Vulnerability CVE-2018-20217


Published: 2018-12-26

Description:
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.

Type: CWE-20 (Improper Input Validation)

Vendor: Debian
Product: Debian linux
Version: 8.0
Vendor: MIT
Product: Kerberos
Version:
5-1.9.4
5-1.9.3
5-1.9.2
5-1.9.1
5-1.9
5-1.8.6
5-1.8.5
5-1.8.4
5-1.8.3
5-1.8.2
5-1.8.1
5-1.8
5-1.7.1
5-1.7
5-1.6.2
5-1.6.1
5-1.6
5-1.5.3
5-1.5.2
5-1.5.1
5-1.5
5-1.4.4
5-1.4.3
5-1.4.2
5-1.4.1
5-1.4
5-1.3.6
5-1.3.5
5-1.3.4
5-1.3.3
5-1.3.2
5-1.3.1
5-1.3
5-1.2.8
5-1.2.7
5-1.2.6
5-1.2.5
5-1.2.4
5-1.2.3
5-1.2.2
5-1.2.1
5-1.2
5-1.15.1
5-1.15
5-1.14.5
5-1.14.4
5-1.14.3
5-1.14.2
5-1.14
5-1.13.6
5-1.13.5
5-1.13.3
5-1.13.2
5-1.13.1
5-1.13
5-1.12.3
5-1.12.2
5-1.12.1
5-1.12
5-1.11.5
5-1.11.4
5-1.11.3
5-1.11.2
5-1.11.1
5-1.11
5-1.10.4
5-1.10.3
5-1.10.2
5-1.10.1
5-1.10
5-1.1
5
4.0

CVSS2 => (AV:N/AC:M/Au:S/C:N/I:N/A:P)

CVSS Base Score: 3.5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 6.8/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Single time
Confidentiality impact: None
Integrity impact: None
Availability impact: Partial

References:
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8763
https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086
https://lists.debian.org/debian-lts-announce/2019/01/msg00020.html
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/2KNHELH4YHNT6H2ESJWX2UIDXLBNGB2O/
https://security.netapp.com/advisory/ntap-20190416-0006/

Related CVE
CVE-2017-7562
An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary prin...
CVE-2018-5730
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to circumvent a DN containership check by supplying both a "linkdn" and "containerdn" database argument, or by supplying a DN string w...
CVE-2018-5729
MIT krb5 1.6 or later allows an authenticated kadmin with permission to add principals to an LDAP Kerberos database to cause a denial of service (NULL pointer dereference) or bypass a DN container check by supplying tagged data that is internal to th...
CVE-2018-5710
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. The pre-defined function "strlen" is getting a "NULL" string as a parameter value in plugins/kdb/ldap/libkdb_ldap/ldap_principal2.c in the Key Distribution Center (KDC), which allows ...
CVE-2018-5709
An issue was discovered in MIT Kerberos 5 (aka krb5) through 1.16. There is a variable "dbentry->n_key_data" in kadmin/dbutil/dump.c that can store 16-bit data but unknowingly the developer has assigned a "u4" variable to it, which is for 32-bit data...
CVE-2017-15088
plugins/preauth/pkinit/pkinit_crypto_openssl.c in MIT Kerberos 5 (aka krb5) through 1.15.2 mishandles Distinguished Name (DN) fields, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applicatio...
CVE-2017-11462
Double free vulnerability in MIT Kerberos 5 (aka krb5) allows attackers to have unspecified impact via vectors involving automatic deletion of security contexts on error.
CVE-2017-11368
In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.

Copyright 2019, cxsecurity.com
