ALAS-2015-624 --- krb5ID: oval:org.secpod.oval:def:1200161 | Date: (C)2016-01-04 (M)2021-09-11 |
Class: PATCH | Family: unix |
A flaw was found in the OTP kdcpreauth module of MIT Kerberos. A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal"s long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user"s password.It was found that the krb5_read_message function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.
Platform: |
Amazon Linux AMI |