CVE-2014-9421

Name of the Vulnerable Software and Affected Versions MIT Kerberos 5 versions 1.11.5 and earlier MIT Kerberos 5 versions 1.12.x through 1.12.2 MIT Kerberos 5 versions 1.13.x before 1.13.1

Description The issue is related to the auth gssapi unwrap data function, which does not properly handle partial XDR deserialization. This allows remote authenticated users to cause a denial of service, including use-after-free and double free, and daemon crash, or possibly execute arbitrary code via malformed XDR data. The vulnerability can be exploited by sending malformed data to kadmind.

Recommendations For MIT Kerberos 5 versions 1.11.5 and earlier, update to version 1.11.6 or later. For MIT Kerberos 5 versions 1.12.x through 1.12.2, update to version 1.12.3 or later. For MIT Kerberos 5 versions 1.13.x before 1.13.1, update to version 1.13.1 or later. As a temporary workaround, consider restricting access to the kadmind service until a patch is available.