1485510 – (CVE-2017-7562) CVE-2017-7562 krb5: Authentication bypass by improper validation of certificate EKU and SAN

Bug 1485510 (CVE-2017-7562) - CVE-2017-7562 krb5: Authentication bypass by improper validation of certificate EKU and SAN

Summary: CVE-2017-7562 krb5: Authentication bypass by improper validation of certifica...

Keywords:
Status:	CLOSED ERRATA
Alias:	CVE-2017-7562
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	1498767
Blocks:	1485513 1498774
TreeView+	depends on / blocked

Reported:	2017-08-25 22:00 UTC by Pedro Sampaio
Modified:	2019-09-29 14:19 UTC (History)
CC List:	39 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:	An authentication bypass flaw was found in the way krb5's certauth interface handled the validation of client certificates. A remote attacker able to communicate with the KDC could potentially use this flaw to impersonate arbitrary principals under rare and erroneous circumstances.
Clone Of:
Environment:
Last Closed:	2019-06-08 03:22:16 UTC
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHSA-2018:0666	0	None	None	None	2018-04-10 08:03:08 UTC

Description Pedro Sampaio 2017-08-25 22:00:29 UTC

A flaw was found in krb5 certificate EKU validation which could lead to improper authorization if a forged certificate with the right EKU and no SAN is used.

The PKINIT certauth eku module should never authoritatively authorize
a certificate, because an extended key usage does not establish a
relationship between the certificate and any specific user; it only
establishes that the certificate was created for PKINIT client
authentication.

Upstream bug:

https://github.com/krb5/krb5/pull/694

Upstream patch:

https://github.com/krb5/krb5/pull/694/commits/50fe4074f188c2d4da0c421e96553acea8378db2
https://github.com/krb5/krb5/pull/694/commits/1de6ca2f2eb1fdbab51f1549a25a6903aefcc196
https://github.com/krb5/krb5/pull/694/commits/b7af544e50a4d8291524f590e20dd44430bf627d

Comment 7 errata-xmlrpc 2018-04-10 08:02:54 UTC

This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2018:0666 https://access.redhat.com/errata/RHSA-2018:0666

Note You need to log in before you can comment on or make changes to this bug.

abokovoy
bmaxwell
cdewolf
chazlett
csutherl
darran.lofthouse
dimitris
dosoudil
dpal
fgavrilo
gzaronik
jawilson
jclere
jondruse
jplans
jshepherd
j
lgao
mbabacek
mturk
myarboro
nalin
npmccallum
pgier
pjurak
pkis
ppalaga
psakar
pslavice
rharwood
rnetuka
rstancel
rsvoboda
sardella
sbose
ssorce
twalsh
vtunka
weli