CVE-2020-17049

James Ralston ralston at pobox.com
Tue Nov 17 14:19:56 EST 2020 

On Mon, Nov 16, 2020 at 10:48 AM Luke Hebert <lhebert at cloudera.com> wrote:

> We've just started encountering problems at customer sites with
> Kerberos enabled clients as a result of how Microsoft appears to be
> approaching CVE-2020-17049
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
> details on this CVE are slim on Mitre and there is a small amount of
> additional information on the microsoft portal. I thought I'd ask
> the list what their thoughts are on what is being done here.
> Disabling service ticket and tgt renewability is not great and it
> obviously breaks long running processes that rely on renewability of
> these items.

I believe we are being bitten by this change as well. Here’s what we
see.

I perform an initial kinit, and request a renewable ticket:

$ kinit username at EXAMPLE.ORG
Password for username at EXAMPLE.ORG:

As klist shows, the ticket is renewable:

$ klist -f
Ticket cache: KCM:2000:78917
Default principal: username at EXAMPLE.ORG

Valid starting       Expires              Service principal
2020-11-13 13:15:57  2020-11-14 13:15:50  krbtgt/EXAMPLE.ORG at EXAMPLE.ORG
        renew until 2020-11-20 13:15:50, Flags: FRIA

Decoding the Flags field:

+------+------------------+
| flag | meaning          |
+------+------------------+
|  F   | Forwardable      |
|  R   | Renewable        |
|  I   | Initial          |
|  A   | preAuthenticated |
+------+------------------+

But attempting to renew this ticket throws an error:

$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

>From packet tracing, the TGS-REQ packet contains the following options:

kdc-options: 40800002
    .1.. .... = forwardable: True
    1... .... = renewable: True
    .... ..1. = renew: True

This is exactly what a renewal request should contain: a renew request
(renew: True) using a non-expired renewable ticket (renewable: True).

But the reply from the server is KRB-ERROR, and contains:

krb-error
    msg-type: krb-error (30)
    error-code: eRR-BADOPTION (13)

Curiously, we have multiple AD realms, and not all of them show this
problem, despite the fact that our Windows admins assert that all
realms received the Microsoft updates that contain the fix for
CVE-2020-17049.

I’ve asked our Windows admins to enumerate what the
PerformTicketSignature registry keys are set to for all of our DCs,
for all realms.

More information about the Kerberos mailing list