CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
99.3%
Package : krb5
Version : 1.10.1+dfsg-5+deb7u9
CVE ID : CVE-2013-1418 CVE-2014-5351 CVE-2014-5353
CVE-2014-5355 CVE-2016-3119 CVE-2016-3120
Debian Bug : 728845 762479 773226 778647 819468 832572
Kerberos, a system for authenticating users and services on a network,
was affected by several vulnerabilities. The Common Vulnerabilities
and Exposures project identifies the following issues.
CVE-2013-1418
Kerberos allows remote attackers to cause a denial of service
(NULL pointer dereference and daemon crash) via a crafted request
when multiple realms are configured.
CVE-2014-5351
Kerberos sends old keys in a response to a -randkey -keepold
request, which allows remote authenticated users to forge tickets by
leveraging administrative access.
CVE-2014-5353
When the KDC uses LDAP, allows remote authenticated users to cause a
denial of service (daemon crash) via a successful LDAP query with no
results, as demonstrated by using an incorrect object type for a
password policy.
CVE-2014-5355
Kerberos expects that a krb5_read_message data field is represented
as a string ending with a '\0' character, which allows remote
attackers to (1) cause a denial of service (NULL pointer
dereference) via a zero-byte version string or (2) cause a denial of
service (out-of-bounds read) by omitting the '\0' character,
CVE-2016-3119
Kerberos allows remote authenticated users to cause a denial of
service (NULL pointer dereference and daemon crash) via a crafted
request to modify a principal.
CVE-2016-3120
Kerberos allows remote authenticated users to cause a denial of
service (NULL pointer dereference and daemon crash) via an S4U2Self
request.
For Debian 7 "Wheezy", these problems have been fixed in version
1.10.1+dfsg-5+deb7u9.
We recommend that you upgrade your krb5 packages.
Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS
OS | Version | Architecture | Package | Version | Filename |
---|---|---|---|---|---|
Debian | 7 | i386 | krb5-kdc | < 1.10.1+dfsg-5+deb7u9 | krb5-kdc_1.10.1+dfsg-5+deb7u9_i386.deb |
Debian | 7 | amd64 | krb5-admin-server | < 1.10.1+dfsg-5+deb7u9 | krb5-admin-server_1.10.1+dfsg-5+deb7u9_amd64.deb |
Debian | 7 | armhf | krb5-multidev | < 1.10.1+dfsg-5+deb7u9 | krb5-multidev_1.10.1+dfsg-5+deb7u9_armhf.deb |
Debian | 7 | i386 | krb5-user | < 1.10.1+dfsg-5+deb7u9 | krb5-user_1.10.1+dfsg-5+deb7u9_i386.deb |
Debian | 7 | armhf | krb5-user | < 1.10.1+dfsg-5+deb7u9 | krb5-user_1.10.1+dfsg-5+deb7u9_armhf.deb |
Debian | 7 | armel | libgssrpc4 | < 1.10.1+dfsg-5+deb7u9 | libgssrpc4_1.10.1+dfsg-5+deb7u9_armel.deb |
Debian | 7 | amd64 | libkdb5-6 | < 1.10.1+dfsg-5+deb7u9 | libkdb5-6_1.10.1+dfsg-5+deb7u9_amd64.deb |
Debian | 7 | amd64 | libkadm5srv-mit8 | < 1.10.1+dfsg-5+deb7u9 | libkadm5srv-mit8_1.10.1+dfsg-5+deb7u9_amd64.deb |
Debian | 7 | armhf | libkrb5-3 | < 1.10.1+dfsg-5+deb7u9 | libkrb5-3_1.10.1+dfsg-5+deb7u9_armhf.deb |
Debian | 7 | armhf | krb5-pkinit | < 1.10.1+dfsg-5+deb7u9 | krb5-pkinit_1.10.1+dfsg-5+deb7u9_armhf.deb |
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:N/I:N/A:P
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
HIGH
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
AI Score
Confidence
High
EPSS
Percentile
99.3%