MIT Kerberos up to 5-1.8 kg_accept_krb5 null pointer dereference
CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
---|---|---|
6.2 | $0-$5k | 0.00 |
A vulnerability has been found in MIT Kerberos up to 5-1.8 (Network Authentication Software) and classified as critical. Affected by this vulnerability is the function kg_accept_krb5
of the component Kerberos. The manipulation with an unknown input leads to a null pointer dereference vulnerability. The CWE definition for the vulnerability is CWE-476. A NULL pointer dereference occurs when the application dereferences a pointer that it expects to be valid, but is NULL, typically causing a crash or exit. As an impact it is known to affect availability. The summary by CVE is:
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator s checksum field is missing.
The weakness was disclosed 05/18/2010 with Oracle (Website). The advisory is shared at us-cert.gov. This vulnerability is known as CVE-2010-1321 since 04/08/2010. The exploitation appears to be easy. The attack can be launched remotely. The successful exploitation needs a single authentication. Technical details are known, but no exploit is available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 09/13/2021).
It is declared as proof-of-concept. The vulnerability scanner Nessus provides a plugin with the ID 68041 (Oracle Linux 3 / 4 / 5 : krb5 (ELSA-2010-0423)), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Oracle Linux Local Security Checks. The commercial vulnerability scanner Qualys is able to test this issue with plugin 216010 (VMWare ESXi 4.1.0 Patch Release ESXi410-201010001 Missing (KB1027753)).
There is no information about possible countermeasures known. It may be suggested to replace the affected object with an alternative product.
The vulnerability is also documented in the vulnerability database at Tenable (68041). The entries 3948, 47630, 47629 and 51532 are pretty similar.
Product
Type
Vendor
Name
Version
License
CPE 2.3
CPE 2.2
CVSSv4
VulDB CVSS-B Score: 🔍VulDB CVSS-BT Score: 🔍
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 6.5VulDB Meta Temp Score: 6.2
VulDB Base Score: 6.5
VulDB Temp Score: 6.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
CVSSv2
AV | AC | Au | C | I | A |
---|---|---|---|---|---|
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
---|---|---|---|---|---|
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
unlock | unlock | unlock | unlock | unlock | unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Class: Null pointer dereferenceCWE: CWE-476 / CWE-404
CAPEC: 🔍
ATT&CK: 🔍
Local: No
Remote: Yes
Availability: 🔍
Status: Proof-of-Concept
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
0-Day | unlock | unlock | unlock | unlock |
---|---|---|---|---|
Today | unlock | unlock | unlock | unlock |
Nessus ID: 68041
Nessus Name: Oracle Linux 3 / 4 / 5 : krb5 (ELSA-2010-0423)
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Port: 🔍
OpenVAS ID: 67405
OpenVAS Name: Debian Security Advisory DSA 2052-1 (krb5)
OpenVAS File: 🔍
OpenVAS Family: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: no mitigation knownStatus: 🔍
0-Day Time: 🔍
Timeline
04/08/2010 🔍05/18/2010 🔍
05/18/2010 🔍
05/18/2010 🔍
05/19/2010 🔍
05/19/2010 🔍
05/19/2010 🔍
05/23/2010 🔍
07/12/2013 🔍
03/19/2015 🔍
09/13/2021 🔍
Sources
Vendor: mit.eduAdvisory: RHSA-2010:0423
Organization: Oracle
Status: Confirmed
Confirmation: 🔍
CVE: CVE-2010-1321 (🔍)
OVAL: 🔍
IAVM: 🔍
Vulnerability Center: 25818 - MIT Kerberos 5 GSS-API Library Remote DoS via an AP-REQ Message, Medium
SecurityFocus: 40235 - MIT Kerberos GSS-API Checksum NULL Pointer Dereference Denial Of Service Vulnerability
Secunia: 39762 - Kerberos GSS-API NULL Pointer Dereference Vulnerability, Less Critical
OSVDB: 64744 - Kerberos GSS-API AP-REQ Authenticator NULL Dereference Remote DoS
Vupen: ADV-2010-1177
See also: 🔍
Entry
Created: 03/19/2015 12:22Updated: 09/13/2021 23:15
Changes: 03/19/2015 12:22 (71), 02/24/2017 21:42 (14), 09/13/2021 22:48 (3), 09/13/2021 23:02 (1), 09/13/2021 23:15 (2)
Complete: 🔍
No comments yet. Languages: en.
Please log in to comment.