ID DEBIAN:DLA-265-2:EB3E4 Type debian Reporter Debian Modified 2015-08-26T16:39:35
Description
Package : pykerberos
Version : 1.1+svn4895-1+deb6u2
CVE ID : CVE-2015-3206
It was discovered that the original fix did not disable KDC
verification support by default and changed checkPassword()'s
signature. This update corrects this.
This was the text of the original advisory:
Martin Prpic has reported the possibility of a man-in-the-middle attack
in the pykerberos code to the Red Hat Bugzilla (Fedora bug tracker). The
original issue has earlier been reported upstream [1]. We are quoting the
upstream bug report partially below:
The python-kerberos checkPassword() method has been badly insecure in
previous releases. It used to do (and still does by default) a kinit
(AS-REQ) to ask a KDC for a TGT for the given user principal, and
interprets the success or failure of that as indicating whether the
password is correct. It does not, however, verify that it actually spoke
to a trusted KDC: an attacker may simply reply instead with an AS-REP
which matches the password he just gave you.
Imagine you were verifying a password using LDAP authentication rather
than Kerberos: you would, of course, use TLS in conjunction with LDAP to
make sure you were talking to a real, trusted LDAP server. The same
requirement applies here. kinit is not a password-verification service.
The usual way of doing this is to take the TGT you've obtained with the
user's password, and then obtain a ticket for a principal for which the
verifier has keys (e.g. a web server processing a username/password form
login might get a ticket for its own HTTP/host@REALM principal), which
it can then verify. Note that this requires that the verifier has its
own Kerberos identity, which is mandated by the symmetric nature of
Kerberos (whereas in the LDAP case, the use of public-key cryptography
allows anonymous verification).
With this version of the pykerberos package a new option is introduced
for the checkPassword() method. Setting verify to True when using
checkPassword() will perform a KDC verification. For this to work, you
need to provide a krb5.keytab file containing service principal keys for
the service you intend to use.
As the default krb5.keytab file in /etc is normally not accessible by
non-root users/processes, you have to make sure a custom krb5.keytab
file containing the correct principal keys is provided to your
application using the KRB5_KTNAME environment variable.
Note: In Debian squeeze(-lts), KDC verification support is disabled by
default in order not to break existing setups.
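The following Python model is an added illustration and is not code from the advisory or from pykerberos. It reduces the advisory's argument to a runnable toy: Kerberos encryption is stood in for by an HMAC tag under a symmetric key, the realm (alice, the HTTP/www.example.com service, the keytab contents) is constructed for the example, and no real wire format is used. check_password_unverified() mirrors what checkPassword() did by default (treat a successful AS exchange as proof of the password), while check_password_verified() adds the step the advisory describes: fetch a ticket for the verifier's own service principal and check it against the key from the keytab. The rogue KDC class models the reporter's scenario, in which the party submitting the password also answers the AS-REQ.

```python
import hashlib
import hmac
import json
import os

# Toy model, constructed for this example. A "sealed" message is a JSON
# payload plus an HMAC tag under a symmetric key; opening it succeeds only
# with the same key. This stands in for the symmetric encryption Kerberos
# applies to the AS-REP, the TGT and the service ticket.

def derive_key(secret: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function.
    return hashlib.sha256(secret.encode()).digest()

def seal(key: bytes, payload: dict) -> dict:
    body = json.dumps(payload, sort_keys=True)
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}

def open_sealed(key: bytes, sealed: dict) -> dict:
    expected = hmac.new(key, sealed["body"].encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sealed["tag"]):
        raise ValueError("message not sealed under this key")
    return json.loads(sealed["body"])

class RealKDC:
    """Holds the long-term keys of every principal in the realm."""
    def __init__(self, user_keys: dict, service_keys: dict):
        self.user_keys = user_keys
        self.service_keys = service_keys
        self.tgs_key = os.urandom(32)

    def as_exchange(self, principal: str) -> dict:
        # AS-REQ/AS-REP: session key returned under the user's key, TGT under the TGS key.
        if principal not in self.user_keys:
            raise KeyError(principal)
        session = os.urandom(16).hex()
        tgt = seal(self.tgs_key, {"principal": principal, "session": session})
        return seal(self.user_keys[principal], {"session": session, "tgt": tgt})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        # TGS-REQ/TGS-REP: service ticket sealed under the service's own key.
        claims = open_sealed(self.tgs_key, tgt)
        return seal(self.service_keys[service],
                    {"principal": claims["principal"], "service": service})

class RogueKDC:
    """The advisory's man-in-the-middle: whoever typed the password into the
    form also answers the AS-REQ, so the AS-REP matches that password.
    It holds none of the realm's service keys."""
    def __init__(self, chosen_password: str):
        self.key = derive_key(chosen_password)

    def as_exchange(self, principal: str) -> dict:
        fake_tgt = seal(os.urandom(32), {"principal": principal})
        return seal(self.key, {"session": "0", "tgt": fake_tgt})

    def tgs_exchange(self, tgt: dict, service: str) -> dict:
        # Cannot seal under the real service key; uses a random one instead.
        return seal(os.urandom(32), {"principal": "anyone", "service": service})

def check_password_unverified(kdc, principal: str, password: str) -> bool:
    # Default checkPassword() behaviour: a successful AS exchange is taken as proof.
    try:
        open_sealed(derive_key(password), kdc.as_exchange(principal))
        return True
    except (ValueError, KeyError):
        return False

def check_password_verified(kdc, principal: str, password: str,
                            service: str, keytab: dict) -> bool:
    # The fix: use the TGT to obtain a ticket for our own service principal and
    # open it with the key from our keytab. Only a KDC holding that key can pass.
    try:
        as_rep = open_sealed(derive_key(password), kdc.as_exchange(principal))
        ticket = open_sealed(keytab[service], kdc.tgs_exchange(as_rep["tgt"], service))
        return ticket["principal"] == principal and ticket["service"] == service
    except (ValueError, KeyError):
        return False

def demo() -> dict:
    # Constructed sample realm: one user, one service, a keytab holding the service key.
    user = "alice@EXAMPLE.COM"
    service = "HTTP/www.example.com@EXAMPLE.COM"
    keytab = {service: os.urandom(32)}  # what KRB5_KTNAME would point the application at
    real = RealKDC({user: derive_key("correct horse")}, dict(keytab))
    rogue = RogueKDC("anything")
    return {
        "real_ok_unverified": check_password_unverified(real, user, "correct horse"),
        "real_ok_verified": check_password_verified(real, user, "correct horse", service, keytab),
        "real_bad_verified": check_password_verified(real, user, "wrong", service, keytab),
        "rogue_unverified": check_password_unverified(rogue, user, "anything"),
        "rogue_verified": check_password_verified(rogue, user, "anything", service, keytab),
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Running demo() shows the asymmetry the advisory relies on: the unverified check accepts the rogue KDC's reply, while the verified check rejects it because the ticket is not sealed under the key in the keytab. With the real package the same requirement holds: the application needs a keytab it can read (the advisory's KRB5_KTNAME guidance) and must enable verification; the advisory does not spell out the exact argument form in the Debian package, so consult the installed version's checkPassword() docstring rather than assuming one.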
[1] https://www.calendarserver.org/ticket/833
Metadata
CVSS v2 : 6.8 (AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS v3 : 8.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), CWE-287
Published : 2015-08-26T16:39:35
Source : https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201508/msg00015.html
Affected package : pykerberos on Debian 6 (all architectures), versions earlier than 1.1+svn4895-1+deb6u2

Related records
CVE-2015-3206 (NVD, published 2017-08-25, modified 2018-12-20): The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack. https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-3206
DLA-265-1 (2015-07-03): the original pykerberos security update, version 1.1+svn4895-1+deb6u1, with the same advisory text, signed by Mike Gabriel (sunweaver@debian.org). https://lists.debian.org/debian-lts-announce/2015/debian-lts-announce-201507/msg00003.html
Nessus plugin 84507 (DEBIAN_DLA-265.NASL, "Debian DLA-265-2 : pykerberos regression update", Bugtraq ID 74760): local check that reports a Debian 6.0 host as affected when dpkg lists python-kerberos at a version earlier than 1.1+svn4895-1+deb6u2; solution given as "Upgrade the affected python-kerberos package". Further references: https://packages.debian.org/source/squeeze-lts/pykerberos and https://github.com/apple/ccs-pykerberos/issues/31. https://www.tenable.com/plugins/nessus/84507