5

CVE-2009-0845

Exploit
The spnego_gss_accept_sec_context function in lib/gssapi/spnego/spnego_mech.c in MIT Kerberos 5 (aka krb5) 1.5 through 1.6.3, when SPNEGO is used, allows remote attackers to cause a denial of service (NULL pointer dereference and daemon crash) via invalid ContextFlags data in the reqFlags field in a negTokenInit token.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
MitKerberos Version5-1.6.3
MitKerberos 5 Version1.5
MitKerberos 5 Version1.5.1
MitKerberos 5 Version1.5.2
MitKerberos 5 Version1.5.3
MitKerberos 5 Version1.6
MitKerberos 5 Version1.6.1
MitKerberos 5 Version1.6.2
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 5.63% 0.919
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
nvd@nist.gov 5 10 2.9
AV:N/AC:L/Au:N/C:N/I:N/A:P
CWE-20 Improper Input Validation

The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

http://lists.apple.com/archives/security-announce/2009/May/msg00002.html
http://secunia.com/advisories/35074
Vendor Advisory
http://support.apple.com/kb/HT3549
http://www.us-cert.gov/cas/techalerts/TA09-133A.html
US Government Resource
http://www.vupen.com/english/advisories/2009/1297
http://krbdev.mit.edu/rt/Ticket/Display.html?user=guest&pass=guest&id=6402
http://secunia.com/advisories/34347
Vendor Advisory
http://secunia.com/advisories/34594
http://secunia.com/advisories/34617
http://secunia.com/advisories/34622
http://secunia.com/advisories/34628
http://secunia.com/advisories/34630
http://secunia.com/advisories/34637
http://secunia.com/advisories/34640
http://secunia.com/advisories/34734
http://security.gentoo.org/glsa/glsa-200904-09.xml
http://src.mit.edu/fisheye/browse/krb5/trunk/src/lib/gssapi/spnego/spnego_mech.c?r1=21875&r2=22084
Exploit
http://src.mit.edu/fisheye/changelog/krb5/?cs=22084
Vendor Advisory
http://sunsolve.sun.com/search/document.do?assetkey=1-26-256728-1
http://support.avaya.com/elmodocs2/security/ASA-2009-142.htm
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5047180.html
http://support.novell.com/docs/Readmes/InfoDocument/patchbuilder/readme_5047181.html
http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2009-001.txt
http://wiki.rpath.com/Advisories:rPSA-2009-0058
http://wiki.rpath.com/wiki/Advisories:rPSA-2009-0058
http://www-01.ibm.com/support/docview.wss?uid=swg21396120
http://www.kb.cert.org/vuls/id/662091
US Government Resource
http://www.mandriva.com/security/advisories?name=MDVSA-2009:082
http://www.redhat.com/support/errata/RHSA-2009-0408.html
http://www.securityfocus.com/archive/1/502526/100/0/threaded
http://www.securityfocus.com/archive/1/502546/100/0/threaded
http://www.securityfocus.com/bid/34257
http://www.securitytracker.com/id?1021867
http://www.ubuntu.com/usn/usn-755-1
http://www.vupen.com/english/advisories/2009/0847
Vendor Advisory
http://www.vupen.com/english/advisories/2009/0976
http://www.vupen.com/english/advisories/2009/1057
http://www.vupen.com/english/advisories/2009/1106
http://www.vupen.com/english/advisories/2009/2248
Vendor Advisory
https://exchange.xforce.ibmcloud.com/vulnerabilities/49448
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A10044
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A6449
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00205.html
https://www.redhat.com/archives/fedora-package-announce/2009-April/msg00206.html