SB2015120913 - Credentials management in krb5 (Alpine package)
Published: December 9, 2015
Security Bulletin ID
SB2015120913
Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 security vulnerability.
1) Credentials management (CVE-ID: CVE-2014-5351)
The vulnerability allows a remote #AU# to gain access to sensitive information.
The kadm5_randkey_principal_3 function in lib/kadm5/srv/svr_principal.c in kadmind in MIT Kerberos 5 (aka krb5) before 1.13 sends old keys in a response to a -randkey -keepold request, which allows remote authenticated users to forge tickets by leveraging administrative access.
Remediation
Install update from vendor's website.