CVE-2013-1416 — MEDIUM (4.0)

Q: How severe is CVE-2013-1416?

CVE-2013-1416 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2013-1416?

Check the references section above for vendor advisories and patch information. Affected products include: Mit Kerberos 5, Opensuse Opensuse, Fedoraproject Fedora, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Eus.

Vulnerability Description

The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) via a crafted TGS-REQ request.

CVSS Score

4.0

MEDIUM

AV:N/AC:L/Au:S/C:N/I:N/A:P

Confidentiality

NONE

Integrity

NONE

Availability

PARTIAL

Affected Products

Vendor	Product	Versions
Mit	Kerberos 5	< 1.10.5
Opensuse	Opensuse	11.4
Fedoraproject	Fedora	17
Redhat	Enterprise Linux Desktop	6.0
Redhat	Enterprise Linux Eus	6.4
Redhat	Enterprise Linux Server	6.0
Redhat	Enterprise Linux Server Aus	6.4
Redhat	Enterprise Linux Workstation	6.0

Related Weaknesses (CWE)

CWE-476

References

http://krbdev.mit.edu/rt/Ticket/Display.html?id=7600Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102058.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102074.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-05/msg00011.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-06/msg00041.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-06/msg00102.htmlMailing ListThird Party Advisory
http://rhn.redhat.com/errata/RHSA-2013-0748.htmlThird Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:157Third Party Advisory
http://www.mandriva.com/security/advisories?name=MDVSA-2013:158Third Party Advisory
https://github.com/krb5/krb5/commit/8ee70ec63931d1e38567905387ab9b1d45734d81PatchThird Party Advisory
http://krbdev.mit.edu/rt/Ticket/Display.html?id=7600Vendor Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102058.htmlThird Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2013-April/102074.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-05/msg00011.htmlMailing ListThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2013-06/msg00041.htmlMailing ListThird Party Advisory

FAQ

What is CVE-2013-1416?

CVE-2013-1416 is a vulnerability with a CVSS score of 4.0 (MEDIUM). The prep_reprocess_req function in do_tgs_req.c in the Key Distribution Center (KDC) in MIT Kerberos 5 (aka krb5) before 1.10.5 does not properly perform service-principal realm referral, which allows...

How severe is CVE-2013-1416?

CVE-2013-1416 has been rated MEDIUM with a CVSS base score of 4.0/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2013-1416?

Check the references section above for vendor advisories and patch information. Affected products include: Mit Kerberos 5, Opensuse Opensuse, Fedoraproject Fedora, Redhat Enterprise Linux Desktop, Redhat Enterprise Linux Eus.