Need suggestion/help in backporting the fix for vulnerability CVE-2017-7562 (backporting from Kerberos 1.16.1 to Kerberos 1.9)
Greg Hudson
ghudson at mit.edu
Fri Sep 21 11:12:29 EDT 2018
On 09/21/2018 10:37 AM, Shivakumar Nadarajan -X (shinadar - HCL TECHNOLOGIES LIMITED at Cisco) wrote:
> Thanks for your interest in this issue. But I am still not clear on how this vulnerability is not applicable to Kerberos 1.9.
> Because, as per the git link https://github.com/krb5/krb5/pull/694, it seems that this functionality is present in Kerberos 1.9 also.
The certauth pluggable interface was introduced in commit
b619ce84470519bea65470be3263cd85fba94f57 (February 2017). It replaced
some of the existing logic for validating client certificates with two
built-in modules. The first, "pkinit_san", checks the Subject
Alternative Name values in the client certificate against the requested
principal; the second, "pkinit_eku", checks the Extended Key Usage
values in the client certificate to see if it was issued for use with
PKINIT.
The vulnerability was that these two new modules were not always
returning the correct results to the pluggable interface accumulator.
The hardcoded logic used prior to commit
b619ce84470519bea65470be3263cd85fba94f57 did not have the same problem.
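The following is an added example, not krb5 source and not the code changed by commit b619ce84470519bea65470be3263cd85fba94f57 or the 1.16.1 fix. It models the shape of a pluggable certauth accumulator so the point above is concrete: the KDC's decision is only as good as the return codes the modules feed it. The module contract used here (0 authorizes, a distinct "no handle" value means no opinion, anything else rejects; any rejection wins, otherwise at least one module must have authorized) is stated as an assumption modelled on the certauth interface's documented convention. The certificate structure, principal strings and the `buggy_eku_module` variant are constructed for illustration; the defective module is hypothetical and does not reproduce the specific defect fixed in 1.16.1.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Assumed module contract (modelled on certauth, not copied from krb5):
 * CA_AUTHORIZE authorizes the principal, CA_NO_HANDLE means no opinion,
 * anything else rejects. */
enum { CA_AUTHORIZE = 0, CA_NO_HANDLE = 1, CA_REJECT = 2 };

/* Constructed stand-in for the parsed client certificate. */
#define MAX_ITEMS 4
struct cert {
    const char *sans[MAX_ITEMS];  /* principal-name SANs, as strings */
    size_t nsans;
    const char *ekus[MAX_ITEMS];  /* extended key usage OIDs, dotted form */
    size_t nekus;
};

/* id-pkinit-KPClientAuth (RFC 4556) */
#define PKINIT_CLIENT_EKU "1.3.6.1.5.2.3.4"

typedef int (*certauth_fn)(const struct cert *c, const char *princ);

/* SAN check in the spirit of pkinit_san: authorize only if a SAN names the
 * requested principal; otherwise no opinion, so another module may match. */
static int san_module(const struct cert *c, const char *princ)
{
    for (size_t i = 0; i < c->nsans; i++)
        if (strcmp(c->sans[i], princ) == 0)
            return CA_AUTHORIZE;
    return CA_NO_HANDLE;
}

static bool has_eku(const struct cert *c, const char *oid)
{
    for (size_t i = 0; i < c->nekus; i++)
        if (strcmp(c->ekus[i], oid) == 0)
            return true;
    return false;
}

/* EKU check in the spirit of pkinit_eku: it can only veto. A present EKU
 * says nothing about which principal the holder may be, so it must never
 * answer CA_AUTHORIZE. */
static int eku_module(const struct cert *c, const char *princ)
{
    (void)princ;
    return has_eku(c, PKINIT_CLIENT_EKU) ? CA_NO_HANDLE : CA_REJECT;
}

/* Hypothetical defective variant (NOT the actual krb5 bug): reports
 * "authorized" instead of "no opinion" when the EKU is present. */
static int buggy_eku_module(const struct cert *c, const char *princ)
{
    (void)princ;
    return has_eku(c, PKINIT_CLIENT_EKU) ? CA_AUTHORIZE : CA_REJECT;
}

/* The accumulator: any rejection wins; with no rejection, the request is
 * authorized only if at least one module authorized it. */
static int certauth_authorize(const certauth_fn *mods, size_t n,
                              const struct cert *c, const char *princ)
{
    bool authorized = false;
    for (size_t i = 0; i < n; i++) {
        int r = mods[i](c, princ);
        if (r == CA_AUTHORIZE)
            authorized = true;
        else if (r != CA_NO_HANDLE)
            return r;
    }
    return authorized ? CA_AUTHORIZE : CA_REJECT;
}

/* Constructed data: a cert issued to alice with the PKINIT client EKU,
 * and the same cert without the EKU. */
static const struct cert alice_cert = {
    { "alice@EXAMPLE.COM" }, 1, { PKINIT_CLIENT_EKU }, 1
};
static const struct cert alice_no_eku = {
    { "alice@EXAMPLE.COM" }, 1, { NULL }, 0
};

static const certauth_fn correct_modules[] = { san_module, eku_module };
static const certauth_fn buggy_modules[]   = { san_module, buggy_eku_module };
#define NMODS 2

/* Run the chosen module set; 0 means the KDC would accept the request. */
static int check(bool buggy, const struct cert *c, const char *princ)
{
    return certauth_authorize(buggy ? buggy_modules : correct_modules,
                              NMODS, c, princ);
}

int main(void)
{
    printf("correct, alice as alice: %d\n", check(false, &alice_cert, "alice@EXAMPLE.COM"));
    printf("correct, alice as bob:   %d\n", check(false, &alice_cert, "bob@EXAMPLE.COM"));
    printf("correct, no EKU:         %d\n", check(false, &alice_no_eku, "alice@EXAMPLE.COM"));
    printf("buggy,   alice as bob:   %d\n", check(true, &alice_cert, "bob@EXAMPLE.COM"));
    return 0;
}
```

With the correct modules, alice's certificate authenticates only alice and a certificate lacking the PKINIT client EKU is refused. With the defective EKU module, the same certificate is accepted for bob as well, because the accumulator sees one "authorize" and no rejection. That is the class of problem the sentence above describes: the per-module checks may be right, yet a wrong return code to the accumulator collapses them into an impersonation path. The pre-b619ce84 hardcoded logic had no such accumulator to mislead, which is why the 1.9 code path is not affected in the same way.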