|
  |
Mon Apr 27 16:49:19 2015 |
ghudson - Ticket created
|
|
|
|
  |
From: ghudson@mit.edu
Subject: git commit
Prevent requires_preauth bypass [CVE-2015-2694]
In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified. In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm. Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.
CVE-2015-2694:
In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user's
password.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604
Author: Greg Hudson <ghudson@mit.edu>
Commit: e3b5a5e5267818c97750b266df50b6a3d4649604
Branch: master
src/plugins/preauth/otp/main.c | 10 +++++++---
src/plugins/preauth/pkinit/pkinit_srv.c | 4 ++--
2 files changed, 9 insertions(+), 5 deletions(-)
|
Download (untitled) 1.1k
|
  |
  |
Mon Apr 27 16:49:20 2015 |
ghudson - Requestor ghudson@mit.edu added
|
|
|
  |
  |
Mon Apr 27 16:49:20 2015 |
ghudson - Status changed from new to review
|
|
|
  |
  |
Mon Apr 27 16:49:20 2015 |
ghudson - Tags pullup added
|
|
|
  |
  |
Mon Apr 27 16:49:20 2015 |
ghudson - Target_Version 1.13.2 added
|
|
|
  |
  |
Tue Apr 28 17:44:35 2015 |
tlyu - Status changed from review to resolved
|
|
|
  |
  |
Tue Apr 28 17:44:35 2015 |
tlyu - Version_Fixed 1.13.2 added
|
|
|
  |
  |
Tue Apr 28 17:44:35 2015 |
tlyu - Correspondence added
|
|
|
|
  |
From: tlyu@mit.edu
Subject: git commit
Prevent requires_preauth bypass [CVE-2015-2694]
In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified. In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm. Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.
CVE-2015-2694:
In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key. This ciphertext could be
used to conduct an off-line dictionary attack against the user's
password.
CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
(cherry picked from commit e3b5a5e5267818c97750b266df50b6a3d4649604)
https://github.com/krb5/krb5/commit/df8afc60d970a7176a55ffe7ce21cfd57ba423cd
Author: Greg Hudson <ghudson@mit.edu>
Committer: Tom Yu <tlyu@mit.edu>
Commit: df8afc60d970a7176a55ffe7ce21cfd57ba423cd
Branch: krb5-1.13
src/plugins/preauth/otp/main.c | 10 +++++++---
src/plugins/preauth/pkinit/pkinit_srv.c | 4 ++--
2 files changed, 9 insertions(+), 5 deletions(-)
|
Download (untitled) 1.2k
|
  |
  |
Wed Dec 16 18:03:03 2015 |
tlyu - Keyword pullup deleted
|
|
|