Vulnerabilities > CVE-2017-7562

047910
CVSS 6.5 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
LOW
Confidentiality impact
NONE
Integrity impact
HIGH
Availability impact
NONE
network
low complexity
redhat
mit
nessus

Summary

An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.

Vulnerable Configurations

Part Description Count
OS
Redhat
4
Application
Mit
114

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-0666.NASL
    descriptionFrom Red Hat Security Advisory 2018:0666 : An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109104
    published2018-04-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109104
    titleOracle Linux 7 : krb5 (ELSA-2018-0666)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2018:0666 and 
    # Oracle Linux Security Advisory ELSA-2018-0666 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109104);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2017-11368", "CVE-2017-7562");
      script_xref(name:"RHSA", value:"2018:0666");
    
      script_name(english:"Oracle Linux 7 : krb5 (ELSA-2018-0666)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2018:0666 :
    
    An update for krb5 is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Kerberos is a network authentication system, which can improve the
    security of your network by eliminating the insecure practice of
    sending passwords over the network in unencrypted form. It allows
    clients and servers to authenticate to each other with the help of a
    trusted third party, the Kerberos key distribution center (KDC).
    
    Security Fix(es) :
    
    * krb5: Authentication bypass by improper validation of certificate
    EKU and SAN (CVE-2017-7562)
    
    * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure
    (CVE-2017-11368)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.5 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007610.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected krb5 packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-pkinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-server-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libkadm5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-devel-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-libs-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-pkinit-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-server-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-server-ldap-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-workstation-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libkadm5-1.15.1-18.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-pkinit / krb5-server / etc");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180410_KRB5_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) - krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) Additional Changes :
    last seen2020-03-18
    modified2018-05-01
    plugin id109450
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109450
    titleScientific Linux Security Update : krb5 on SL7.x x86_64 (20180410)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1167.NASL
    descriptionAccording to the versions of the krb5 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An authentication bypass flaw was found in the way krb5
    last seen2020-03-19
    modified2019-04-09
    plugin id123853
    published2019-04-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123853
    titleEulerOS Virtualization 2.5.3 : krb5 (EulerOS-SA-2019-1167)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1425-1.NASL
    descriptionThis update for krb5 provides the following fixes: Security issues fixed : - CVE-2017-7562: Improper validation of certificate EKU and SAN could lead to authentication bypass. (bsc#1055851) Non-security issues fixed : - Set
    last seen2020-06-01
    modified2020-06-02
    plugin id110184
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110184
    titleSUSE SLES12 Security Update : krb5 (SUSE-SU-2018:1425-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1010.NASL
    descriptionAuthentication bypass by improper validation of certificate EKU and SAN An authentication bypass flaw was found in the way krb5
    last seen2020-06-01
    modified2020-06-02
    plugin id109689
    published2018-05-11
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109689
    titleAmazon Linux 2 : krb5 (ALAS-2018-1010)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1010.NASL
    descriptionA denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) An authentication bypass flaw was found in the way krb5
    last seen2020-06-01
    modified2020-06-02
    plugin id117342
    published2018-09-07
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117342
    titleAmazon Linux AMI : krb5 (ALAS-2018-1010)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1361.NASL
    descriptionAccording to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) - An authentication bypass flaw was found in the way krb5
    last seen2020-06-03
    modified2018-11-07
    plugin id118755
    published2018-11-07
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118755
    titleEulerOS 2.0 SP3 : krb5 (EulerOS-SA-2018-1361)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-0666.NASL
    descriptionAn update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109370
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109370
    titleCentOS 7 : krb5 (CESA-2018:0666)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0025_KRB5.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has krb5 packages installed that are affected by multiple vulnerabilities: - An authentication bypass flaw was found in the way krb5
    last seen2020-06-01
    modified2020-06-02
    plugin id127186
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127186
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : krb5 Multiple Vulnerabilities (NS-SA-2019-0025)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1408.NASL
    descriptionAccording to the versions of the krb5 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An authentication bypass flaw was found in the way krb5
    last seen2020-03-26
    modified2018-12-28
    plugin id119897
    published2018-12-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119897
    titleEulerOS Virtualization 2.5.2 : krb5 (EulerOS-SA-2018-1408)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0666.NASL
    descriptionAn update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108983
    published2018-04-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108983
    titleRHEL 7 : krb5 (RHSA-2018:0666)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1354.NASL
    descriptionAccording to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) - An authentication bypass flaw was found in the way krb5
    last seen2020-05-31
    modified2018-11-06
    plugin id118737
    published2018-11-06
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118737
    titleEulerOS 2.0 SP2 : krb5 (EulerOS-SA-2018-1354)

Redhat

advisories
bugzilla
id1485510
titleCVE-2017-7562 krb5: Authentication bypass by improper validation of certificate EKU and SAN
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentkrb5-workstation is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666001
        • commentkrb5-workstation is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599008
      • AND
        • commentkrb5-libs is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666003
        • commentkrb5-libs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599014
      • AND
        • commentlibkadm5 is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666005
        • commentlibkadm5 is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599010
      • AND
        • commentkrb5-pkinit is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666007
        • commentkrb5-pkinit is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599012
      • AND
        • commentkrb5-server-ldap is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666009
        • commentkrb5-server-ldap is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599004
      • AND
        • commentkrb5-server is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666011
        • commentkrb5-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599006
      • AND
        • commentkrb5-devel is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666013
        • commentkrb5-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599002
rhsa
idRHSA-2018:0666
released2018-04-10
severityModerate
titleRHSA-2018:0666: krb5 security, bug fix, and enhancement update (Moderate)
rpms
  • krb5-debuginfo-0:1.15.1-18.el7
  • krb5-devel-0:1.15.1-18.el7
  • krb5-libs-0:1.15.1-18.el7
  • krb5-pkinit-0:1.15.1-18.el7
  • krb5-server-0:1.15.1-18.el7
  • krb5-server-ldap-0:1.15.1-18.el7
  • krb5-workstation-0:1.15.1-18.el7
  • libkadm5-0:1.15.1-18.el7