PT-2014-6431 · MIT · MIT Kerberos 5
Published: 2014-12-05 · Updated: 2024-06-15 · CVE-2014-5354
CVSS v2.0: 3.5 (Low)
Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions
MIT Kerberos 5 (aka krb5) versions 1.12.x through 1.13.0
Description
The issue allows a remote authenticated user to cause a denial of service: creating a database entry for a keyless principal (a principal with no keys) triggers a NULL pointer dereference and crashes the daemon. The estimated number of potentially affected devices worldwide is not specified. No real-world incidents in which this issue was exploited are mentioned.
Recommendations
For MIT Kerberos 5 (aka krb5) versions 1.12.x through 1.13.0, update to version 1.13.1 or later to resolve the issue. As a temporary workaround, consider restricting the use of the add_principal and purgekeys commands in kadmin to minimize the risk of exploitation, and avoid creating database entries for keyless principals until the update is applied.
Affected Products
Alt Linux
MIT Kerberos 5
SUSE
Ubuntu