Vulnerability Details : CVE-2014-5354
plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.1, when the KDC uses LDAP, allows remote authenticated users to cause a denial of service (NULL pointer dereference and daemon crash) by creating a database entry for a keyless principal, as demonstrated by a kadmin "add_principal -nokey" or "purgekeys -all" command.
Vulnerability category: Memory Corruption, Denial of Service
Products affected by CVE-2014-5354
- cpe:2.3:a:mit:kerberos:5_1.13:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.12:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.12.1:*:*:*:*:*:*:*
- cpe:2.3:a:mit:kerberos_5:1.12.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2014-5354
- EPSS score: 0.56% (probability of exploitation activity in the next 30 days)
- EPSS percentile: ~66% (the proportion of vulnerabilities that are scored at or less)
CVSS scores for CVE-2014-5354
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen
---|---|---|---|---|---|---
3.5 | LOW | AV:N/AC:M/Au:S/C:N/I:N/A:P | 6.8 | 2.9 | NIST | 
References for CVE-2014-5354
- http://www.securitytracker.com/id/1031376: MIT Kerberos Null Pointer Dereference Bugs Let Remote Authenticated Users Deny Service (SecurityTracker)
- http://www.ubuntu.com/usn/USN-2498-1: USN-2498-1: Kerberos vulnerabilities (Ubuntu security notices)
- http://www.securityfocus.com/bid/71680: MIT Kerberos 5 CVE-2014-5354 NULL Pointer Dereference Remote Denial of Service Vulnerability
- http://lists.opensuse.org/opensuse-updates/2015-03/msg00061.html: openSUSE-SU-2015:0542-1: moderate: Security update for krb5
- https://github.com/krb5/krb5/commit/04038bf3633c4b909b5ded3072dc88c8c419bf16: Support keyless principals in LDAP [CVE-2014-5354] (krb5/krb5@04038bf, GitHub)