CVE-2014-4344: Null Pointer Dereference
First published: Tue Jul 22 2014(Updated: )
A NULL pointer dereference flaw was found in the MIT Kerberos SPNEGO acceptor for continuation tokens. An unauthenticated attacker could use this flaw to crash the server acceptor. It is reported that this issue affects version 1.5 and later. Upstream commit and further details: <a href="https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b">https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b</a>
Credit: cve@mitre.org
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Debian | =7.0 | |
| redhat enterprise Linux desktop | =7.0 | |
| Red Hat Enterprise Linux HPC Node | =7.0 | |
| redhat enterprise Linux server | =7.0 | |
| redhat enterprise Linux workstation | =7.0 | |
| Kerberos 5 (libkrb5) | =1.10 | |
| Kerberos 5 (libkrb5) | =1.10.1 | |
| Kerberos 5 (libkrb5) | =1.10.2 | |
| Kerberos 5 (libkrb5) | =1.10.3 | |
| Kerberos 5 (libkrb5) | =1.10.4 | |
| Kerberos 5 (libkrb5) | =1.11 | |
| Kerberos 5 (libkrb5) | =1.11.1 | |
| Kerberos 5 (libkrb5) | =1.11.2 | |
| Kerberos 5 (libkrb5) | =1.11.3 | |
| Kerberos 5 (libkrb5) | =1.11.4 | |
| Kerberos 5 (libkrb5) | =1.11.5 | |
| Kerberos 5 (libkrb5) | =1.12 | |
| Kerberos 5 (libkrb5) | =1.12.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://github.com/krb5/krb5/commit/524688ce87a15fc75f87efc8c039ba4c7d5c197b
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=1121879
- https://rhn.redhat.com/errata/RHSA-2014-1245.html
- https://rhn.redhat.com/errata/RHSA-2014-1389.html
- https://rhn.redhat.com/errata/RHSA-2015-0439.html
- https://bugzilla.redhat.com/show_bug.cgi?id=1121877
- http://advisories.mageia.org/MGASA-2014-0345.html
- http://aix.software.ibm.com/aix/efixes/security/nas_advisory1.asc
- http://krbdev.mit.edu/rt/Ticket/Display.html?id=7970
- http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136360.html
- http://rhn.redhat.com/errata/RHSA-2015-0439.html
- http://secunia.com/advisories/59102
- http://secunia.com/advisories/60082
- http://secunia.com/advisories/60448
- http://secunia.com/advisories/61051
- http://support.f5.com/kb/en-us/solutions/public/15000/500/sol15561.html
- http://www.debian.org/security/2014/dsa-3000
- http://www.mandriva.com/security/advisories?name=MDVSA-2014:165
- http://www.osvdb.org/109389
- http://www.securityfocus.com/bid/69160
- http://www.securitytracker.com/id/1030706
- https://exchange.xforce.ibmcloud.com/vulnerabilities/95210
- https://github.com/krb5/krb5/commit/a7886f0ed1277c69142b14a2c6629175a6331edc
Frequently Asked Questions
What is the severity of CVE-2014-4344?
CVE-2014-4344 has a medium severity rating, as it allows an unauthenticated attacker to crash the server acceptor.
How do I fix CVE-2014-4344?
To fix CVE-2014-4344, you should upgrade to the patched version of MIT Kerberos 5 or apply the relevant security patches provided by your operating system vendor.
Which versions of MIT Kerberos are affected by CVE-2014-4344?
CVE-2014-4344 affects all versions of MIT Kerberos 5 starting from 1.5 and later.
What impact does CVE-2014-4344 have on a server?
The impact of CVE-2014-4344 is that an attacker can exploit the NULL pointer dereference flaw to crash the server acceptor, leading to a denial of service.
What systems are impacted by CVE-2014-4344?
CVE-2014-4344 impacts Debian GNU/Linux 7.0 and several versions of Red Hat Enterprise Linux, including server, desktop, HPC node, and workstation.
- collector/redhat-bugzilla
- alias/CVE-2014-4344
- agent/type
- agent/first-publish-date
- agent/last-modified-date
- agent/description
- agent/references
- agent/author
- agent/remedy
- agent/severity
- agent/weakness
- agent/event
- agent/tags
- agent/softwarecombine
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/debian
- canonical/debian
- version/debian/7.0
- vendor/redhat
- canonical/redhat enterprise linux desktop
- version/redhat enterprise linux desktop/7.0
- canonical/red hat enterprise linux hpc node
- version/red hat enterprise linux hpc node/7.0
- canonical/redhat enterprise linux server
- version/redhat enterprise linux server/7.0
- canonical/redhat enterprise linux workstation
- version/redhat enterprise linux workstation/7.0
- vendor/mit
- canonical/kerberos 5 (libkrb5)
- version/kerberos 5 (libkrb5)/1.10
- version/kerberos 5 (libkrb5)/1.10.1
- version/kerberos 5 (libkrb5)/1.10.2
- version/kerberos 5 (libkrb5)/1.10.3
- version/kerberos 5 (libkrb5)/1.10.4
- version/kerberos 5 (libkrb5)/1.11
- version/kerberos 5 (libkrb5)/1.11.1
- version/kerberos 5 (libkrb5)/1.11.2
- version/kerberos 5 (libkrb5)/1.11.3
- version/kerberos 5 (libkrb5)/1.11.4
- version/kerberos 5 (libkrb5)/1.11.5
- version/kerberos 5 (libkrb5)/1.12
- version/kerberos 5 (libkrb5)/1.12.1