Taylor Yu

PT-2013-1188 · CVSS 8.5 · published 2013-04-16
MIT · krb5-devel · CVE-2013-1416
**Name of the Vulnerable Software and Affected Versions**

- krb5-server 1.10.3
- krb5-devel 1.10.3
- krb5-pkinit-openssl 1.10.3
- krb5-debuginfo 1.10.3
- krb5-workstation 1.10.3
- krb5-server-ldap 1.10.3
- krb5-libs 1.10.3
- mit-krb5 prior to 1.11.4

**Description**

The `prep_reprocess_req()` function in `do_tgs_req.c` in the Key Distribution Center (KDC) of MIT Kerberos 5 does not properly perform service-principal realm referral. A remote authenticated user can send a crafted TGS-REQ that makes the KDC dereference a NULL pointer and crash. "Authenticated" sets a low bar here: a TGS-REQ only needs a valid ticket-granting ticket, so any principal in the realm (or in a realm that trusts it) can trigger the crash, and can do so repeatedly.

The entry's CVSS score counts confidentiality and integrity impact, but the vulnerability as described is a denial of service: while the krb5kdc process is down, no tickets are issued for that realm, so every service that authenticates with Kerberos stops accepting new logins until the daemon is restarted. The vulnerable code runs only in the KDC; the library, client and debuginfo packages are listed because they are built from the same krb5 source and are updated as a set.

**Recommendations**

For the 1.10.3 packages listed above (krb5-server, krb5-devel, krb5-pkinit-openssl, krb5-debuginfo, krb5-workstation, krb5-server-ldap and krb5-libs), update to a version later than 1.10.5. For mit-krb5 versions prior to 1.11.4, update to version 1.11.4 or later. Distribution packages often carry a backported fix without changing the upstream version number, so check the vendor changelog (for example `rpm -q --changelog krb5-server | grep CVE-2013-1416`) rather than relying on the version string alone.

There is no configuration workaround: `prep_reprocess_req()` is an internal KDC code path, not a tunable, and cannot be disabled. Until the KDC is patched, the only mitigations are limiting network reachability of the KDC ports to hosts that need them (which does not stop a malicious realm member) and running krb5kdc under a supervisor that restarts it after a crash so that each attack costs seconds rather than an outage.
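The version thresholds above are easy to misapply when the version string comes from `krb5-config --version` or an `rpm -q` line rather than a bare number. The following checker is an added example, not code from the advisory or from MIT krb5: it parses either string form and applies exactly the thresholds this entry states (1.10.x must be newer than 1.10.5; anything else must be 1.11.4 or newer). The sample strings in `main` are constructed for illustration, and the checker says nothing about vendor backports, which must still be confirmed from the package changelog.

```python
"""Check an MIT krb5 version string against the thresholds in this CVE-2013-1416 entry."""
import re
import subprocess
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Thresholds as stated in this advisory entry (assumption: the entry is authoritative;
# the MIT release notes and vendor changelogs were not consulted here).
LAST_AFFECTED_110: Version = (1, 10, 5)   # 1.10.x must be "later than 1.10.5"
FIRST_FIXED_111: Version = (1, 11, 4)     # everything else must be 1.11.4 or later

# First dotted version anywhere in the string; the patch level is optional ("1.11" -> 1.11.0).
_VER_RE = re.compile(r"(\d+)\.(\d+)(?:\.(\d+))?")


def parse_version(text: str) -> Optional[Version]:
    """Extract a (major, minor, patch) tuple from strings such as
    'Kerberos 5 release 1.10.3'   (krb5-config --version)
    'krb5-server-1.10.3-10.el6_4.2.x86_64'   (rpm -q krb5-server)
    Returns None when no dotted version is present."""
    m = _VER_RE.search(text)
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or "0"))


def is_affected(version: Version) -> bool:
    """Apply the entry's per-branch thresholds."""
    major, minor, _ = version
    if (major, minor) == (1, 10):
        return version <= LAST_AFFECTED_110
    return version < FIRST_FIXED_111


def assess(text: str) -> str:
    """Human-readable verdict for one version string."""
    v = parse_version(text)
    if v is None:
        return "unknown: no version found in %r" % text
    state = "AFFECTED" if is_affected(v) else "fixed"
    return "%d.%d.%d %s" % (v[0], v[1], v[2], state)


def installed_version() -> Optional[Version]:
    """Ask the local krb5-config for the library release; None if it is not installed."""
    try:
        out = subprocess.run(
            ["krb5-config", "--version"], capture_output=True, text=True, check=True
        ).stdout
    except (OSError, subprocess.CalledProcessError):
        return None
    return parse_version(out)


if __name__ == "__main__":
    # Constructed sample inputs covering both string forms and both branches.
    samples = [
        "Kerberos 5 release 1.10.3",
        "krb5-server-1.10.3-10.el6_4.2.x86_64",
        "Kerberos 5 release 1.10.6",
        "krb5-libs-1.11.3-1.fc19.x86_64",
        "Kerberos 5 release 1.11.4",
        "Kerberos 5 release 1.9.5",
    ]
    for s in samples:
        print("%-45s -> %s" % (s, assess(s)))
    local = installed_version()
    if local is not None:
        print("local krb5-config reports %s" % assess("%d.%d.%d" % local))
```

A version that this script reports as AFFECTED may still be safe on a distribution that backported the fix; treat the verdict as a prompt to check the changelog, not as a final answer.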