Flaws were found in the way MIT Kerberos handled RFC 1964 tokens. A man-in-the-middle attacker able to inject packets into an application's GSS-API session could use this flaw to crash the application. References: http://diswww.mit.edu:8008/menelaus.mit.edu/cvs-krb5/28388 https://github.com/krb5/krb5/commit/fb99962cbd063ac04c9a9d2cc7c75eab73f3533d
Created krb5 tracking bugs for this issue: Affects: fedora-all [bug 1116181]
There are two distinct flaws in krb5: CVE-2014-4341: Affects all shipped versions of krb5 package. CVE-2014-4342: Affects only krb5-1.7 and later. Hence it makes more sense to split this bug into two parts. We will use this flaw for CVE-2014-4341. In MIT krb5, an unauthenticated remote attacker with the ability to inject packets into a legitimately established GSSAPI application session can cause a program crash due to invalid memory references when attempting to read beyond the end of a buffer.
CVE-2014-4342 is now filed as https://bugzilla.redhat.com/show_bug.cgi?id=1120581
A remote unauthenticated attacker is able to send a specially crafted packet to crash a Kerberos server. The kg_unseal_v1 and kg_unseal_v1_iov functions in GSSAPI are reachable externally and do not handle issues like checking for header length less than 22 bytes, shorter ciphertext than the confounder and declared padding length longer than the plaintext.
Statement: (none)
krb5-1.11.3-24.fc19 has been pushed to the Fedora 19 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.11.5-10.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
IssueDescription: A buffer over-read flaw was found in the way MIT Kerberos handled certain requests. A remote, unauthenticated attacker who is able to inject packets into a client or server application's GSSAPI session could use this flaw to crash the application.
This issue has been addressed in the following products: Red Hat Enterprise Linux 5 Via RHSA-2014:1245 https://rhn.redhat.com/errata/RHSA-2014-1245.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 6 Via RHSA-2014:1389 https://rhn.redhat.com/errata/RHSA-2014-1389.html
This issue has been addressed in the following products: Red Hat Enterprise Linux 7 Via RHSA-2015:0439 https://rhn.redhat.com/errata/RHSA-2015-0439.html