Bug 2025721 (Bronze_Bit, CVE-2020-17049) - CVE-2020-17049 Kerberos: delegation constrain bypass in S4U2Proxy
Summary: CVE-2020-17049 Kerberos: delegation constrain bypass in S4U2Proxy
Keywords:
Status: CLOSED ERRATA
Alias: Bronze_Bit, CVE-2020-17049
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1913254 1956994 2026711 2026712 2026713
Blocks: 2018583
TreeView+ depends on / blocked
 
Reported: 2021-11-22 20:03 UTC by Cedric Buissart
Modified: 2024-04-10 19:51 UTC (History)
53 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it's providing from tempering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user.
Clone Of:
Environment:
Last Closed: 2023-05-09 15:42:48 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2024:0282 0 None None None 2024-01-18 07:26:12 UTC
Red Hat Product Errata RHSA-2023:2570 0 None None None 2023-05-09 07:59:51 UTC
Red Hat Product Errata RHSA-2024:0137 0 None None None 2024-01-10 12:27:46 UTC
Red Hat Product Errata RHSA-2024:0139 0 None None None 2024-01-10 13:10:35 UTC
Red Hat Product Errata RHSA-2024:0143 0 None None None 2024-01-10 13:34:17 UTC
Red Hat Product Errata RHSA-2024:0252 0 None None None 2024-01-15 15:46:36 UTC

Description Cedric Buissart 2021-11-22 20:03:47 UTC 
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
Comment 5 Cedric Buissart 2021-11-25 15:00:52 UTC 
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 2026712]


Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2026711]
Comment 15 errata-xmlrpc 2023-05-09 07:59:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2570 https://access.redhat.com/errata/RHSA-2023:2570
Comment 16 Product Security DevOps Team 2023-05-09 15:42:44 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17049
Comment 17 errata-xmlrpc 2024-01-10 12:27:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0137 https://access.redhat.com/errata/RHSA-2024:0137
Comment 18 errata-xmlrpc 2024-01-10 13:10:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0139 https://access.redhat.com/errata/RHSA-2024:0139
Comment 19 errata-xmlrpc 2024-01-10 13:34:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0143 https://access.redhat.com/errata/RHSA-2024:0143
Comment 21 errata-xmlrpc 2024-01-15 15:46:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0252 https://access.redhat.com/errata/RHSA-2024:0252
Note You need to log in before you can comment on or make changes to this bug.