CVE-2018-20217

CVSS v3 Base Score: 5.3

Published: 26/12/2018 Updated: 07/11/2023
CVSS v2 Base Score: 3.5 | Impact Score: 2.9 | Exploitability Score: 6.8
CVSS v3 Base Score: 5.3 | Impact Score: 3.6 | Exploitability Score: 1.6
VMScore: 312
CVSS v2 Vector: AV:N/AC:M/Au:S/C:N/I:N/A:P

Vulnerability Summary

A reachable assertion exists in the KDC of MIT Kerberos 5 (krb5) before 1.17. An authenticated attacker who can obtain a krbtgt ticket encrypted with an older encryption type (single-DES, triple-DES or RC4) can crash the KDC, a denial of service, by sending an S4U2Self request. Upgrading to krb5 1.17 (or a distribution package carrying the fix) removes the assertion; the attack also requires the krbtgt principal to still hold a key of one of those legacy enctypes.
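The following is an added example, not code from Vulmon, the krb5 project or Debian. It checks a KDC host for the two preconditions the summary above names: a krb5 older than 1.17, and a krbtgt principal that still carries a single-DES, triple-DES or RC4 key (the assumption being that a TGT can only be issued under an enctype for which krbtgt holds a key). It assumes the output formats of `klist -V` ("Kerberos 5 version 1.16.1") and of `kadmin.local -q "getprinc krbtgt/REALM"` ("Key: vno 2, des3-cbc-sha1"); the sample outputs embedded in the script are constructed for this example, not captured from a real system.

```python
# Added example (not part of the Vulmon page or the krb5 project): check a KDC
# for the two preconditions of CVE-2018-20217, assuming you can run
# `klist -V` and `kadmin.local -q "getprinc krbtgt/REALM"` on the KDC host.
# The outputs embedded below are constructed for this example.
import re
from typing import Dict, List, Tuple

# Enctype names as kadmin prints them, for the three families the advisory
# names (single-DES, triple-DES, RC4). krb5 1.17 fixes the assertion itself.
LEGACY_ENCTYPES = {
    "des-cbc-crc", "des-cbc-md4", "des-cbc-md5", "des-cbc-raw", "des-hmac-sha1",
    "des3-cbc-raw", "des3-cbc-sha1",
    "arcfour-hmac", "arcfour-hmac-exp",
}

FIXED_IN = (1, 17, 0)

# `klist -V` prints a line of the form "Kerberos 5 version 1.16.1".
VERSION_RE = re.compile(r"version\s+(\d+)\.(\d+)(?:\.(\d+))?")

# `getprinc` prints one line per key: "Key: vno 2, des3-cbc-sha1", optionally
# followed by ":salttype" or ", salt" depending on the krb5 release.
KEY_RE = re.compile(r"^Key:\s+vno\s+(\d+),\s*([A-Za-z0-9-]+)")


def parse_version(klist_v_output: str) -> Tuple[int, int, int]:
    """Return the krb5 version as a comparable (major, minor, patch) tuple."""
    m = VERSION_RE.search(klist_v_output)
    if not m:
        raise ValueError("no krb5 version found in klist -V output")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def legacy_keys(getprinc_output: str) -> List[Tuple[int, str]]:
    """Return (vno, enctype) for every krbtgt key whose enctype is legacy."""
    found = []
    for line in getprinc_output.splitlines():
        m = KEY_RE.match(line.strip())
        if m and m.group(2) in LEGACY_ENCTYPES:
            found.append((int(m.group(1)), m.group(2)))
    return found


def assess(klist_v_output: str, getprinc_output: str) -> Dict[str, object]:
    """Combine both checks: the KDC is exposed only if it is unpatched AND
    krbtgt still has a legacy-enctype key a TGT could be issued under."""
    version = parse_version(klist_v_output)
    legacy = legacy_keys(getprinc_output)
    return {
        "kdc_version": version,
        "patched": version >= FIXED_IN,
        "legacy_krbtgt_keys": legacy,
        "exposed": version < FIXED_IN and bool(legacy),
    }


# Constructed sample outputs, not captured from a real system.
SAMPLE_KLIST_V = "Kerberos 5 version 1.16.1\n"
SAMPLE_GETPRINC = """\
Principal: krbtgt/EXAMPLE.COM@EXAMPLE.COM
Expiration date: [never]
Maximum ticket life: 0 days 10:00:00
Maximum renewable life: 7 days 00:00:00
Number of keys: 3
Key: vno 2, aes256-cts-hmac-sha1-96
Key: vno 2, des3-cbc-sha1
Key: vno 2, arcfour-hmac
MKey: vno 1
Attributes:
Policy: [none]
"""

if __name__ == "__main__":
    report = assess(SAMPLE_KLIST_V, SAMPLE_GETPRINC)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Treat the version check as a hint rather than a verdict: the page lists Debian 8.0 and 9.0 as affected, and distributions typically backport the fix without changing the upstream version number, so confirm against the package changelog. Dropping the legacy keys from krbtgt removes the precondition but invalidates outstanding TGTs and breaks clients that only support those enctypes; the fix in krb5 1.17 is the proper remedy.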


Vulnerable Products

MIT Kerberos 5 (krb5)

Debian Linux 8.0

Debian Linux 9.0

Vendor Advisories

Debian Bug report logs - #917387 krb5: CVE-2018-20217: Ignore password attributes for S4U2Self requests. Package: src:krb5; Maintainer for src:krb5 is Sam Hartman <hartmans@debian.org>; Reported by: Salvatore Bonaccorso <carnil@debian.org>; Date: Thu, 27 Dec 2018 07:42:01 UTC; Severity: normal; Tags: patch, security, ups ...
Several security issues were fixed in Kerberos ...
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request. (CVE-2018-20217) ...