CVE-2019-12098

CVSS metrics
Attack vector: NETWORK
Attack complexity: HIGH
Privileges required: NONE
Confidentiality impact: HIGH
Integrity impact: HIGH
Availability impact: NONE

Summary
In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.
Vulnerable Configurations
Nessus
NASL family: Debian Local Security Checks
NASL id: DEBIAN_DSA-4455.NASL
description: Several vulnerabilities were discovered in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos.
- CVE-2018-16860: Isaac Boukris and Andrew Bartlett discovered that Heimdal was susceptible to man-in-the-middle attacks caused by incomplete checksum validation. Details on the issue can be found in the Samba advisory at https://www.samba.org/samba/security/CVE-2018-16860.html .
- CVE-2019-12098: It was discovered that failure to verify the PA-PKINIT-KX key exchange on the client side could permit a man-in-the-middle attack.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 125709
published: 2019-06-05
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/125709
title: Debian DSA-4455-1 : heimdal - security update

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2019-F3046B6BFB.NASL
description: Security fix for CVE-2019-12098. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 132663
published: 2020-01-06
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/132663
title: Fedora 31 : heimdal (2019-f3046b6bfb)

NASL family: Fedora Local Security Checks
NASL id: FEDORA_2019-2FA7D6405B.NASL
description: Security fix for CVE-2019-12098. Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 132642
published: 2020-01-06
reporter: This script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/132642
title: Fedora 30 : heimdal (2019-2fa7d6405b)

NASL family: SuSE Local Security Checks
NASL id: OPENSUSE-2019-1682.NASL
description: This update for libheimdal fixes the following issues :
libheimdal was updated to version 7.7.0 :
+ Bug fixes :
  - PKCS#11 hcrypto back-end :
    + initialize the p11_module_load function list
    + verify that not only is a mechanism present but that its mechanism info states that it offers the required encryption, decryption or digest services
  - krb5 :
    + Starting with 7.6, Heimdal permitted requesting authenticated anonymous tickets. However, it did not verify that a KDC in fact returned an anonymous ticket when one was requested.
    + Cease setting the KDCOption request_anonymous flag when issuing S4UProxy (constrained delegation) TGS requests.
    + when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate.
    + set PKINIT_BTMM flag per Apple implementation
    + use memset_s() instead of memset()
  - kdc :
    + When generating KRB5SignedPath in the AS, use the reply client name rather than the one from the request, so validation will work correctly in the TGS.
    + allow checksum of PA-FOR-USER to be HMAC_MD5. Even if TGT used an enctype with a different checksum. Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and that
last seen: 2020-05-31
modified: 2019-07-02
plugin id: 126437
published: 2019-07-02
reporter: This script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
source: https://www.tenable.com/plugins/nessus/126437
title: openSUSE Security Update : libheimdal (openSUSE-2019-1682)
References
- https://github.com/heimdal/heimdal/releases/tag/heimdal-7.6.0
- https://github.com/heimdal/heimdal/compare/3e58559...bbafe72
- https://github.com/heimdal/heimdal/commit/2f7f3d9960aa6ea21358bdf3687cee5149aa35cf
- http://www.h5l.org/pipermail/heimdal-announce/2019-May/000009.html
- https://seclists.org/bugtraq/2019/Jun/1
- https://www.debian.org/security/2019/dsa-4455
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00002.html
- http://lists.opensuse.org/opensuse-security-announce/2019-07/msg00003.html
- http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00026.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/GIXEDVVMPD6ZAJSMI2EZ7FNEIVNWE5PD/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SLXXIF4LOQEAEDAF4UGP2AO6WDNTDFUB/