Greg Hudson

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 versions prior to 1.19.4 and 1.20.x prior to 1.20.1 Heimdal versions prior to 7.7.1 Samba versions prior to 4.15.12, 4.16.7, and 4.17.3 **Description** The issue is related to integer overflows in the PAC parsing in MIT Kerberos 5 and Heimdal, which may lead to remote code execution on 32-bit platforms and cause a denial of service on other platforms. This occurs in the `krb5 pac parse` function in `lib/krb5/krb/pac.c`. The vulnerability can be exploited by sending a specially crafted request to a KDC server, allowing an authenticated attacker to overflow a buffer with controlled data. Successful exploitation can lead to denial of service or remote code execution. **Recommendations** For MIT Kerberos 5 versions prior to 1.19.4 and 1.20.x prior to 1.20.1, update to version 1.19.4 or 1.20.1 or later. For Heimdal versions prior to 7.7.1, update to version 7.7.1 or later. For Samba versions prior to 4.15.12, 4.16.7, and 4.17.3, update to version 4.15.12, 4.16.7, or 4.17.3 or later. As a temporary workaround, consider restricting access to the KDC server and limiting the use of the `krb5 pac parse` function until a patch is available.

**Name of the Vulnerable Software and Affected Versions** Google Chrome versions prior to 63.0.3239.84 Opera (affected versions not specified) **Description** The issue is related to an inappropriate implementation in BoringSSL SPAKE2, which allows a remote attacker to leak the low-order bits of `SHA512(password)` by inspecting protocol traffic. This could potentially compromise the security of user passwords. **Recommendations** For Google Chrome versions prior to 63.0.3239.84, update to version 63.0.3239.84 or later to resolve the issue. For Opera, at the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 (krb5) versions prior to 1.13.4 MIT Kerberos 5 (krb5) versions 1.14.x prior to 1.14.1 **Description** The issue allows remote authenticated users to obtain sensitive information or cause a denial of service due to an out-of-bounds read. This is caused by the `xdr nullstring` function in `lib/kadm5/kadm rpc xdr.c` in kadmind not verifying whether '0' characters exist as expected, allowing exploitation via a crafted string. **Recommendations** For versions prior to 1.13.4, update to version 1.13.4 or later. For versions 1.14.x prior to 1.14.1, update to version 1.14.1 or later.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 (aka krb5) versions 1.12.x through 1.13.x before 1.13.4 MIT Kerberos 5 (aka krb5) versions 1.14.x before 1.14.1 **Description** The issue allows remote authenticated users to cause a denial of service, resulting in a daemon crash due to a NULL pointer dereference. This occurs when the `KADM5 POLICY` is specified with a NULL policy name, affecting the `kadm5 create principal 3` and `kadm5 modify principal` functions. **Recommendations** For versions 1.12.x through 1.13.x before 1.13.4, update to version 1.13.4 or later. For versions 1.14.x before 1.14.1, update to version 1.14.1 or later. As a temporary workaround, consider restricting access to the `kadm5 create principal 3` and `kadm5 modify principal` functions until a patch is available.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 (aka krb5) version 1.14 pre-release 2015-09-14 **Description** The issue is related to the `iakerb gss export sec context` function in `lib/gssapi/krb5/iakerb.c`, which improperly accesses a certain pointer. This allows remote authenticated users to cause a denial of service (memory corruption) or possibly have unspecified other impact by interacting with an application that calls the `gss export sec context` function. **Recommendations** For MIT Kerberos 5 (aka krb5) version 1.14 pre-release 2015-09-14, consider updating to a newer version that correctly fixes the issue, as the current version contains an incorrect fix that introduces this problem. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 versions prior to 1.14 **Description** The issue allows remote authenticated users to cause a denial of service, resulting in an out-of-bounds read and KDC crash. This can be achieved by including an initial '0' character in a long realm field within a TGS request. **Recommendations** For versions prior to 1.14, update to version 1.14 or later to resolve the issue. As a temporary workaround, consider restricting access to the `build principal va` function in lib/krb5/krb/bld princ.c to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** MIT Kerberos 5 versions 1.12.x through 1.13.1 **Description** The issue allows remote attackers to bypass an intended preauthentication requirement. This can be achieved by providing either zero bytes of data or an arbitrary realm name. The problem is related to the kdcpreauth modules in MIT Kerberos 5, specifically in the plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit srv.c files. **Recommendations** For versions 1.12.x through 1.13.1, update to version 1.13.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the kdcpreauth modules until a patch is available.