USN-2310-1
Vulnerability Summary
Timeline
Description
krb5 vulnerabilities It was discovered that Kerberos incorrectly handled certain crafted Draft 9 requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 12.04 LTS. (CVE-2012-1016) It was discovered that Kerberos incorrectly handled certain malformed KRB5_PADATA_PK_AS_REQ AS-REQ requests. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1415) It was discovered that Kerberos incorrectly handled certain crafted TGS-REQ requests. A remote authenticated attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1416) It was discovered that Kerberos incorrectly handled certain crafted requests when multiple realms were configured. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. This issue only affected Ubuntu 10.04 LTS and Ubuntu 12.04 LTS. (CVE-2013-1418, CVE-2013-6800) It was discovered that Kerberos incorrectly handled certain invalid tokens. If a remote attacker were able to perform a machine-in-the-middle attack, this flaw could be used to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4341, CVE-2014-4342) It was discovered that Kerberos incorrectly handled certain mechanisms when used with SPNEGO. If a remote attacker were able to perform a machine-in-the-middle attack, this flaw could be used to cause clients to crash, resulting in a denial of service. (CVE-2014-4343) It was discovered that Kerberos incorrectly handled certain continuation tokens during SPNEGO negotiations. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service. (CVE-2014-4344) Tomas Kuthan and Greg Hudson discovered that the Kerberos kadmind daemon incorrectly handled buffers when used with the LDAP backend. A remote attacker could use this issue to cause the daemon to crash, resulting in a denial of service, or possibly execute arbitrary code. (CVE-2014-4345)
Affected Systems
- ubuntu•krb5
< 1.12+dfsg-2ubuntu4.2
References (11)
- https://ubuntu.com/security/notices/USN-2310-1
- https://ubuntu.com/security/CVE-2012-1016
- https://ubuntu.com/security/CVE-2013-1415
- https://ubuntu.com/security/CVE-2013-1416
- https://ubuntu.com/security/CVE-2013-1418
- https://ubuntu.com/security/CVE-2013-6800
- https://ubuntu.com/security/CVE-2014-4341
- https://ubuntu.com/security/CVE-2014-4342
- https://ubuntu.com/security/CVE-2014-4343
- https://ubuntu.com/security/CVE-2014-4344
- https://ubuntu.com/security/CVE-2014-4345