Vulnerabilities > CVE-2017-7562 - Improper Authentication vulnerability in multiple products

047910
CVSS 4.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
SINGLE
Confidentiality impact
NONE
Integrity impact
PARTIAL
Availability impact
NONE
network
low complexity
redhat
mit
CWE-287
nessus

Summary

An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.

Vulnerable Configurations

Part Description Count
OS
Redhat
4
Application
Mit
111

Common Weakness Enumeration (CWE)

Common Attack Pattern Enumeration and Classification (CAPEC)

  • Authentication Abuse
    An attacker obtains unauthorized access to an application, service or device either through knowledge of the inherent weaknesses of an authentication mechanism, or by exploiting a flaw in the authentication scheme's implementation. In such an attack an authentication mechanism is functioning but a carefully controlled sequence of events causes the mechanism to grant access to the attacker. This attack may exploit assumptions made by the target's authentication procedures, such as assumptions regarding trust relationships or assumptions regarding the generation of secret values. This attack differs from Authentication Bypass attacks in that Authentication Abuse allows the attacker to be certified as a valid user through illegitimate means, while Authentication Bypass allows the user to access protected material without ever being certified as an authenticated user. This attack does not rely on prior sessions established by successfully authenticating users, as relied upon for the "Exploitation of Session Variables, Resource IDs and other Trusted Credentials" attack patterns.
  • Exploiting Trust in Client (aka Make the Client Invisible)
    An attack of this type exploits a programs' vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by placing themselves in the communication channel between client and server such that communication directly to the server is possible where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
  • Utilizing REST's Trust in the System Resource to Register Man in the Middle
    This attack utilizes a REST(REpresentational State Transfer)-style applications' trust in the system resources and environment to place man in the middle once SSL is terminated. Rest applications premise is that they leverage existing infrastructure to deliver web services functionality. An example of this is a Rest application that uses HTTP Get methods and receives a HTTP response with an XML document. These Rest style web services are deployed on existing infrastructure such as Apache and IIS web servers with no SOAP stack required. Unfortunately from a security standpoint, there frequently is no interoperable identity security mechanism deployed, so Rest developers often fall back to SSL to deliver security. In large data centers, SSL is typically terminated at the edge of the network - at the firewall, load balancer, or router. Once the SSL is terminated the HTTP request is in the clear (unless developers have hashed or encrypted the values, but this is rare). The attacker can utilize a sniffer such as Wireshark to snapshot the credentials, such as username and password that are passed in the clear once SSL is terminated. Once the attacker gathers these credentials, they can submit requests to the web service provider just as authorized user do. There is not typically an authentication on the client side, beyond what is passed in the request itself so once this is compromised, then this is generally sufficient to compromise the service's authentication scheme.
  • Man in the Middle Attack
    This type of attack targets the communication between two components (typically client and server). The attacker places himself in the communication channel between the two components. Whenever one component attempts to communicate with the other (data flow, authentication challenges, etc.), the data first goes to the attacker, who has the opportunity to observe or alter it, and it is then passed on to the other component as if it was never intercepted. This interposition is transparent leaving the two compromised components unaware of the potential corruption or leakage of their communications. The potential for Man-in-the-Middle attacks yields an implicit lack of trust in communication or identify between two components.

Nessus

  • NASL familyOracle Linux Local Security Checks
    NASL idORACLELINUX_ELSA-2018-0666.NASL
    descriptionFrom Red Hat Security Advisory 2018:0666 : An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109104
    published2018-04-18
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109104
    titleOracle Linux 7 : krb5 (ELSA-2018-0666)
    code
    #
    # (C) Tenable Network Security, Inc.
    #
    # The descriptive text and package checks in this plugin were
    # extracted from Red Hat Security Advisory RHSA-2018:0666 and 
    # Oracle Linux Security Advisory ELSA-2018-0666 respectively.
    #
    
    include("compat.inc");
    
    if (description)
    {
      script_id(109104);
      script_version("1.2");
      script_cvs_date("Date: 2019/09/27 13:00:38");
    
      script_cve_id("CVE-2017-11368", "CVE-2017-7562");
      script_xref(name:"RHSA", value:"2018:0666");
    
      script_name(english:"Oracle Linux 7 : krb5 (ELSA-2018-0666)");
      script_summary(english:"Checks rpm output for the updated packages");
    
      script_set_attribute(
        attribute:"synopsis", 
        value:"The remote Oracle Linux host is missing one or more security updates."
      );
      script_set_attribute(
        attribute:"description", 
        value:
    "From Red Hat Security Advisory 2018:0666 :
    
    An update for krb5 is now available for Red Hat Enterprise Linux 7.
    
    Red Hat Product Security has rated this update as having a security
    impact of Moderate. A Common Vulnerability Scoring System (CVSS) base
    score, which gives a detailed severity rating, is available for each
    vulnerability from the CVE link(s) in the References section.
    
    Kerberos is a network authentication system, which can improve the
    security of your network by eliminating the insecure practice of
    sending passwords over the network in unencrypted form. It allows
    clients and servers to authenticate to each other with the help of a
    trusted third party, the Kerberos key distribution center (KDC).
    
    Security Fix(es) :
    
    * krb5: Authentication bypass by improper validation of certificate
    EKU and SAN (CVE-2017-7562)
    
    * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure
    (CVE-2017-11368)
    
    For more details about the security issue(s), including the impact, a
    CVSS score, and other related information, refer to the CVE page(s)
    listed in the References section.
    
    Additional Changes :
    
    For detailed information on changes in this release, see the Red Hat
    Enterprise Linux 7.5 Release Notes linked from the References section."
      );
      script_set_attribute(
        attribute:"see_also",
        value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007610.html"
      );
      script_set_attribute(attribute:"solution", value:"Update the affected krb5 packages.");
      script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P");
      script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H");
    
      script_set_attribute(attribute:"plugin_type", value:"local");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-devel");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-libs");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-pkinit");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-server");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-server-ldap");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-workstation");
      script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libkadm5");
      script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7");
    
      script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/09");
      script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17");
      script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18");
      script_set_attribute(attribute:"generated_plugin", value:"current");
      script_end_attributes();
    
      script_category(ACT_GATHER_INFO);
      script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.");
      script_family(english:"Oracle Linux Local Security Checks");
    
      script_dependencies("ssh_get_info.nasl");
      script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list");
    
      exit(0);
    }
    
    
    include("audit.inc");
    include("global_settings.inc");
    include("rpm.inc");
    
    
    if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED);
    if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux");
    release = get_kb_item("Host/RedHat/release");
    if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux");
    os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release);
    if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux");
    os_ver = os_ver[1];
    if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver);
    
    if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING);
    
    cpu = get_kb_item("Host/cpu");
    if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH);
    if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu);
    if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu);
    
    flag = 0;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-devel-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-libs-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-pkinit-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-server-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-server-ldap-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-workstation-1.15.1-18.el7")) flag++;
    if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libkadm5-1.15.1-18.el7")) flag++;
    
    
    if (flag)
    {
      if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get());
      else security_warning(0);
      exit(0);
    }
    else
    {
      tested = pkg_tests_get();
      if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested);
      else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-pkinit / krb5-server / etc");
    }
    
  • NASL familyScientific Linux Local Security Checks
    NASL idSL_20180410_KRB5_ON_SL7_X.NASL
    descriptionSecurity Fix(es) : - krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) - krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) Additional Changes :
    last seen2020-03-18
    modified2018-05-01
    plugin id109450
    published2018-05-01
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109450
    titleScientific Linux Security Update : krb5 on SL7.x x86_64 (20180410)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2019-1167.NASL
    descriptionAccording to the versions of the krb5 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An authentication bypass flaw was found in the way krb5
    last seen2020-03-19
    modified2019-04-09
    plugin id123853
    published2019-04-09
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/123853
    titleEulerOS Virtualization 2.5.3 : krb5 (EulerOS-SA-2019-1167)
  • NASL familySuSE Local Security Checks
    NASL idSUSE_SU-2018-1425-1.NASL
    descriptionThis update for krb5 provides the following fixes: Security issues fixed : - CVE-2017-7562: Improper validation of certificate EKU and SAN could lead to authentication bypass. (bsc#1055851) Non-security issues fixed : - Set
    last seen2020-06-01
    modified2020-06-02
    plugin id110184
    published2018-05-29
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/110184
    titleSUSE SLES12 Security Update : krb5 (SUSE-SU-2018:1425-1)
  • NASL familyAmazon Linux Local Security Checks
    NASL idAL2_ALAS-2018-1010.NASL
    descriptionAuthentication bypass by improper validation of certificate EKU and SAN An authentication bypass flaw was found in the way krb5
    last seen2020-06-01
    modified2020-06-02
    plugin id109689
    published2018-05-11
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109689
    titleAmazon Linux 2 : krb5 (ALAS-2018-1010)
  • NASL familyAmazon Linux Local Security Checks
    NASL idALA_ALAS-2018-1010.NASL
    descriptionA denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) An authentication bypass flaw was found in the way krb5
    last seen2020-06-01
    modified2020-06-02
    plugin id117342
    published2018-09-07
    reporterThis script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/117342
    titleAmazon Linux AMI : krb5 (ALAS-2018-1010)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1361.NASL
    descriptionAccording to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) - An authentication bypass flaw was found in the way krb5
    last seen2020-06-03
    modified2018-11-07
    plugin id118755
    published2018-11-07
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118755
    titleEulerOS 2.0 SP3 : krb5 (EulerOS-SA-2018-1361)
  • NASL familyCentOS Local Security Checks
    NASL idCENTOS_RHSA-2018-0666.NASL
    descriptionAn update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id109370
    published2018-04-27
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/109370
    titleCentOS 7 : krb5 (CESA-2018:0666)
  • NASL familyNewStart CGSL Local Security Checks
    NASL idNEWSTART_CGSL_NS-SA-2019-0025_KRB5.NASL
    descriptionThe remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has krb5 packages installed that are affected by multiple vulnerabilities: - An authentication bypass flaw was found in the way krb5
    last seen2020-06-01
    modified2020-06-02
    plugin id127186
    published2019-08-12
    reporterThis script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/127186
    titleNewStart CGSL CORE 5.04 / MAIN 5.04 : krb5 Multiple Vulnerabilities (NS-SA-2019-0025)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1408.NASL
    descriptionAccording to the versions of the krb5 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An authentication bypass flaw was found in the way krb5
    last seen2020-03-26
    modified2018-12-28
    plugin id119897
    published2018-12-28
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/119897
    titleEulerOS Virtualization 2.5.2 : krb5 (EulerOS-SA-2018-1408)
  • NASL familyRed Hat Local Security Checks
    NASL idREDHAT-RHSA-2018-0666.NASL
    descriptionAn update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section.
    last seen2020-06-01
    modified2020-06-02
    plugin id108983
    published2018-04-11
    reporterThis script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/108983
    titleRHEL 7 : krb5 (RHSA-2018:0666)
  • NASL familyHuawei Local Security Checks
    NASL idEULEROS_SA-2018-1354.NASL
    descriptionAccording to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) - An authentication bypass flaw was found in the way krb5
    last seen2020-05-31
    modified2018-11-06
    plugin id118737
    published2018-11-06
    reporterThis script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/118737
    titleEulerOS 2.0 SP2 : krb5 (EulerOS-SA-2018-1354)

Redhat

advisories
bugzilla
id1485510
titleCVE-2017-7562 krb5: Authentication bypass by improper validation of certificate EKU and SAN
oval
OR
  • commentRed Hat Enterprise Linux must be installed
    ovaloval:com.redhat.rhba:tst:20070304026
  • AND
    • commentRed Hat Enterprise Linux 7 is installed
      ovaloval:com.redhat.rhba:tst:20150364027
    • OR
      • AND
        • commentkrb5-workstation is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666001
        • commentkrb5-workstation is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599008
      • AND
        • commentkrb5-libs is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666003
        • commentkrb5-libs is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599014
      • AND
        • commentlibkadm5 is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666005
        • commentlibkadm5 is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599010
      • AND
        • commentkrb5-pkinit is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666007
        • commentkrb5-pkinit is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599012
      • AND
        • commentkrb5-server-ldap is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666009
        • commentkrb5-server-ldap is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599004
      • AND
        • commentkrb5-server is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666011
        • commentkrb5-server is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599006
      • AND
        • commentkrb5-devel is earlier than 0:1.15.1-18.el7
          ovaloval:com.redhat.rhsa:tst:20180666013
        • commentkrb5-devel is signed with Red Hat redhatrelease2 key
          ovaloval:com.redhat.rhba:tst:20192599002
rhsa
idRHSA-2018:0666
released2018-04-10
severityModerate
titleRHSA-2018:0666: krb5 security, bug fix, and enhancement update (Moderate)
rpms
  • krb5-debuginfo-0:1.15.1-18.el7
  • krb5-devel-0:1.15.1-18.el7
  • krb5-libs-0:1.15.1-18.el7
  • krb5-pkinit-0:1.15.1-18.el7
  • krb5-server-0:1.15.1-18.el7
  • krb5-server-ldap-0:1.15.1-18.el7
  • krb5-workstation-0:1.15.1-18.el7
  • libkadm5-0:1.15.1-18.el7