KDC Vulnerability in MIT Kerberos 5 Affects Multiple Encryption Types
CVE-2018-20217

5.3 MEDIUM

Key Information:

Vendor: MIT

Status
Vendor
CVE Published: 26 December 2018

What is CVE-2018-20217?

A reachable assertion vulnerability has been identified in the Key Distribution Center (KDC) of MIT Kerberos 5 prior to version 1.17. This flaw can be exploited by an attacker who manages to retrieve a krbtgt ticket using older encryption types, specifically single-DES, triple-DES, or RC4. By initiating an S4U2Self request, the attacker can cause a crash of the KDC, thereby disrupting authentication services. Organizations utilizing MIT Kerberos 5 should address this vulnerability by updating to a newer version as a preventive measure.

CVSS V3.1

Score: 5.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
