The following flaw was found in MIT Kerberos:
In the OTP kdcpreauth module, the TKT_FLG_PRE_AUTH bit was set before the request was successfully verified. In the PKINIT kdcpreauth module, code 0 was returned on empty input or an unconfigured realm. Together, these bugs could cause the KDC preauth framework to erroneously treat a request as pre-authenticated.
In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.
Created krb5 tracking bugs for this issue:
Affects: fedora-21 [bug 1216134]
This issue does not affect the version of krb5 package as shipped with Red Hat Enterprise Linux 5 and 6.
krb5-1.13.1-3.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
krb5-1.12.2-17.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 7
Via RHSA-2015:2154 https://rhn.redhat.com/errata/RHSA-2015-2154.html