
CVE-2020-17049

Description

It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it provides from tampering. A malicious, authenticated service principal that is allowed to delegate could use this flaw to impersonate a user whose tickets are marked non-forwardable, defeating the protection that the non-forwardable flag is meant to give such accounts.

#### Mitigation

In Red Hat Identity Management (IdM), the list of existing rules for service principal delegation can be obtained with the following commands:

$ ipa servicedelegationrule-find
$ ipa servicedelegationtarget-find

Every service allowed to delegate must be trusted, because any of them is in a position to exploit this flaw. By default, only HTTP/<IPA host>@<REALM>, corresponding to IdM's Web UI, is allowed to delegate.
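The check above is easy to automate: parse the output of `ipa servicedelegationrule-find` and flag every member principal that is not on an explicit allowlist of services you have decided are trusted to delegate. The script below is an added example, not Red Hat's own tooling; the rule listing it parses is a constructed sample laid out like the command's output (rule names other than the default `ipa-http-delegation`, the hostnames and the realm are assumptions), and the allowlist is something you define for your deployment. In production, replace the sample with the real command piped into the function.

```shell
#!/bin/sh
# Audit IdM service delegation rules against an allowlist of trusted
# delegating principals. Added example; the sample output below is
# constructed in the layout of `ipa servicedelegationrule-find`
# (names, hosts and realm are assumptions, not from a real deployment).

SAMPLE_RULES='-----------------------------------
2 service delegation rules matched
-----------------------------------
  Delegation name: ipa-http-delegation
  Allowed Target: ipa-ldap-delegation-targets, ipa-cifs-delegation-targets
  Member principals: HTTP/ipa.example.com@EXAMPLE.COM
  Delegation name: app-delegation
  Allowed Target: app-targets
  Member principals: HTTP/app.example.com@EXAMPLE.COM, nfs/stor.example.com@EXAMPLE.COM
----------------------------
Number of entries returned 2
----------------------------'

# Principals you have reviewed and trust to delegate (assumed allowlist).
TRUSTED="HTTP/ipa.example.com@EXAMPLE.COM HTTP/app.example.com@EXAMPLE.COM"

# audit_delegation_rules ALLOWLIST
#   Reads `ipa servicedelegationrule-find` output on stdin.
#   Prints "<rule><TAB><principal>" for each member principal not in the
#   space-separated ALLOWLIST. Returns 1 if any were found, 0 otherwise.
audit_delegation_rules() {
    allow="$1"
    found=$(awk -v allow="$allow" '
        BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
        # Remember which rule we are inside.
        /^ *Delegation name:/ { sub(/^ *Delegation name: */, ""); rule = $0 }
        # Member principals is a comma-separated list; check each entry.
        /^ *Member principals:/ {
            sub(/^ *Member principals: */, "")
            m = split($0, p, /, */)
            for (i = 1; i <= m; i++) if (!(p[i] in ok)) print rule "\t" p[i]
        }')
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# Stand-alone run over the constructed sample. For a live check use:
#   ipa servicedelegationrule-find | audit_delegation_rules "$TRUSTED"
printf '%s\n' "$SAMPLE_RULES" | audit_delegation_rules "$TRUSTED" \
    || echo "untrusted principals are allowed to delegate: review them"
```

Any line the function prints is a service principal that can currently obtain delegated tickets and therefore could abuse this flaw; either remove it from the rule with `ipa servicedelegationrule-remove-member` or add it to the allowlist after reviewing who controls its keytab.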

