MIT Kerberos 5 requires_preauth Bypass Vulnerability (CVE-2015-2694)
Release date:
Updated on:
Affected Systems:
MIT Kerberos 5 <1.13.2
MIT Kerberos 5 1.12.x
Description:
CVE (CAN) ID: CVE-2015-2694
Kerberos is a widely used network authentication protocol that uses strong cryptography to authenticate clients and servers to each other.
In MIT Kerberos 5 1.12.x and in versions earlier than 1.13.2, the kdcpreauth module does not correctly track whether the client request has been verified. By supplying zero bytes of data or an arbitrary realm name, a remote attacker can bypass the preauthentication requirement.
<* Source: vendor
*>
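The state-tracking flaw described above, shown as an added illustration that is not krb5 source code and is not taken from the vendor patch: a simplified C model in which a verify callback reports success on empty input or an unrecognized realm, next to a form that fails closed. All names and values (pa_request, verify_weak, verify_strict, kdc_allows, EXAMPLE.TEST, GOOD) are hypothetical.

```c
/* Simplified model of a preauth verify step. NOT krb5 source; every name
 * and value here is hypothetical or constructed for illustration. */
#include <stddef.h>
#include <string.h>

struct pa_request {
    const char *realm;          /* realm named in the client request */
    const unsigned char *data;  /* preauth data supplied by the client */
    size_t len;                 /* length of data; 0 means empty */
    int validated;              /* should be 1 only after a real check */
};

static const char *CONFIGURED_REALM = "EXAMPLE.TEST"; /* constructed */
static const unsigned char GOOD[] = { 0x4f, 0x4b };   /* stand-in for a valid proof */

static int proof_ok(const struct pa_request *r)
{
    return r->len == sizeof(GOOD) && memcmp(r->data, GOOD, sizeof(GOOD)) == 0;
}

/* Weak: state is marked up front and "nothing to check" paths return 0. */
int verify_weak(struct pa_request *r)
{
    r->validated = 1;
    if (r->len == 0) return 0;                             /* empty input */
    if (strcmp(r->realm, CONFIGURED_REALM) != 0) return 0; /* unknown realm */
    return proof_ok(r) ? 0 : -1;
}

/* Hardened: every early exit fails; state is marked after the check passes. */
int verify_strict(struct pa_request *r)
{
    r->validated = 0;
    if (r->len == 0) return -1;
    if (strcmp(r->realm, CONFIGURED_REALM) != 0) return -1;
    if (!proof_ok(r)) return -1;
    r->validated = 1;
    return 0;
}

/* Decision for a principal that requires preauth: 1 = request accepted. */
int kdc_allows(int (*verify)(struct pa_request *), struct pa_request *r)
{
    return verify(r) == 0 && r->validated;
}
```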
Suggestion:
Vendor patch:
MIT
---
The vendor has released a patch to fix this security problem. Please download it from the vendor's homepage:
https://github.com/krb5/krb5/commit/e3b5a5e5267818c97750b266df50b6a3d4649604
http://krbdev.mit.edu/rt/Ticket/Display.html?id=8160