Rapid7 Vulnerability & Exploit Database

RHSA-2011:0200: krb5 security update

Severity: 5
CVSS: (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Published: 02/10/2011
Created: 07/25/2018
Added: 02/10/2011
Modified: 07/04/2017

Description

Kerberos is a network authentication system which allows clients and servers to authenticate to each other using symmetric encryption and a trusted third-party, the Key Distribution Center (KDC).

A NULL pointer dereference flaw was found in the way the MIT Kerberos KDC processed principal names that were not null terminated, when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to crash the KDC via a specially-crafted request. (CVE-2011-0282)

A denial of service flaw was found in the way the MIT Kerberos KDC processed certain principal names when the KDC was configured to use an LDAP back end. A remote attacker could use this flaw to cause the KDC to hang via a specially-crafted request. (CVE-2011-0281)

A denial of service flaw was found in the way the MIT Kerberos V5 slave KDC update server (kpropd) processed certain update requests for KDC database propagation. A remote attacker could use this flaw to terminate the kpropd daemon via a specially-crafted update request. (CVE-2010-4022)

Red Hat would like to thank the MIT Kerberos Team for reporting the CVE-2011-0282 and CVE-2011-0281 issues. Upstream acknowledges Kevin Longfellow of Oracle Corporation as the original reporter of the CVE-2011-0281 issue.

All krb5 users should upgrade to these updated packages, which contain backported patches to correct these issues. After installing the updated packages, the krb5kdc daemon will be restarted automatically.

Solution(s)

  • redhat-upgrade-krb5-debuginfo
  • redhat-upgrade-krb5-devel
  • redhat-upgrade-krb5-libs
  • redhat-upgrade-krb5-pkinit-openssl
  • redhat-upgrade-krb5-server
  • redhat-upgrade-krb5-server-ldap
  • redhat-upgrade-krb5-workstation
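Which of the three flaws a given host is actually exposed to depends on two conditions the advisory states: CVE-2011-0282 and CVE-2011-0281 need the KDC to be using the LDAP back end, and CVE-2010-4022 needs kpropd to be accepting propagation requests. The POSIX shell script below is an added example, not Red Hat's or MIT's code, that decides both from the KDC configuration file and the process table. It assumes the LDAP back end is selected by `db_library = kldap` inside the `[dbmodules]` section of kdc.conf, that a running process named kpropd means the slave KDC update service is up, and that the RHEL default path is /var/kerberos/krb5kdc/kdc.conf; the function names and the sample configurations are the example's own.

```shell
#!/bin/sh
# Exposure check for the three flaws in RHSA-2011:0200. Added example, not
# Red Hat's or MIT's code. Per the advisory, CVE-2011-0282 and CVE-2011-0281
# only reach a KDC that uses the LDAP back end, and CVE-2010-4022 only reaches
# a host running kpropd, so the check reads kdc.conf and the process table.

# kdc_uses_ldap FILE
# Returns 0 if an entry in the [dbmodules] section of FILE selects the LDAP
# back end with "db_library = kldap" (assumption: that is how the MIT LDAP
# database module is enabled; the advisory does not name the setting), 1 if
# not. Comment lines are skipped. This is an approximation: a module defined
# in [dbmodules] is only active if a realm's database_module refers to it.
kdc_uses_ldap() {
    awk '
        /^[[:space:]]*#/ { next }
        # Track the current [section]; keys outside [dbmodules] are ignored.
        /^[[:space:]]*\[/ {
            section = $0
            sub(/^[[:space:]]*\[/, "", section)
            sub(/\].*$/, "", section)
        }
        section == "dbmodules" && /db_library[[:space:]]*=[[:space:]]*kldap/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$1"
}

# kpropd_running
# Returns 0 if a process named kpropd exists, 1 if not, 2 if it cannot be
# determined on this host (no pgrep).
kpropd_running() {
    command -v pgrep >/dev/null 2>&1 || return 2
    pgrep -x kpropd >/dev/null 2>&1
}

# rhsa_2011_0200_report FILE
# Prints one line per advisory CVE with this host's exposure, derived from
# FILE (the KDC configuration) and the process table.
rhsa_2011_0200_report() {
    if [ ! -r "$1" ]; then
        ldap_state="unknown ($1 not readable)"
    elif kdc_uses_ldap "$1"; then
        ldap_state="exposed (kldap module configured in $1)"
    else
        ldap_state="not exposed (no kldap module in $1)"
    fi
    echo "CVE-2011-0282 KDC crash via LDAP back end: $ldap_state"
    echo "CVE-2011-0281 KDC hang via LDAP back end:  $ldap_state"

    # "|| rc=$?" keeps a non-zero status from aborting the script under set -e.
    rc=0
    kpropd_running || rc=$?
    case $rc in
        0) echo "CVE-2010-4022 kpropd crash:                exposed (kpropd is running)" ;;
        1) echo "CVE-2010-4022 kpropd crash:                not exposed (kpropd not running)" ;;
        *) echo "CVE-2010-4022 kpropd crash:                unknown (pgrep not available)" ;;
    esac
}

# Stand-alone use: ./rhsa_2011_0200_check.sh [kdc.conf]; without an argument the
# RHEL default location is used (assumption: /var/kerberos/krb5kdc/kdc.conf).
if [ "$#" -gt 0 ] || [ -r /var/kerberos/krb5kdc/kdc.conf ]; then
    rhsa_2011_0200_report "${1:-/var/kerberos/krb5kdc/kdc.conf}"
fi
```

"Not exposed" only means the vulnerable code path is not reachable in the current configuration; the advisory's instruction to upgrade the listed packages still applies, since enabling the LDAP back end or starting kpropd later would reopen the exposure on an unpatched host.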
