CVE-2010-1321
CVE-2010-1321 is a vulnerability of currently unknown severity. EPSS estimates a 6.88% chance of exploitation in the next 30 days.
Description
The kg_accept_krb5 function in krb5/accept_sec_context.c in the GSS-API library in MIT Kerberos 5 (aka krb5) through 1.7.1 and 1.8 before 1.8.2, as used in kadmind and other applications, does not properly check for invalid GSS-API tokens, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via an AP-REQ message in which the authenticator's checksum field is missing.
Affected Software
| Vendor | Product | Versions | Update |
|---|---|---|---|
| MIT | Kerberos 5 | <= 1.7.1 | — |
| MIT | Kerberos 5 | >= 1.8, < 1.8.2 | — |
| Debian | Debian Linux | 5.0 | — |
| Debian | Debian Linux | 6.0 | — |
| Canonical | Ubuntu Linux | 6.06 | — |
| Canonical | Ubuntu Linux | 8.04 | — |
| Canonical | Ubuntu Linux | 9.04 | — |
| Canonical | Ubuntu Linux | 9.10 | — |
| Canonical | Ubuntu Linux | 10.04 | — |
| Oracle | Database Server | All versions | — |
| openSUSE | openSUSE | 11.0 | — |
| openSUSE | openSUSE | 11.1 | — |
| openSUSE | openSUSE | 11.2 | — |
| openSUSE | openSUSE | 11.3 | — |
| SUSE | Linux Enterprise Server | 10 | SP3 |
| SUSE | Linux Enterprise Server | 11 | — |
| Fedora Project | Fedora | 11 | — |
| Fedora Project | Fedora | 12 | — |
| Fedora Project | Fedora | 13 | — |
References
- http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041615.html (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041645.html (Third Party Advisory)
- http://lists.fedoraproject.org/pipermail/package-announce/2010-May/041654.html (Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-06/msg00001.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-08/msg00001.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2010-10/msg00006.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00002.html (Mailing List, Third Party Advisory)
- http://lists.opensuse.org/opensuse-security-announce/2012-01/msg00010.html (Mailing List, Third Party Advisory)
- http://marc.info/?l=bugtraq&m=134254866602253&w=2 (Issue Tracking, Third Party Advisory)
- http://osvdb.org/64744 (Broken Link)
- http://secunia.com/advisories/39762 (Third Party Advisory)
- http://secunia.com/advisories/39784 (Third Party Advisory)
- http://secunia.com/advisories/39799 (Third Party Advisory)
- http://secunia.com/advisories/39818 (Third Party Advisory)
- http://secunia.com/advisories/39849 (Third Party Advisory)
- http://secunia.com/advisories/40346 (Third Party Advisory)
- http://secunia.com/advisories/40685 (Third Party Advisory)
- http://secunia.com/advisories/41967 (Third Party Advisory)
- http://secunia.com/advisories/42432 (Third Party Advisory)
- http://secunia.com/advisories/42974 (Third Party Advisory)
- http://secunia.com/advisories/43335 (Third Party Advisory)
- http://secunia.com/advisories/44954 (Third Party Advisory)
- http://support.avaya.com/css/P8/documents/100114315 (Third Party Advisory)
- http://web.mit.edu/kerberos/advisories/MITKRB5-SA-2010-005.txt (Patch, Vendor Advisory)
- http://www.debian.org/security/2010/dsa-2052 (Third Party Advisory)
- http://www.mandriva.com/security/advisories?name=MDVSA-2010:100 (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/cpujan2011-194091.html (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/cpujuly2011-313328.html (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/cpuoct2010-175626.html (Third Party Advisory)
- http://www.oracle.com/technetwork/topics/security/javacpuoct2010-176258.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2010-0423.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2010-0770.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2010-0807.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2010-0873.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2010-0935.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2010-0987.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0152.html (Third Party Advisory)
- http://www.redhat.com/support/errata/RHSA-2011-0880.html (Third Party Advisory)
- http://www.securityfocus.com/archive/1/511331/100/0/threaded (Third Party Advisory, VDB Entry)
- http://www.securityfocus.com/archive/1/516397/100/0/threaded (Third Party Advisory, VDB Entry)
- http://www.securityfocus.com/bid/40235 (Third Party Advisory, VDB Entry)
- http://www.ubuntu.com/usn/USN-940-1 (Third Party Advisory)
- http://www.ubuntu.com/usn/USN-940-2 (Third Party Advisory)
- http://www.us-cert.gov/cas/techalerts/TA10-287A.html (Third Party Advisory, US Government Resource)
- http://www.us-cert.gov/cas/techalerts/TA11-201A.html (Third Party Advisory, US Government Resource)
- http://www.vmware.com/security/advisories/VMSA-2011-0003.html (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/1177 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/1192 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/1193 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/1196 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/1222 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/1574 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/1882 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2010/3112 (Third Party Advisory)
- http://www.vupen.com/english/advisories/2011/0134 (Third Party Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11604 (Broken Link, Third Party Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7198 (Broken Link, Third Party Advisory)
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A7450 (Broken Link, Third Party Advisory)
Source: NVD / NIST
