git.ipfire.org Git - thirdparty/krb5.git/commit

author	Greg Hudson <ghudson@mit.edu>
	Tue, 24 Mar 2015 16:02:37 +0000 (12:02 -0400)
committer	Greg Hudson <ghudson@mit.edu>
	Mon, 27 Apr 2015 20:22:04 +0000 (16:22 -0400)
commit	e3b5a5e5267818c97750b266df50b6a3d4649604
tree	9bb7654fe3da958596762a5f37cf4a88e5304ba8	tree
parent	527edfaadb648a0dd2a42cd39a5a02a4ac37d7e3	commit \| diff

Prevent requires_preauth bypass [CVE-2015-2694]

In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
the request is successfully verified.  In the PKINIT kdcpreauth
module, don't respond with code 0 on empty input or an unconfigured
realm.  Together these bugs could cause the KDC preauth framework to
erroneously treat a request as pre-authenticated.

CVE-2015-2694:

In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
support, an unauthenticated remote attacker can bypass the
requires_preauth flag on a client principal and obtain a ciphertext
encrypted in the principal's long-term key.  This ciphertext could be
used to conduct an off-line dictionary attack against the user's
password.

    CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C

ticket: 8160 (new)
target_version: 1.13.2
tags: pullup
subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]

src/plugins/preauth/otp/main.c		diff \| blob \| blame \| history
src/plugins/preauth/pkinit/pkinit_srv.c		diff \| blob \| blame \| history