CVE-2014-9422

Publication date 3 February 2015

Last updated 24 July 2024


Ubuntu priority

The check_rpcsec_auth function in kadmin/server/kadm_rpc_svc.c in kadmind in MIT Kerberos 5 (aka krb5) through 1.11.5, 1.12.x through 1.12.2, and 1.13.x before 1.13.1 allows remote authenticated users to bypass a kadmin/* authorization check and obtain administrative access by leveraging access to a two-component principal with an initial "kadmind" substring, as demonstrated by a "ka/x" principal.

Status

Package Ubuntu Release Status
krb5 14.10 utopic
Fixed 1.12.1+dfsg-10ubuntu0.1
14.04 LTS trusty
Fixed 1.12+dfsg-2ubuntu5.1
12.04 LTS precise
Fixed 1.10+dfsg~beta1-2ubuntu0.6
10.04 LTS lucid
Fixed 1.8.1+dfsg-2ubuntu0.14

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package Patch details
krb5

References

Related Ubuntu Security Notices (USN)

    • USN-2498-1
    • Kerberos vulnerabilities
    • 10 February 2015

Other references