CVE-2013-1415

Name of the Vulnerable Software and Affected Versions MIT Kerberos 5 versions 1.10.3 through 1.10.4 and 1.11.x through 1.11.1

Description The issue is related to the PKINIT implementation in the Key Distribution Center (KDC) in MIT Kerberos 5. It does not properly handle errors during extraction of fields from an X.509 certificate, which allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via a malformed KRB5 PADATA PK AS REQ AS-REQ request. The vulnerability can be exploited by a remote attacker who has passed the authentication procedure, potentially leading to a violation of confidentiality, integrity, and availability of protected information.

Recommendations For versions 1.10.3 through 1.10.4, update to version 1.10.4 or later. For versions 1.11.x through 1.11.1, update to version 1.11.1 or later. As a temporary workaround, consider restricting access to the pkinit check kdc pkid function in the plugins/preauth/pkinit/pkinit crypto openssl.c file until a patch is available.