RT RT/krbdev.mit.edu: Ticket #8160 requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694] Signed in as guest.
[Logout]

[Home] [Search] [Configuration]

[Display] [History] [Basics] [Dates] [People] [Links] [Jumbo]

 
 

 The Basics  
Id
8160
Status
resolved
Worked
0 min
Priority
0/0
Queue
krb5
 

 Keyword Selections  
Component
Tags
Version_reported
Version_Fixed
  • 1.13.2
Target_Version
  • 1.13.2
 

 Relationships  
Depends on:
Depended on by:
Parents:
Children:

Refers to:
Referred to by:
  • 8194: (tlyu) requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694] [resolved]
 
 Dates  
Created: Mon Apr 27 16:49:19 2015
Starts: Not set
Started: Mon Apr 27 16:49:20 2015
Last Contact: Tue Apr 28 17:44:36 2015
Due: Not set
Updated: Wed Dec 16 18:03:03 2015 by tlyu
 

 People  
Owner
 ghudson
Requestors
 ghudson@mit.edu
Cc
 
AdminCc
 
 

 More about Greg Hudson  
Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:
 

History   Display mode: [Brief headers] [Full headers]
      Mon Apr 27 16:49:19 2015  ghudson - Ticket created    
     
From: ghudson@mit.edu
Subject: git commit


Prevent requires_preauth bypass [CVE-2015-2694]

In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified.  In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm.  Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.

CVE-2015-2694:

In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key.  This ciphertext could be
used to conduct an off-line dictionary attack against the user's
password.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C

https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604
Author: Greg Hudson <ghudson@mit.edu>
Commit: e3b5a5e5267818c97750b266df50b6a3d4649604
Branch: master
 src/plugins/preauth/otp/main.c          |   10 +++++++---
 src/plugins/preauth/pkinit/pkinit_srv.c |    4 ++--
 2 files changed, 9 insertions(+), 5 deletions(-)


Download (untitled) 1.1k
      Mon Apr 27 16:49:20 2015  ghudson - Requestor ghudson@mit.edu added    
      Mon Apr 27 16:49:20 2015  ghudson - Status changed from new to review    
      Mon Apr 27 16:49:20 2015  ghudson - Tags pullup added    
      Mon Apr 27 16:49:20 2015  ghudson - Target_Version 1.13.2 added    
      Tue Apr 28 17:44:35 2015  tlyu - Status changed from review to resolved    
      Tue Apr 28 17:44:35 2015  tlyu - Version_Fixed 1.13.2 added    
      Tue Apr 28 17:44:35 2015  tlyu - Correspondence added    
     
From: tlyu@mit.edu
Subject: git commit


Prevent requires_preauth bypass [CVE-2015-2694]

In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified.  In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm.  Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.

CVE-2015-2694:

In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key.  This ciphertext could be
used to conduct an off-line dictionary attack against the user's
password.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C

(cherry picked from commit e3b5a5e5267818c97750b266df50b6a3d4649604)

https://github.com/krb5/krb5/commit/df8afc60d970a7176a55ffe7ce21cfd57ba423cd
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: df8afc60d970a7176a55ffe7ce21cfd57ba423cd
Branch: krb5-1.13
 src/plugins/preauth/otp/main.c          |   10 +++++++---
 src/plugins/preauth/pkinit/pkinit_srv.c |    4 ++--
 2 files changed, 9 insertions(+), 5 deletions(-)


Download (untitled) 1.2k
      Wed Dec 16 18:03:03 2015  tlyu - Keyword pullup deleted