ID CVE-2017-11368
Summary In MIT Kerberos 5 (aka krb5) 1.7 and later, an authenticated attacker can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.
References
Vulnerable Configurations
  • cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:25:*:*:*:*:*:*:*
  • cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*
    cpe:2.3:o:fedoraproject:fedora:26:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.7:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.7.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.7.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.8:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.8:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.8.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.8.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.8.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.8.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.8.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.8.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.8.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.8.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.8.5:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.8.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.8.6:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.8.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.9:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.9:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.9.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.9.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.9.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.9.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.9.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.9.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.9.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.9.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.10:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.10:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.10.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.10.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.10.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.10.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.10.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.10.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.10.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.10.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.11:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.11:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.11.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.11.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.11.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.11.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.11.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.11.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.11.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.11.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.11.5:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.11.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.12:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.12:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.12.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.12.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.12.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.12.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.12.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.12.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.13:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.13:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.13.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.13.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.13.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.13.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.13.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.13.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.13.5:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.13.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.13.6:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.13.6:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.13.7:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.13.7:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14:alpha1:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14:alpha1:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14:beta1:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14:beta1:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14:beta2:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14:beta2:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14.2:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14.2:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14.3:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14.3:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14.4:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14.4:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.14.5:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.14.5:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.15:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.15:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.15.1:*:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.15.1:*:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.15.1:beta1:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.15.1:beta1:*:*:*:*:*:*
  • cpe:2.3:a:mit:kerberos:5-1.15.1:beta2:*:*:*:*:*:*
    cpe:2.3:a:mit:kerberos:5-1.15.1:beta2:*:*:*:*:*:*
CVSS
Base: 4.0 (as of 03-10-2019 - 00:03)
Impact:
Exploitability:
CWE CWE-617
CAPEC
Access
VectorComplexityAuthentication
NETWORK LOW SINGLE
Impact
ConfidentialityIntegrityAvailability
NONE NONE PARTIAL
cvss-vector via4 AV:N/AC:L/Au:S/C:N/I:N/A:P
redhat via4
advisories
bugzilla
id 1485510
title CVE-2017-7562 krb5: Authentication bypass by improper validation of certificate EKU and SAN
oval
AND
  • OR
    • comment Red Hat Enterprise Linux 7 Client is installed
      oval oval:com.redhat.rhba:tst:20150364001
    • comment Red Hat Enterprise Linux 7 Server is installed
      oval oval:com.redhat.rhba:tst:20150364002
    • comment Red Hat Enterprise Linux 7 Workstation is installed
      oval oval:com.redhat.rhba:tst:20150364003
    • comment Red Hat Enterprise Linux 7 ComputeNode is installed
      oval oval:com.redhat.rhba:tst:20150364004
  • OR
    • AND
      • comment krb5-devel is earlier than 0:1.15.1-18.el7
        oval oval:com.redhat.rhsa:tst:20180666011
      • comment krb5-devel is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863012
    • AND
      • comment krb5-libs is earlier than 0:1.15.1-18.el7
        oval oval:com.redhat.rhsa:tst:20180666007
      • comment krb5-libs is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863016
    • AND
      • comment krb5-pkinit is earlier than 0:1.15.1-18.el7
        oval oval:com.redhat.rhsa:tst:20180666013
      • comment krb5-pkinit is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20150439006
    • AND
      • comment krb5-server is earlier than 0:1.15.1-18.el7
        oval oval:com.redhat.rhsa:tst:20180666015
      • comment krb5-server is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863010
    • AND
      • comment krb5-server-ldap is earlier than 0:1.15.1-18.el7
        oval oval:com.redhat.rhsa:tst:20180666017
      • comment krb5-server-ldap is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863006
    • AND
      • comment krb5-workstation is earlier than 0:1.15.1-18.el7
        oval oval:com.redhat.rhsa:tst:20180666005
      • comment krb5-workstation is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20100863014
    • AND
      • comment libkadm5 is earlier than 0:1.15.1-18.el7
        oval oval:com.redhat.rhsa:tst:20180666009
      • comment libkadm5 is signed with Red Hat redhatrelease2 key
        oval oval:com.redhat.rhsa:tst:20162591008
rhsa
id RHSA-2018:0666
released 2018-04-10
severity Moderate
title RHSA-2018:0666: krb5 security, bug fix, and enhancement update (Moderate)
rpms
  • krb5-devel-0:1.15.1-18.el7
  • krb5-libs-0:1.15.1-18.el7
  • krb5-pkinit-0:1.15.1-18.el7
  • krb5-server-0:1.15.1-18.el7
  • krb5-server-ldap-0:1.15.1-18.el7
  • krb5-workstation-0:1.15.1-18.el7
  • libkadm5-0:1.15.1-18.el7
refmap via4
bid 100291
confirm https://github.com/krb5/krb5/commit/ffb35baac6981f9e8914f8f3bffd37f284b85970
fedora
  • FEDORA-2017-8e9d9771c4
  • FEDORA-2017-e5b36383f4
Last major update 03-10-2019 - 00:03
Published 09-08-2017 - 18:29
Back to Top