Ubuntu 14.04 — krb5 — multiple vulnerabilities (20 CVEs) — patch and remediation guide

📖 ~4 min read  •  Source: Ubuntu Security Notice USN-7542-1

Related CVEs: CVE-2025-3576 CVE-2024-3596 CVE-2024-37370 CVE-2024-37371 CVE-2023-36054 CVE-2018-20217 CVE-2022-42898 CVE-2020-28196  +12 more

Upstream summary: It was discovered that Kerberos allowed the usage of weak cryptographic
standards. An attacker could possibly use this issue to expose sensitive
information.

This update introduces the allow_rc4 and allow_des3 configuration options,
and disables the usage of RC4 and 3DES ciphers by default. Users are
advised to discontinue their usage and upgrade to stronger encryption
protocols. If the use of the insecure RC4 and 3DES algorithms is necessary,
they can be enabled with the af

Table of contents

1. Symptom & Impact
2. Environment & Reproduction
3. Root Cause Analysis
4. Quick Triage
5. Step-by-Step Diagnosis
6. Solution – Primary Fix
7. Solution – Alternative Approaches
8. Verification & Acceptance Criteria
9. Rollback Plan
10. Prevention & Hardening
11. Related Errors & Cross-Refs
12. References & Further Reading

Symptom & Impact

On Ubuntu 14.04 (trusty) hosts that have krb5 installed, administrators report behaviour consistent with Ubuntu Security Notice USN-7542-1: apt reports pending security updates, services backed by krb5 fail or restart unexpectedly, AppArmor denials appear in the kernel log, and — for security-rated advisories — the host is exposed to the vulnerability set above. Impact ranges from a single service-restart loop to wider availability incidents whenever krb5 sits on the serving path.

Environment & Reproduction

Reproduction targets Ubuntu 14.04 (trusty). Confirm release and installed package:

lsb_release -a
cat /etc/os-release
dpkg -l krb5 | tail -2
apt-cache policy krb5
uname -r

Trigger the workflow that exposes krb5 — multiple vulnerabilities (20 CVEs) — patch and remediation guide while collecting:

sudo tail -200 /var/log/syslog | grep -i krb5
sudo tail -200 /var/log/syslog
sudo tail -200 /var/log/apt/history.log
sudo tail -200 /var/log/kern.log | grep -i apparmor

Root Cause Analysis

Root cause is documented in Ubuntu Security Notice USN-7542-1. Canonical security maintainers shipped fixes in the corresponding krb5 update for Ubuntu 14.04; running an outdated build leaves the host exposed to the failure modes described in the advisory. On this release the fix typically arrives via the Ubuntu Pro ESM (esm-infra / esm-apps) channels rather than the standard archive. Correlate apt history with the journal:

grep -A2 -B2 krb5 /var/log/apt/history.log
zgrep -A2 -B2 krb5 /var/log/apt/history.log.*.gz 2>/dev/null
cat /proc/sys/kernel/tainted   # non-zero = tainted kernel / out-of-tree modules

Quick Triage

Run these on Ubuntu 14.04 to capture the current state of krb5:

dpkg -l krb5 | tail -1                  # installed version
dpkg -V krb5                             # verify shipped files
sudo apt update && apt list --upgradable 2>/dev/null | grep -i security
sudo service krb5 status
sudo ufw status verbose 2>/dev/null | head -20
sudo aa-status 2>/dev/null | head -20
# If krb5 ships a service unit (unit/job name often differs from pkg name, e.g.
# bind9→named, apache2→apache2, postgresql-NN→postgresql@NN-main):
initctl list 2>/dev/null | grep krb5

On trusty the standard archive no longer ships security fixes. Verify Ubuntu Pro ESM coverage:

# `pro` CLI not available on this release; check the older `ubuntu-advantage-tools`:
sudo ua status --format=json 2>/dev/null | head
apt-cache policy | grep -i esm

Step-by-Step Diagnosis

1. List failing services.

   initctl list | grep -v running

2. Tail the journal / syslog for krb5.

   sudo tail -f /var/log/upstart/krb5.log
   sudo tail -f /var/log/syslog

3. Inspect UFW (Uncomplicated Firewall) state.

   sudo ufw status numbered
   sudo ufw show added
   sudo iptables -L -n -v | head -30

4. Surface AppArmor denials and switch the profile to complain mode if needed.

   sudo journalctl -k 2>/dev/null | grep -i 'apparmor="DENIED"' | tail -30
   sudo aa-status
   # /etc/apparmor.d/usr.bin.krb5 or usr.sbin.krb5 — inspect first
   sudo aa-complain /etc/apparmor.d/usr.bin.krb5 2>/dev/null || true

5. Verify krb5 integrity and reinstall if anything is altered.

   sudo dpkg -V krb5
   sudo debsums -c krb5 2>/dev/null
   sudo apt install --reinstall -y krb5

6. Correlate findings with /var/log/apt/history.log, /var/log/dpkg.log, and Ubuntu Security Notice USN-7542-1 to pin the change that introduced krb5 — multiple vulnerabilities (20 CVEs) — patch and remediation guide.

Solution – Primary Fix

Apply the corrective apt transaction referenced by Ubuntu Security Notice USN-7542-1, then reload the affected service:

sudo apt update
sudo apt -y install --only-upgrade krb5
# upstart uses initctl, not systemctl:
# Service name may differ from pkg name; check first:
initctl list 2>/dev/null | grep krb5
sudo service krb5 restart
dpkg -l krb5 | tail -1            # confirm new version
sudo service krb5 status

On trusty the standard archive is past EoL for security; enable Ubuntu Pro ESM to receive the fix:

# Older releases use the `ua` command:
sudo ua attach <token>
sudo ua enable esm-infra
sudo ua enable esm-apps
sudo apt update
sudo apt -y install --only-upgrade krb5

For kernel / glibc / systemd / openssl advisories a reboot (or Livepatch) is required:

sudo apt install -y needrestart
sudo needrestart -r l       # list units that need restart
sudo systemctl reboot       # or: sudo shutdown -r now

Solution – Alternative Approaches

If the primary upgrade is not viable, pick from these:

• Hold the package so apt cannot upgrade it:

  sudo apt-mark hold krb5
  apt-mark showhold | grep krb5
  # Release the hold later with:
  sudo apt-mark unhold krb5

• Pin a known-good version via apt preferences:

  # /etc/apt/preferences.d/krb5.pref
  Package: krb5
  Pin: version <good-version>
  Pin-Priority: 1001

• Downgrade to an older version if a regression is suspected:

  apt-cache madison krb5
  sudo apt install --allow-downgrades -y krb5=<older-version>

• Investigate AppArmor blocking the new binary; switch to complain briefly, capture denials, then re-enforce:

  sudo aa-complain /etc/apparmor.d/usr.bin.krb5 2>/dev/null
  # reproduce the failure
  sudo journalctl -k | grep apparmor | tail
  sudo aa-enforce /etc/apparmor.d/usr.bin.krb5 2>/dev/null

• Take only the security pocket update and defer the full point-release upgrade:

  sudo apt -y install --only-upgrade -t trusty-security krb5

Verification & Acceptance Criteria

All of these should pass after the fix is applied:

dpkg -l krb5 | tail -1                                  # expected fixed version
apt list --upgradable 2>/dev/null | grep -i security || echo OK
sudo service krb5 status
sudo tail -50 /var/log/syslog | grep krb5 || echo OK
sudo ufw status numbered | head
sudo aa-status 2>/dev/null | head -5

The original reproduction for krb5 — multiple vulnerabilities (20 CVEs) — patch and remediation guide must not trigger across two consecutive runs.

Rollback Plan

Capture state before any change:

apt list --installed 2>/dev/null > /root/apt-pre.txt
dpkg --get-selections > /root/dpkg-pre.txt
# ZFS-on-root (Ubuntu 20.04+ default installer option):
sudo zfs snapshot rpool/ROOT/ubuntu@pre-krb5
# LVM-on-root:
sudo lvcreate -L 4G -s -n root_pre_patch /dev/<vg>/<root-lv>

To revert:

sudo apt install --allow-downgrades -y krb5=<old-version>
sudo service krb5 restart
sudo service krb5 restart
# Kernel rollback: pick the prior kernel from the GRUB menu, then:
sudo systemctl reboot
# ZFS rollback (rolls the whole root dataset):
sudo zfs rollback -r rpool/ROOT/ubuntu@pre-krb5

Prevention & Hardening

Reduce the chance of this recurring on Ubuntu 14.04 (trusty):

• Enable scheduled security updates via unattended-upgrades:

  sudo apt install -y unattended-upgrades update-notifier-common
  sudo dpkg-reconfigure -plow unattended-upgrades
  # /etc/apt/apt.conf.d/50unattended-upgrades:
  Unattended-Upgrade::Allowed-Origins { "${distro_id}:${distro_codename}-security"; };

• Install needrestart so services restart automatically after library upgrades:

  sudo apt install -y needrestart
  # /etc/needrestart/needrestart.conf -> $nrconf{restart} = 'a';

• Attach Ubuntu Pro for ESM (mandatory on this past-EoL release) and Livepatch where supported:

  sudo ua attach <token>
  sudo ua enable esm-infra
  sudo ua enable esm-apps

• Subscribe to ubuntu-security-announce and watch ubuntu.com/security/cves.

• Monitor file integrity with debsums and AIDE:

  sudo apt install -y debsums aide
  sudo debsums -ca
  sudo aideinit && sudo mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db
  sudo aide --check

• For estate-wide patching, manage with Canonical Landscape:

  sudo apt install -y landscape-client
  sudo landscape-config

• Keep AppArmor profiles in enforce mode and apply CIS Ubuntu Linux Benchmark hardening.

Related Errors & Cross-Refs

Issues that commonly surface alongside krb5 — multiple vulnerabilities (20 CVEs) — patch and remediation guide: apt lock contention, broken dpkg state, systemd ordering cycles, AppArmor denials, and UFW rule drift. Useful triage:

sudo dpkg --configure -a
sudo apt --fix-broken install
initctl list | head
sudo journalctl -k 2>/dev/null | grep -i apparmor | tail
cat /proc/sys/kernel/tainted

View all ubuntu-14-04 tutorials on the Tutorials Hub →

Browse all common problems & solutions on the Tutorials Hub.

References & Further Reading

Primary reference: Ubuntu Security Notice USN-7542-1. Manual pages useful on Ubuntu 14.04:

man apt
man apt-get
man apt-mark
man dpkg
man initctl
# journald not present on this release
man ufw
man apparmor
man aa-status
man unattended-upgrades
man ua

Other resources: Ubuntu Security Notices, Ubuntu CVE Tracker, Ubuntu upgrade notes, and per-package notes in /usr/share/doc/krb5/ for components implicated in krb5 — multiple vulnerabilities (20 CVEs) — patch and remediation guide.