CVE-2020-17049
Robbie Harwood
rharwood at redhat.com
Tue Nov 17 12:16:20 EST 2020
Luke Hebert <lhebert at cloudera.com> writes:
> Hi,
>
> We've just started encountering problems at customer sites with Kerberos
> enabled clients as a result of how Microsoft appears to be approaching
> CVE-2020-17049
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
> details on this CVE are slim on Mitre and there is a small amount of
> additional information on the microsoft portal. I thought I'd ask the list
> what their thoughts are on what is being done here. Disabling service
> ticket and tgt renewability is not great and it obviously breaks long
> running processes that rely on renewability of these items. I'm sure we
> could move to an alternate approach where we do not renew these items but
> rather obtain a new one but the changes are likely non-trivial across many
> different projects.
>
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
>
>>> *How does this patch affect third-party Kerberos clients?*
>
>>> When the registry key is set to 1, patched domain controllers will issue
> service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
> and will refuse to renew existing service tickets and TGTs. Windows clients
> are not impacted by this since they never renew service tickets or TGTs.
> Third-party Kerberos clients may fail to renew service tickets or TGTs
> acquired from unpatched DCs. If all DCs are patched with the registry set
> to 1, third-party clients will no longer receive renewable tickets.
You're correct that Microsoft has not released details on this issue.
They have indicated that some failures are a known issue, and claim to
be working on a fix:
https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-20h2#1522msgdesc
Thanks,
--Robbie
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 832 bytes
Desc: not available
Url : http://mailman.mit.edu/pipermail/kerberos/attachments/20201117/5a4c626d/attachment.bin
More information about the Kerberos
mailing list