Debian DLA-265-2 : pykerberos regression update

high Nessus Plugin ID 84507

Synopsis

The remote Debian host is missing a security update.

Description

It was discovered that the original fix did not disable KDC verification support by default and changed checkPassowrd()'s signature. This update corrects this.

This was the text of the original advisiory :

Martin Prpic has reported the possibility of a man-in-the-middle attack in the pykerberos code to the Red Hat Bugzilla (Fedora bug tracker). The original issue has earlier been reported upstream [1].
We are quoting the upstream bug reported partially below :

The python-kerberos checkPassword() method has been badly insecure in previous releases. It used to do (and still does by default) a kinit (AS-REQ) to ask a KDC for a TGT for the given user principal, and interprets the success or failure of that as indicating whether the password is correct. It does not, however, verify that it actually spoke to a trusted KDC: an attacker may simply reply instead with an AS-REP which matches the password he just gave you.

Imagine you were verifying a password using LDAP authentication rather than Kerberos: you would, of course, use TLS in conjunction with LDAP to make sure you were talking to a real, trusted LDAP server. The same requirement applies here. kinit is not a password-verification service.

The usual way of doing this is to take the TGT you've obtained with the user's password, and then obtain a ticket for a principal for which the verifier has keys (e.g. a web server processing a username/password form login might get a ticket for its own HTTP/host@REALM principal), which it can then verify. Note that this requires that the verifier has its own Kerberos identity, which is mandated by the symmetric nature of Kerberos (whereas in the LDAP case, the use of public-key cryptography allows anonymous verification).

With this version of the pykerberos package a new option is introduced for the checkPassword() method. Setting verify to True when using checkPassword() will perform a KDC verification. For this to work, you need to provide a krb5.keytab file containing service principal keys for the service you intend to use.

As the default krb5.keytab file in /etc is normally not accessible by non-root users/processes, you have to make sure a custom krb5.keytab file containing the correct principal keys is provided to your application using the KRB5_KTNAME environment variable.

Note: In Debian squeeze(-lts), KDC verification support is disabled by default in order not to break existing setups.

[1] https://www.calendarserver.org/ticket/833

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Solution

Upgrade the affected python-kerberos package.

See Also

https://lists.debian.org/debian-lts-announce/2015/08/msg00015.html

https://packages.debian.org/source/squeeze-lts/pykerberos

https://github.com/apple/ccs-pykerberos/issues/31

Plugin Details

Severity: High

ID: 84507

File Name: debian_DLA-265.nasl

Version: 2.10

Type: local

Agent: unix

Published: 7/6/2015

Updated: 1/11/2021

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

Risk Information

VPR

Risk Factor: Medium

Score: 5.9

CVSS v2

Risk Factor: Medium

Base Score: 6.8

Temporal Score: 5

Vector: CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:debian:debian_linux:6.0, p-cpe:/a:debian:debian_linux:python-kerberos

Required KB Items: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

Exploit Ease: No known exploits are available

Patch Publication Date: 8/26/2015

Vulnerability Publication Date: 8/25/2017

Reference Information

CVE: CVE-2015-3206

BID: 74760