5
Type : multiple issues
Remote : Yes
Link : https://wiki.archlinux.org/title/CVE

Workaround

None.

Related News

Parrot OS 6.3: Elevating Security with Enhanced Features & Tools
3 - 5 min read
Parrot OS 6.3 has just arrived , bringing crucial updates that security admins should note. This latest version of the popular secure Linux
Linux Kernel 6.14 Released: Top Security Features You Need to Know
3 - 6 min read
With the release of Linux kernel 6.14 , admins and Linux users have many new features and enhancements to look forward to - especially in the realm
Don
2 - 4 min read
Google recently issued a crucial Chrome update that those using a version of the browser prior to version 132.0.6834.110 should implement
Intel Brings Next-Level Security to Linux with Partner Security Engine
3 - 6 min read
Intel recently introduced a game-changer in hardware security with its new Partner Security Engine integrated into the Core Ultra Series 2. This
A Tiny Linux Kernel Tweak with Massive Implications for Datacenter Efficiency
3 - 6 min read
In a groundbreaking development, security researchers have introduced a small but mighty tweak to the Linux kernel that promises to cut data center
Best Practices for Securing Linux Systems Against Malicious Bots
3 - 6 min read
Linux systems have long been an indispensable asset to businesses and individuals alike. From running servers and cloud infrastructure to powering
Securing Open-Source Projects with Automated Testing on Linux
4 - 7 min read
Open-source project security testing focuses on many components, ensuring there are no safety vulnerabilities. These components include physical
KaOS Linux 2025.01: Merging Security with Practicality
3 - 6 min read
As the realm of Linux distribution expands, security admins find themselves faced with choosing a system that fits operational needs and upholds

Get the Latest News & Insights

Sign up to get the latest security news affecting Linux and open source delivered straight to your inbox.

© 2024 Guardian Digital, Inc All Rights Reserved