Microsoft PKINIT smart card logon vulnerable to information disclosure and spoofing

2005-11-09T00:00:00
ID VU:477341
Type cert
Reporter CERT
Modified 2005-11-09T00:00:00

Description

Overview

Microsoft PKINIT smart card authentication is vulnerable to an information disclosure flaw that may allow an attacker to spoof a trusted server.

Description

From the Microsoft PKINIT description:

PKINIT is an Internet Engineering Task Force (IETF) Internet Draft for "Public Key Cryptography for Initial Authentication in Kerberos." Windows 2000 and later uses draft 9 of the IETF "Public Key Cryptography for Initial Authentication in Kerberos" Internet Draft. Windows uses this protocol when you use a smart card for interactive logon. IETF Internet Drafts are available at the following IETF Web site.

When PKINIT smart card authentication is used, an attacker may be able to inject themselves into an authentication session between a user and a domain controller and exploit this flaw. After exploiting the flaw, the attacker may spoof the application server to a target client. This flaw is due to a weakness in the older PKINIT protocol design specification that is implemented.

Both the attacker and the target user must have their accounts enabled for smart card authentication. The attacker must already have valid logon credentials in order to successfully exploit the flaw.


Impact

A remote, authenticated attacker that is able to intercept an authentication session between a user and domain controller may be able to gain confidential information and spoof a trusted application server to a targeted user.


Solution

Apply An Update
Please see Microsoft Security Bulletin MS05-042 for information on fixes, updates, and workarounds.


Systems Affected

Vendor| Status| Date Notified| Date Updated
---|---|---|---
Microsoft Corporation| | -| 09 Aug 2005
Apple Computer, Inc.| | 17 Oct 2005| 09 Nov 2005
Heimdal Kerberos Project| | 17 Oct 2005| 09 Nov 2005
KTH Kerberos Team| | 17 Oct 2005| 09 Nov 2005
MIT Kerberos Development Team| | 17 Oct 2005| 09 Nov 2005
If you are a vendor and your product is affected, let us know.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | N/A | N/A

References

  • <http://www.microsoft.com/technet/security/bulletin/MS05-042.mspx>
  • <http://secunia.com/advisories/16368/>

Credit

Thanks to Microsoft for reporting this vulnerability, who in turn thank Andre Scedrov and his team; Iliano Cervesato, Aaron Jaggard , Joe-Kai Tsay , and Chris Walstad.

This document was written by Ken MacInnis.

Other Information

  • CVE IDs: CAN-2005-1982
  • Date Public: 09 Aug 2005
  • Date First Published: 09 Nov 2005
  • Date Last Updated: 09 Nov 2005
  • Severity Metric: 4.56
  • Document Revision: 11