RT/krbdev.mit.edu: Ticket #8160 requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]

RT/krbdev.mit.edu: Ticket #8160 requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]

Signed in as guest.
[Logout]

[Home]

[Search]

[Configuration]

[Display]

[History]

[Basics]

[Dates]

[People]

[Links]

[Jumbo]

The Basics

Id
8160

Status
resolved

Worked
0 min

Priority
0/0

Queue
krb5

Keyword Selections

Component
Tags
Version_reported
Version_Fixed	1.13.2
Target_Version	1.13.2

Relationships

Depends on:

Depended on by:

Parents:

Children:

Refers to:

Referred to by:

8194: (tlyu) requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694] [resolved]

Dates

Created:	Mon Apr 27 16:49:19 2015
Starts:	Not set
Started:	Mon Apr 27 16:49:20 2015
Last Contact:	Tue Apr 28 17:44:36 2015
Due:	Not set
Updated:	Wed Dec 16 18:03:03 2015 by tlyu

People

Owner
ghudson
Requestors
ghudson@mit.edu
Cc

AdminCc

More about Greg Hudson

Comments about this user:
No comment entered about this user
This user's 25 highest priority tickets:

438: login.c uses wrong criteria to set KRB_ENVIRON (new)
6641: Typed-in master passwords should use enctypes in K/M entry (new)
6782: Master KDC lookup can use SRV lookups despite profile KDC configuration (new)
6803: Config variable for default ccache directory (open)
6831: kadmin should use krb5int_locate_server, honor SRV records (open)
7004: get_creds should restore authdata for non-referral fallback (new)
7024: PAC resigning should support buffer resizing (open)
7044: gss_init_sec_context misbehaves on mismatched credentials (new)
7062: PKINIT pa_pk_as_req_draft9 encoding issues (open)
7071: PKINIT trusted_ca encoding issues (open)
7083: SPNEGO doesn't implement gss_inquire_cred_by_mech (open)
7090: krb5_gss_get_name_attribute minor cleanup issue (open)
7108: Move build system to top level (new)
7171: Multiple GSSAPI krb5 mechanism variants cause repeated operations (new)
7191: KDC should use encrypted-timestamp key for reply key (new)
7549: KDC name type return issues (new)
7672: KDC can emit PREAUTH_REQUIRED error with useless hint list (open)
7694: gsskrb5_extract_authz_data_from_sec_context misses AD-IF-RELEVANT containers (open)
7707: Credential cache API does not support atomic reinitialization (open)
7720: Set expiration times on keyring credentials (open)
7721: master_kdc is resolved sooner than necessary (open)
7743: kadmin cannot add principal and extract random key in one step (open)
7754: LDAP KDB module uses anonymous bind when following referrals (open)
7765: Some ccache functions not exported (open)
7766: Keyring last_change_time implementation isn't useful (open)

History

Display mode: [Brief headers] [Full headers]

Mon Apr 27 16:49:19 2015	ghudson - Ticket created
From: ghudson@mit.edu Subject: git commit Prevent requires_preauth bypass [CVE-2015-2694] In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until the request is successfully verified. In the PKINIT kdcpreauth module, don't respond with code 0 on empty input or an unconfigured realm. Together these bugs could cause the KDC preauth framework to erroneously treat a request as pre-authenticated. CVE-2015-2694: In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604 Author: Greg Hudson <ghudson@mit.edu> Commit: e3b5a5e5267818c97750b266df50b6a3d4649604 Branch: master src/plugins/preauth/otp/main.c \| 10 +++++++--- src/plugins/preauth/pkinit/pkinit_srv.c \| 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-)		Download (untitled) 1.1k
Mon Apr 27 16:49:20 2015	ghudson - Requestor ghudson@mit.edu added
Mon Apr 27 16:49:20 2015	ghudson - Status changed from new to review
Mon Apr 27 16:49:20 2015	ghudson - Tags pullup added
Mon Apr 27 16:49:20 2015	ghudson - Target_Version 1.13.2 added
Tue Apr 28 17:44:35 2015	tlyu - Status changed from review to resolved
Tue Apr 28 17:44:35 2015	tlyu - Version_Fixed 1.13.2 added
Tue Apr 28 17:44:35 2015	tlyu - Correspondence added
From: tlyu@mit.edu Subject: git commit Prevent requires_preauth bypass [CVE-2015-2694] In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until the request is successfully verified. In the PKINIT kdcpreauth module, don't respond with code 0 on empty input or an unconfigured realm. Together these bugs could cause the KDC preauth framework to erroneously treat a request as pre-authenticated. CVE-2015-2694: In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password. CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C (cherry picked from commit e3b5a5e5267818c97750b266df50b6a3d4649604) https://github.com/krb5/krb5/commit/df8afc60d970a7176a55ffe7ce21cfd57ba423cd Author: Greg Hudson <ghudson@mit.edu> Committer: Tom Yu <tlyu@mit.edu> Commit: df8afc60d970a7176a55ffe7ce21cfd57ba423cd Branch: krb5-1.13 src/plugins/preauth/otp/main.c \| 10 +++++++--- src/plugins/preauth/pkinit/pkinit_srv.c \| 4 ++-- 2 files changed, 9 insertions(+), 5 deletions(-)		Download (untitled) 1.2k
Wed Dec 16 18:03:03 2015	tlyu - Keyword pullup deleted