Microsoft PKINIT smart card logon vulnerable to information disclosure and spoofing

2005-11-09T00:00:00
ID VU:477341
Type cert
Reporter CERT
Modified 2005-11-09T15:43:00

Description

Overview

Microsoft PKINIT smart card authentication is vulnerable to an information disclosure flaw that may allow an attacker to spoof a trusted server.

Description

From the Microsoft PKINIT description:

PKINIT is an Internet Engineering Task Force (IETF) Internet Draft for "Public Key Cryptography for Initial Authentication in Kerberos." Windows 2000 and later uses draft 9 of the IETF "Public Key Cryptography for Initial Authentication in Kerberos" Internet Draft. Windows uses this protocol when you use a smart card for interactive logon. IETF Internet Drafts are available at the following IETF Web site.
When PKINIT smart card authentication is used, an attacker may be able to inject themselves into an authentication session between a user and a domain controller and exploit this flaw. After exploiting the flaw, the attacker may spoof the application server to a target client. This flaw is due to a weakness in the older PKINIT protocol design specification that is implemented.

Both the attacker and the target user must have their accounts enabled for smart card authentication. The attacker must already have valid logon credentials in order to successfully exploit the flaw.

Impact

A remote, authenticated attacker that is able to intercept an authentication session between a user and domain controller may be able to gain confidential information and spoof a trusted application server to a targeted user.


Solution

Apply An Update
Please see Microsoft Security Bulletin MS05-042 for information on fixes, updates, and workarounds.


Vendor Information

477341

Filter by status: All Affected Not Affected Unknown

Filter by content: __ Vendor has issued information

__ Sort by: Status Alphabetical

Expand all

Affected Unknown __ Unaffected

Javascript is disabled. Click here to view vendors.

__ Microsoft Corporation

Updated: August 09, 2005

Status

__ Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see Microsoft Security Bulletin MS05-042 for information on fixes, updates, and workarounds.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

Apple Computer, Inc.

Notified: October 17, 2005 Updated: November 09, 2005

Status

__ Not Vulnerable

Vendor Statement

Mac OS X and Mac OS X Server are not affected by this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

__ Heimdal Kerberos Project

Notified: October 17, 2005 Updated: November 09, 2005

Status

__ Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Released Heimdal code is not affected by this protocol flaw, although some unreleased code may be vulnerable if some modes of operation are used to talk to a Microsoft DC using PKINIT. All released Heimdal code uses a non-vulnerable protocol implementation.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ KTH Kerberos Team

Notified: October 17, 2005 Updated: November 09, 2005

Status

__ Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

KTH-KRB is not affected as it is a Kerberos 4 implementation.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

__ MIT Kerberos Development Team

Notified: October 17, 2005 Updated: November 09, 2005

Status

__ Not Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The MIT Kerberos team has indicated that PKINIT does not ship with MIT Kerberos and that as such the software is not vulnerable.

If you have feedback, comments, or additional information about this vulnerability, please send us email.

CVSS Metrics

Group | Score | Vector
---|---|---
Base | N/A | N/A
Temporal | N/A | N/A
Environmental | | N/A

References

  • <http://www.microsoft.com/technet/security/bulletin/MS05-042.mspx>
  • <http://secunia.com/advisories/16368/>

Acknowledgements

Thanks to Microsoft for reporting this vulnerability, who in turn thank Andre Scedrov and his team; Iliano Cervesato, Aaron Jaggard , Joe-Kai Tsay , and Chris Walstad

This document was written by Ken MacInnis.

Other Information

CVE IDs: | CVE-2005-1982
---|---
Severity Metric:** | 4.56
Date Public:
| 2005-08-09
Date First Published: | 2005-11-09
Date Last Updated: | 2005-11-09 15:43 UTC
Document Revision: | 11