Vulnerabilities > CVE-2017-7562 - Improper Certificate Validation vulnerability in multiple products
Attack vector
NETWORK Attack complexity
LOW Privileges required
LOW Confidentiality impact
NONE Integrity impact
HIGH Availability impact
NONE Summary
An authentication bypass flaw was found in the way krb5's certauth interface before 1.16.1 handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.
Vulnerable Configurations
Common Weakness Enumeration (CWE)
Common Attack Pattern Enumeration and Classification (CAPEC)
- Creating a Rogue Certificate Authority Certificate An attacker exploits a weakness in the MD5 hash algorithm (weak collision resistance) to generate a certificate signing request (CSR) that contains collision blocks in the "to be signed" part. The attacker specially crafts two different, but valid X.509 certificates that when hashed with the MD5 algorithm would yield the same value. The attacker then sends the CSR for one of the certificates to the Certification Authority which uses the MD5 hashing algorithm. That request is completely valid and the Certificate Authority issues an X.509 certificate to the attacker which is signed with its private key. An attacker then takes that signed blob and inserts it into another X.509 certificate that the attacker generated. Due to the MD5 collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the attackers' second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority. To make the attack more interesting, the second certificate could be not just a regular certificate, but rather itself a signing certificate. Thus the attacker is able to start their own Certification Authority that is anchored in its root of trust in the legitimate Certification Authority that has signed the attackers' first X.509 certificate. If the original Certificate Authority was accepted by default by browsers, so will now the Certificate Authority set up by the attacker and of course any certificates that it signs. So the attacker is now able to generate any SSL certificates to impersonate any web server, and the user's browser will not issue any warning to the victim. This can be used to compromise HTTPS communications and other types of systems where PKI and X.509 certificates may be used (e.g., VPN, IPSec) .
Nessus
NASL family Oracle Linux Local Security Checks NASL id ORACLELINUX_ELSA-2018-0666.NASL description From Red Hat Security Advisory 2018:0666 : An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 109104 published 2018-04-18 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109104 title Oracle Linux 7 : krb5 (ELSA-2018-0666) code # # (C) Tenable Network Security, Inc. # # The descriptive text and package checks in this plugin were # extracted from Red Hat Security Advisory RHSA-2018:0666 and # Oracle Linux Security Advisory ELSA-2018-0666 respectively. # include("compat.inc"); if (description) { script_id(109104); script_version("1.2"); script_cvs_date("Date: 2019/09/27 13:00:38"); script_cve_id("CVE-2017-11368", "CVE-2017-7562"); script_xref(name:"RHSA", value:"2018:0666"); script_name(english:"Oracle Linux 7 : krb5 (ELSA-2018-0666)"); script_summary(english:"Checks rpm output for the updated packages"); script_set_attribute( attribute:"synopsis", value:"The remote Oracle Linux host is missing one or more security updates." ); script_set_attribute( attribute:"description", value: "From Red Hat Security Advisory 2018:0666 : An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section." ); script_set_attribute( attribute:"see_also", value:"https://oss.oracle.com/pipermail/el-errata/2018-April/007610.html" ); script_set_attribute(attribute:"solution", value:"Update the affected krb5 packages."); script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:P"); script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"); script_set_attribute(attribute:"plugin_type", value:"local"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-devel"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-libs"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-pkinit"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-server"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-server-ldap"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:krb5-workstation"); script_set_attribute(attribute:"cpe", value:"p-cpe:/a:oracle:linux:libkadm5"); script_set_attribute(attribute:"cpe", value:"cpe:/o:oracle:linux:7"); script_set_attribute(attribute:"vuln_publication_date", value:"2017/08/09"); script_set_attribute(attribute:"patch_publication_date", value:"2018/04/17"); script_set_attribute(attribute:"plugin_publication_date", value:"2018/04/18"); script_set_attribute(attribute:"generated_plugin", value:"current"); script_end_attributes(); script_category(ACT_GATHER_INFO); script_copyright(english:"This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof."); script_family(english:"Oracle Linux Local Security Checks"); script_dependencies("ssh_get_info.nasl"); script_require_keys("Host/local_checks_enabled", "Host/OracleLinux", "Host/RedHat/release", "Host/RedHat/rpm-list"); exit(0); } include("audit.inc"); include("global_settings.inc"); include("rpm.inc"); if (!get_kb_item("Host/local_checks_enabled")) audit(AUDIT_LOCAL_CHECKS_NOT_ENABLED); if (!get_kb_item("Host/OracleLinux")) audit(AUDIT_OS_NOT, "Oracle Linux"); release = get_kb_item("Host/RedHat/release"); if (isnull(release) || !pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux)", string:release)) audit(AUDIT_OS_NOT, "Oracle Linux"); os_ver = pregmatch(pattern: "Oracle (?:Linux Server|Enterprise Linux) .*release ([0-9]+(\.[0-9]+)?)", string:release); if (isnull(os_ver)) audit(AUDIT_UNKNOWN_APP_VER, "Oracle Linux"); os_ver = os_ver[1]; if (! preg(pattern:"^7([^0-9]|$)", string:os_ver)) audit(AUDIT_OS_NOT, "Oracle Linux 7", "Oracle Linux " + os_ver); if (!get_kb_item("Host/RedHat/rpm-list")) audit(AUDIT_PACKAGE_LIST_MISSING); cpu = get_kb_item("Host/cpu"); if (isnull(cpu)) audit(AUDIT_UNKNOWN_ARCH); if ("x86_64" >!< cpu && cpu !~ "^i[3-6]86$") audit(AUDIT_LOCAL_CHECKS_NOT_IMPLEMENTED, "Oracle Linux", cpu); if ("x86_64" >!< cpu) audit(AUDIT_ARCH_NOT, "x86_64", cpu); flag = 0; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-devel-1.15.1-18.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-libs-1.15.1-18.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-pkinit-1.15.1-18.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-server-1.15.1-18.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-server-ldap-1.15.1-18.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"krb5-workstation-1.15.1-18.el7")) flag++; if (rpm_check(release:"EL7", cpu:"x86_64", reference:"libkadm5-1.15.1-18.el7")) flag++; if (flag) { if (report_verbosity > 0) security_warning(port:0, extra:rpm_report_get()); else security_warning(0); exit(0); } else { tested = pkg_tests_get(); if (tested) audit(AUDIT_PACKAGE_NOT_AFFECTED, tested); else audit(AUDIT_PACKAGE_NOT_INSTALLED, "krb5-devel / krb5-libs / krb5-pkinit / krb5-server / etc"); }NASL family Scientific Linux Local Security Checks NASL id SL_20180410_KRB5_ON_SL7_X.NASL description Security Fix(es) : - krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) - krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) Additional Changes : last seen 2020-03-18 modified 2018-05-01 plugin id 109450 published 2018-05-01 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109450 title Scientific Linux Security Update : krb5 on SL7.x x86_64 (20180410) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2019-1167.NASL description According to the versions of the krb5 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An authentication bypass flaw was found in the way krb5 last seen 2020-03-19 modified 2019-04-09 plugin id 123853 published 2019-04-09 reporter This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/123853 title EulerOS Virtualization 2.5.3 : krb5 (EulerOS-SA-2019-1167) NASL family SuSE Local Security Checks NASL id SUSE_SU-2018-1425-1.NASL description This update for krb5 provides the following fixes: Security issues fixed : - CVE-2017-7562: Improper validation of certificate EKU and SAN could lead to authentication bypass. (bsc#1055851) Non-security issues fixed : - Set last seen 2020-06-01 modified 2020-06-02 plugin id 110184 published 2018-05-29 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/110184 title SUSE SLES12 Security Update : krb5 (SUSE-SU-2018:1425-1) NASL family Amazon Linux Local Security Checks NASL id AL2_ALAS-2018-1010.NASL description Authentication bypass by improper validation of certificate EKU and SAN An authentication bypass flaw was found in the way krb5 last seen 2020-06-01 modified 2020-06-02 plugin id 109689 published 2018-05-11 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109689 title Amazon Linux 2 : krb5 (ALAS-2018-1010) NASL family Amazon Linux Local Security Checks NASL id ALA_ALAS-2018-1010.NASL description A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) An authentication bypass flaw was found in the way krb5 last seen 2020-06-01 modified 2020-06-02 plugin id 117342 published 2018-09-07 reporter This script is Copyright (C) 2018 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/117342 title Amazon Linux AMI : krb5 (ALAS-2018-1010) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1361.NASL description According to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) - An authentication bypass flaw was found in the way krb5 last seen 2020-06-03 modified 2018-11-07 plugin id 118755 published 2018-11-07 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118755 title EulerOS 2.0 SP3 : krb5 (EulerOS-SA-2018-1361) NASL family CentOS Local Security Checks NASL id CENTOS_RHSA-2018-0666.NASL description An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 109370 published 2018-04-27 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/109370 title CentOS 7 : krb5 (CESA-2018:0666) NASL family NewStart CGSL Local Security Checks NASL id NEWSTART_CGSL_NS-SA-2019-0025_KRB5.NASL description The remote NewStart CGSL host, running version CORE 5.04 / MAIN 5.04, has krb5 packages installed that are affected by multiple vulnerabilities: - An authentication bypass flaw was found in the way krb5 last seen 2020-06-01 modified 2020-06-02 plugin id 127186 published 2019-08-12 reporter This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/127186 title NewStart CGSL CORE 5.04 / MAIN 5.04 : krb5 Multiple Vulnerabilities (NS-SA-2019-0025) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1408.NASL description According to the versions of the krb5 packages installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : - An authentication bypass flaw was found in the way krb5 last seen 2020-03-26 modified 2018-12-28 plugin id 119897 published 2018-12-28 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/119897 title EulerOS Virtualization 2.5.2 : krb5 (EulerOS-SA-2018-1408) NASL family Red Hat Local Security Checks NASL id REDHAT-RHSA-2018-0666.NASL description An update for krb5 is now available for Red Hat Enterprise Linux 7. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center (KDC). Security Fix(es) : * krb5: Authentication bypass by improper validation of certificate EKU and SAN (CVE-2017-7562) * krb5: Invalid S4U2Self or S4U2Proxy request causes assertion failure (CVE-2017-11368) For more details about the security issue(s), including the impact, a CVSS score, and other related information, refer to the CVE page(s) listed in the References section. Additional Changes : For detailed information on changes in this release, see the Red Hat Enterprise Linux 7.5 Release Notes linked from the References section. last seen 2020-06-01 modified 2020-06-02 plugin id 108983 published 2018-04-11 reporter This script is Copyright (C) 2018-2019 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/108983 title RHEL 7 : krb5 (RHSA-2018:0666) NASL family Huawei Local Security Checks NASL id EULEROS_SA-2018-1354.NASL description According to the versions of the krb5 packages installed, the EulerOS installation on the remote host is affected by the following vulnerabilities : - A denial of service flaw was found in MIT Kerberos krb5kdc service. An authenticated attacker could use this flaw to cause krb5kdc to exit with an assertion failure by making an invalid S4U2Self or S4U2Proxy request.(CVE-2017-11368) - An authentication bypass flaw was found in the way krb5 last seen 2020-05-31 modified 2018-11-06 plugin id 118737 published 2018-11-06 reporter This script is Copyright (C) 2018-2020 and is owned by Tenable, Inc. or an Affiliate thereof. source https://www.tenable.com/plugins/nessus/118737 title EulerOS 2.0 SP2 : krb5 (EulerOS-SA-2018-1354)
Redhat
| advisories |
| ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| rpms |
|
References
- https://github.com/krb5/krb5/pull/694/commits/b7af544e50a4d8291524f590e20dd44430bf627d
- https://github.com/krb5/krb5/pull/694/commits/50fe4074f188c2d4da0c421e96553acea8378db2
- https://github.com/krb5/krb5/pull/694/commits/1de6ca2f2eb1fdbab51f1549a25a6903aefcc196
- https://github.com/krb5/krb5/pull/694
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2017-7562
- https://access.redhat.com/errata/RHSA-2018:0666
- http://www.securityfocus.com/bid/100511