Bug 928978 (CVE-2015-2694) - VUL-0: CVE-2015-2694: krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass
Status: RESOLVED FIXED
Alias: CVE-2015-2694
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium; Severity: Normal
Target Milestone: ---
Assignee: Peter Varkoly
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/116337/
Reported: 2015-04-28 17:48 UTC by Andreas Stieger
Modified: 2016-05-25 15:37 UTC
Found By: Security Response Team
Description Andreas Stieger 2015-04-28 17:48:43 UTC
https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604

> In the OTP kdcpreauth module, don't set the TKT_FLG_PRE_AUTH bit until
> the request is successfully verified.  In the PKINIT kdcpreauth
> module, don't respond with code 0 on empty input or an unconfigured
> realm.  Together these bugs could cause the KDC preauth framework to
> erroneously treat a request as pre-authenticated.
> 
> CVE-2015-2694:
> 
> In MIT krb5 1.12 and later, when the KDC is configured with PKINIT
> support, an unauthenticated remote attacker can bypass the
> requires_preauth flag on a client principal and obtain a ciphertext
> encrypted in the principal's long-term key.  This ciphertext could be
> used to conduct an off-line dictionary attack against the user's
> password.
> 
>     CVSSv2 Vector: AV:N/AC:M/Au:N/C:P/I:P/A:N/E:POC/RL:OF/RC:C
> 
> ticket: 8160 (new)
> target_version: 1.13.2
> tags: pullup
> subject: requires_preauth bypass in PKINIT-enabled KDC [CVE-2015-2694]


SLE 12 is affected
>         --enable-pkinit \
>         --with-pkinit-crypto-impl=openssl \


References:
https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604
https://bugzilla.redhat.com/show_bug.cgi?id=1216133
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2694
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2694
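
A simplified model of the two module bugs named in the commit message quoted above, added here as an illustration; it is not code from krb5 or from this bug report. The module functions, the framework loop, the `fixed` switch and the sample requests are assumptions constructed for the example; only the TKT_FLG_PRE_AUTH name is taken from the page.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TKT_FLG_PRE_AUTH 0x00200000u  /* flag named in the commit message */
enum { PA_OTP = 1, PA_PKINIT = 2 };   /* hypothetical type tags */
struct padata { int type; const char *data; size_t len; };
struct ticket { unsigned flags; };

/* Constructed samples: failing OTP value plus empty PKINIT element; valid OTP value. */
static const struct padata BAD_REQ[]  = { {PA_OTP, "nope", 4}, {PA_PKINIT, NULL, 0} };
static const struct padata GOOD_REQ[] = { {PA_OTP, "good", 4} };

/* Stand-in for real verification: only the constructed value "good" passes. */
static int verifies(const struct padata *pa) {
    return pa->data != NULL && pa->len == 4 && memcmp(pa->data, "good", 4) == 0;
}

static int otp_verify(const struct padata *pa, struct ticket *t, int fixed) {
    if (!fixed) t->flags |= TKT_FLG_PRE_AUTH;  /* bug: bit set before verification */
    if (!verifies(pa)) return -1;
    t->flags |= TKT_FLG_PRE_AUTH;              /* fix: bit set only on success */
    return 0;
}

static int pkinit_verify(const struct padata *pa, struct ticket *t, int fixed) {
    if (pa->data == NULL || pa->len == 0)
        return fixed ? -1 : 0;                 /* bug: code 0 on empty input */
    if (!verifies(pa)) return -1;
    t->flags |= TKT_FLG_PRE_AUTH;
    return 0;
}

/* Assumed framework rule: modules are tried in order until one responds with
 * code 0; the request counts as pre-authenticated if one did and the bit is set. */
int preauth_accepted(const struct padata *pa, size_t n, int fixed) {
    struct ticket t = { 0 };
    int ok = 0;
    for (size_t i = 0; i < n && !ok; i++) {
        int rc = pa[i].type == PA_OTP ? otp_verify(&pa[i], &t, fixed)
                                      : pkinit_verify(&pa[i], &t, fixed);
        ok = (rc == 0);
    }
    return ok && (t.flags & TKT_FLG_PRE_AUTH) != 0;
}

int main(void) {
    printf("%d %d %d\n", preauth_accepted(BAD_REQ, 2, 0),
           preauth_accepted(BAD_REQ, 2, 1), preauth_accepted(GOOD_REQ, 1, 1));
    return 0;
}
```

In this model neither defect alone marks the request as pre-authenticated; the early flag from one module and the code 0 from the other have to coincide, which matches the commit message's "together".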
Comment 2 Swamp Workflow Management 2015-04-28 22:00:54 UTC
bugbot adjusting priority
Comment 3 Victor Pereira 2015-06-11 14:58:36 UTC
ping! We still have it open, waiting for new submissions.. any ETA?
Comment 4 Peter Varkoly 2015-07-13 07:02:58 UTC
Create MR:62272
Comment 6 Andreas Stieger 2015-07-22 10:56:29 UTC
The update is still required for openSUSE 13.2.
Comment 7 Swamp Workflow Management 2015-07-22 11:08:39 UTC
SUSE-SU-2015:1276-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 910457,910458,918595,928978
CVE References: CVE-2014-5353,CVE-2014-5354,CVE-2014-5355,CVE-2015-2694
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    krb5-1.12.1-16.1
SUSE Linux Enterprise Server 12 (src):    krb5-1.12.1-16.1
Comment 8 Bernhard Wiedemann 2015-08-03 06:00:32 UTC
This is an autogenerated message for OBS integration:
This bug (928978) was mentioned in
https://build.opensuse.org/request/show/320084 42 / krb5
Comment 9 Marcus Meissner 2016-05-25 15:37:19 UTC
done