SB2015121405 - Amazon Linux AMI update for krb5

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2015121405

SB2015121405 - Amazon Linux AMI update for krb5

Published: December 14, 2015 Updated: May 27, 2022

Security Bulletin ID SB2015121405
Severity
Medium
Patch available
YES
Number of vulnerabilities 2
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 2 secuirty vulnerabilities.


1) Input validation error (CVE-ID: CVE-2014-5355)

The vulnerability allows remote attackers to perform a denial of service (DoS) attack.

The vulnerability exists due to insufficient validation of user-supplied input. A remote attacker can (1) cause a denial of service (NULL pointer dereference) via a zero-byte version string or (2) cause a denial of service (out-of-bounds read) by omitting the '' character, related to appl/user_user/server.c and lib/krb5/krb/recvauth.c.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2015-2694)

The vulnerability allows a remote non-authenticated attacker to read and manipulate data.

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.


Remediation

Install update from vendor's website.

References