Vigil@nce - MIT krb5: three vulnerabilities
January 2016 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can use several vulnerabilities of MIT krb5.
– Impacted products: Debian, Fedora, MIT krb5, openSUSE, openSUSE
Leap, SUSE Linux Enterprise Desktop, SLES, Ubuntu.
– Severity: 2/4.
– Creation date: 04/11/2015.
DESCRIPTION OF THE VULNERABILITY
Several vulnerabilities were announced in MIT krb5.
An attacker can force a read at an invalid address in SPNEGO
gss_inquire_context(), in order to trigger a denial of service.
[severity:2/4; CVE-2015-2695]
An attacker can force a read at an invalid address in IAKERB
gss_inquire_context(), in order to trigger a denial of service.
[severity:2/4; CVE-2015-2696]
An attacker can force a read at an invalid address in
build_principal_va(), in order to trigger a denial of service.
[severity:2/4; CVE-2015-2697]
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/MIT-krb5-three-vulnerabilities-18241