Bug 2025721 (Bronze_Bit, CVE-2020-17049)

Summary: CVE-2020-17049 Kerberos: delegation constrain bypass in S4U2Proxy
Product: [Other] Security Response Reporter: Cedric Buissart <cbuissar>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, anoopcs, asn, asoldano, atangrin, bbaranow, bdettelb, bmaxwell, brian.stansberry, cdewolf, chazlett, csutherl, darran.lofthouse, dkarpele, dkreling, doconnor, dosoudil, eleandro, fdvorak, fjuma, gdeschner, gzaronik, hvyas, iboukris, istudens, ivassile, iweiss, jburrell, jclere, jochrist, jpallich, jperkins, jrische, jstephen, j, jwon, kwills, lgao, lmohanty, mosmerov, msochure, msvehla, mturk, nobody, npmccallum, nwallace, pesilva, pfilipen, pjindal, plodge, pmackay, pvoborni, rguimara, rhs-smb, rstancel, rsvoboda, sbose, smaestri, ssorce, szappis, teagle, tom.jenkinson, yborgess
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it's providing from tempering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-05-09 15:42:48 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1913254, 1956994, 2026711, 2026712, 2026713    
Bug Blocks: 2018583    

Description Cedric Buissart 2021-11-22 20:03:47 UTC 
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
Comment 5 Cedric Buissart 2021-11-25 15:00:52 UTC 
Created krb5 tracking bugs for this issue:

Affects: fedora-all [bug 2026712]


Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2026711]
Comment 15 errata-xmlrpc 2023-05-09 07:59:48 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:2570 https://access.redhat.com/errata/RHSA-2023:2570
Comment 16 Product Security DevOps Team 2023-05-09 15:42:44 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17049
Comment 17 errata-xmlrpc 2024-01-10 12:27:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Extended Update Support

Via RHSA-2024:0137 https://access.redhat.com/errata/RHSA-2024:0137
Comment 18 errata-xmlrpc 2024-01-10 13:10:32 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0139 https://access.redhat.com/errata/RHSA-2024:0139
Comment 19 errata-xmlrpc 2024-01-10 13:34:13 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2024:0143 https://access.redhat.com/errata/RHSA-2024:0143
Comment 21 errata-xmlrpc 2024-01-15 15:46:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Extended Update Support

Via RHSA-2024:0252 https://access.redhat.com/errata/RHSA-2024:0252