Vulnerabilities > CVE-2019-12098

047910
CVSS 7.4 - HIGH
Attack vector
NETWORK
Attack complexity
HIGH
Privileges required
NONE
Confidentiality impact
HIGH
Integrity impact
HIGH
Availability impact
NONE
network
high complexity
heimdal-project
fedoraproject
opensuse
debian
nessus

Summary

In the client side of Heimdal before 7.6.0, failure to verify anonymous PKINIT PA-PKINIT-KX key exchange permits a man-in-the-middle attack. This issue is in krb5_init_creds_step in lib/krb5/init_creds_pw.c.

Vulnerable Configurations

Part Description Count
Application
Heimdal_Project
123
Application
Opensuse
2
OS
Fedoraproject
2
OS
Opensuse
3
OS
Debian
1

Nessus

  • NASL familyDebian Local Security Checks
    NASL idDEBIAN_DSA-4455.NASL
    descriptionSeveral vulnerabilities were discovered in Heimdal, an implementation of Kerberos 5 that aims to be compatible with MIT Kerberos. - CVE-2018-16860 Isaac Boukris and Andrew Bartlett discovered that Heimdal was susceptible to man-in-the-middle attacks caused by incomplete checksum validation. Details on the issue can be found in the Samba advisory at https://www.samba.org/samba/security/CVE-2018-16860.html . - CVE-2019-12098 It was discovered that failure of verification of the PA-PKINIT-KX key exchange client-side could permit to perform man-in-the-middle attack.
    last seen2020-06-01
    modified2020-06-02
    plugin id125709
    published2019-06-05
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/125709
    titleDebian DSA-4455-1 : heimdal - security update
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-F3046B6BFB.NASL
    descriptionSecurity fix for CVE-2019-12098 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id132663
    published2020-01-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132663
    titleFedora 31 : heimdal (2019-f3046b6bfb)
  • NASL familyFedora Local Security Checks
    NASL idFEDORA_2019-2FA7D6405B.NASL
    descriptionSecurity fix for CVE-2019-12098 Note that Tenable Network Security has extracted the preceding description block directly from the Fedora update system website. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.
    last seen2020-06-01
    modified2020-06-02
    plugin id132642
    published2020-01-06
    reporterThis script is Copyright (C) 2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/132642
    titleFedora 30 : heimdal (2019-2fa7d6405b)
  • NASL familySuSE Local Security Checks
    NASL idOPENSUSE-2019-1682.NASL
    descriptionThis update for libheimdal fixes the following issues : libheimdal was updated to version 7.7.0 : + Bug fixes : - PKCS#11 hcrypto back-end : + initialize the p11_module_load function list + verify that not only is a mechanism present but that its mechanism info states that it offers the required encryption, decryption or digest services - krb5 : + Starting with 7.6, Heimdal permitted requesting authenticated anonymous tickets. However, it did not verify that a KDC in fact returned an anonymous ticket when one was requested. + Cease setting the KDCOption reaquest_anonymous flag when issuing S4UProxy (constrained delegation) TGS requests. + when the Win2K PKINIT compatibility option is set, do not require krbtgt otherName to match when validating KDC certificate. + set PKINIT_BTMM flag per Apple implementation + use memset_s() instead of memset() - kdc : + When generating KRB5SignedPath in the AS, use the reply client name rather than the one from the request, so validation will work correctly in the TGS. + allow checksum of PA-FOR-USER to be HMAC_MD5. Even if TGT used an enctype with a different checksum. Per [MS-SFU] 2.2.1 PA-FOR-USER the checksum is always HMAC_MD5, and that
    last seen2020-05-31
    modified2019-07-02
    plugin id126437
    published2019-07-02
    reporterThis script is Copyright (C) 2019-2020 and is owned by Tenable, Inc. or an Affiliate thereof.
    sourcehttps://www.tenable.com/plugins/nessus/126437
    titleopenSUSE Security Update : libheimdal (openSUSE-2019-1682)

References