Greg Hudson

**Nome do software vulnerável e versões afetadas** Versões do MIT Kerberos 5 anteriores à 1.19.4 e versões 1.20.x anteriores à 1.20.1 Versões do Heimdal anteriores à 7.7.1 Versões do Samba anteriores à 4.15.12, 4.16.7 e 4.17.3 **Descrição** O problema está relacionado a estouros de inteiros na análise PAC no MIT Kerberos 5 e no Heimdal, o que pode levar à execução remota de código em plataformas de 32 bits e causar uma negação de serviço em outras plataformas. Isso ocorre na função `krb5 pac parse` em `lib/krb5/krb/pac.c`. A vulnerabilidade pode ser explorada enviando-se uma solicitação especialmente criada para um servidor KDC, permitindo que um invasor autenticado cause um estouro de buffer com dados controlados. A exploração bem-sucedida pode levar à negação de serviço ou à execução remota de código. **Recomendações** Para versões do MIT Kerberos 5 anteriores à 1.19.4 e do Heimdal anteriores à 1.20.1, atualize para a versão 1.19.4 ou 1.20.1 ou posterior. Para versões do Heimdal anteriores à 7.7.1, atualize para a versão 7.7.1 ou posterior. Para versões do Samba anteriores à 4.15.12, 4.16.7 e 4.17.3, atualize para a versão 4.15.12, 4.16.7 ou 4.17.3 ou posterior. Como solução alternativa temporária, considere restringir o acesso ao servidor KDC e limitar o uso da função `krb5 pac parse` até que um patch esteja disponível.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 63.0.3239.84 Opera (affected versions not specified) **Description** The issue is related to an inappropriate implementation in BoringSSL SPAKE2, which allows a remote attacker to leak the low-order bits of `SHA512(password)` by inspecting protocol traffic. This could potentially compromise the security of user passwords. **Recommendations** For Google Chrome versions prior to 63.0.3239.84, update to version 63.0.3239.84 or later to resolve the issue. For Opera, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 (krb5) versions prior to 1.13.4 MIT Kerberos 5 (krb5) versions 1.14.x prior to 1.14.1 **Description** The issue allows remote authenticated users to obtain sensitive information or cause a denial of service due to an out-of-bounds read. This is caused by the `xdr nullstring` function in `lib/kadm5/kadm rpc xdr.c` in kadmind not verifying whether '0' characters exist as expected, allowing exploitation via a crafted string. **Recommendations** For versions prior to 1.13.4, update to version 1.13.4 or later. For versions 1.14.x prior to 1.14.1, update to version 1.14.1 or later.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 (aka krb5) versions 1.12.x through 1.13.x before 1.13.4 MIT Kerberos 5 (aka krb5) versions 1.14.x before 1.14.1 **Description** The issue allows remote authenticated users to cause a denial of service, resulting in a daemon crash due to a NULL pointer dereference. This occurs when the `KADM5 POLICY` is specified with a NULL policy name, affecting the `kadm5 create principal 3` and `kadm5 modify principal` functions. **Recommendations** For versions 1.12.x through 1.13.x before 1.13.4, update to version 1.13.4 or later. For versions 1.14.x before 1.14.1, update to version 1.14.1 or later. As a temporary workaround, consider restricting access to the `kadm5 create principal 3` and `kadm5 modify principal` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 (aka krb5) version 1.14 pre-release 2015-09-14 **Description** The issue is related to the `iakerb gss export sec context` function in `lib/gssapi/krb5/iakerb.c`, which improperly accesses a certain pointer. This allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the `gss export sec context` function. **Recommendations** For MIT Kerberos 5 (aka krb5) version 1.14 pre-release 2015-09-14, consider updating to a newer version that correctly fixes the issue, as the current version contains an incorrect fix that introduces this problem. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 versions prior to 1.14 **Description** The issue allows remote authenticated users to cause a denial of service, resulting in an out-of-bounds read and KDC crash. This can be achieved by including an initial '0' character in a long realm field within a TGS request. **Recommendations** For versions prior to 1.14, update to version 1.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the `build principal va` function in lib/krb5/krb/bld princ.c to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 versions 1.12.x through 1.13.1 **Description** The issue allows remote attackers to bypass an intended preauthentication requirement. This can be achieved by providing either zero bytes of data or an arbitrary realm name. The problem is related to the kdcpreauth modules in MIT Kerberos 5, specifically in the plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit srv.c files. **Recommendations** For versions 1.12.x through 1.13.1, update to version 1.13.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the kdcpreauth modules until a patch is available.