Описание
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it's providing from tempering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user.
Отчет
As a prerequisite to be vulnerable, a Key Distribution Center (KDC) must be able to accept delegation via the Service for User (S4U) extensions.
Version of MIT Kerberos KDC in Red Hat Enterprise Linux (provided by the krb5-server package) only allows use of the S4U extensions when configured with an LDAP backend. Furthermore, delegations are denied by default and delegation rules must be explicitly created by an administrator, between a given service principal and its targets. Such a rule would entitle that service to use delegation to the targets. This means that, in order to exploit the flaw, an attacker would require either to trick an administrator into adding a rule for a malicious service principal, or have the knowledge of an entitled principal's secret key. The victim principals would be limited to the ones allowed by the rules for that service.
This CVE only affects systems supporting constrained delegation as defined by MS-SFU. Vanilla MIT krb5 realms do not support this protocol extension.
In Red Hat Enterprise Linux version 8 and older and Red Hat Gluster Storage, Samba as an Active Directory Domain Controller is not supported, and thus is not affected by this flaw.
RHEL Identity Management (RHEL IdM) implements constrained delegation feature using Active Directory's Kerberos extensions called Service for User (S4U). The constrained delegation implementation may potentially be vulnerable if an attacker is capable to create constrained delegation rules. In RHEL IdM only administrators allowed to add constrained delegation rules and only one such rule exists by default for HTTP/.. principal on IdM server. Security of IdM server is the key to safety of the whole RHEL IdM deployment. If an attacker is able to impersonate the HTTP/.. service principal on IdM server, they would be able to overtake the whole deployment even without a Kerberos protocol vulnerability described by CVE-2020-17049. However, if an attacker cannot control any service with pre-existing constrained delegation rules and cannot force creation of the constrained delegation rules for other Kerberos services, they cannot utilize CVE-2020-17049 vulnerability against RHEL IdM.
Within regulated environments, a combination of the following controls acts as a significant barrier to the successful exploitation of a CWE-345: Insufficient Verification of Data Authenticity vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.
Red Hat restricts access to all information contained within the platform by default. Access to the platform is granted only after successful hard token, multi-factor authentication (MFA), which is coupled with least privilege principles to ensure that only authorized roles and users can execute or manipulate code. Event logs are collected and processed for centralization, correlation, analysis, monitoring, reporting, alerting, and retention. This process ensures that audit logs are generated for specific events involving sensitive information, ensuring that mechanisms such as digital signatures or certificates verify the authenticity and origin of data. External infrastructure and internal cluster certificates are established and maintained within the secure environment. The platform enforces validated cryptographic modules across all compute resources, helping prevent unauthorized actors from accessing or interpreting exposed information, even if it is intercepted.
Меры по смягчению последствий
In Red Hat Identity Management (IdM), the list of existing rules for service principals delegation can be obtained with the following commands : $ ipa servicedelegationrule-find $ ipa servicedelegationtarget-find The services allowed to delegate must all be trusted. By default, only HTTP/@, corresponding to IdM's Web UI, is allowed to delegate.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| Red Hat Enterprise Linux 7 | krb5 | Will not fix | ||
| Red Hat Enterprise Linux 7 | samba | Not affected | ||
| Red Hat Enterprise Linux 8 | krb5 | Not affected | ||
| Red Hat Enterprise Linux 8 | samba | Not affected | ||
| Red Hat Enterprise Linux 9 | samba | Not affected | ||
| Red Hat JBoss Core Services | krb5 | Not affected | ||
| Red Hat JBoss Enterprise Application Platform 6 | krb5 | Not affected | ||
| Red Hat Storage 3 | samba | Not affected | ||
| Red Hat Enterprise Linux 8 | idm | Fixed | RHSA-2024:0143 | 10.01.2024 |
| Red Hat Enterprise Linux 8.6 Extended Update Support | idm | Fixed | RHSA-2024:0139 | 10.01.2024 |
Показывать по
Дополнительная информация
Статус:
7.2 High
CVSS3
Связанные уязвимости
A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD). To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it. The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.
ELSA-2023-2570: krb5 security, bug fix, and enhancement update (MODERATE)
Уязвимость компонента Kerberos KDC операционных систем Windows, позволяющая нарушителю обойти существующие ограничения безопасности и получить несанкционированный доступ к приложению
7.2 High
CVSS3