[SECURITY] [DLA 265-2] pykerberos regression update

To: debian-lts-announce@lists.debian.org
Subject: [SECURITY] [DLA 265-2] pykerberos regression update
From: Guido Günther <agx@debian.org>
Date: Wed, 26 Aug 2015 18:38:28 +0200
Message-id: <[🔎] 20150826163828.GA2473@bogon.m.sigxcpu.org>
Mail-followup-to: Guido Günther <agx@debian.org>, debian-lts-announce@lists.debian.org
Reply-to: debian-lts@lists.debian.org

Package        : pykerberos
Version        : 1.1+svn4895-1+deb6u2
CVE ID         : CVE-2015-3206

It was discovered that the original fix did not disable KDC
verification support by default and changed checkPassowrd()'s
signature. This update corrects this.

This was the text of the original advisiory:

Martin Prpic has reported the possibility of a man-in-the-middle attack
in the pykerberos code to the Red Hat Bugzilla (Fedora bug tracker). The
original issue has earlier been reported upstream [1]. We are quoting the
upstream bug reported partially below:

The python-kerberos checkPassword() method has been badly insecure in
previous releases. It used to do (and still does by default) a kinit
(AS-REQ) to ask a KDC for a TGT for the given user principal, and
interprets the success or failure of that as indicating whether the
password is correct. It does not, however, verify that it actually spoke
to a trusted KDC: an attacker may simply reply instead with an AS-REP
which matches the password he just gave you.

Imagine you were verifying a password using LDAP authentication rather
than Kerberos: you would, of course, use TLS in conjunction with LDAP to
make sure you were talking to a real, trusted LDAP server. The same
requirement applies here. kinit is not a password-verification service.

The usual way of doing this is to take the TGT you've obtained with the
user's password, and then obtain a ticket for a principal for which the
verifier has keys (e.g. a web server processing a username/password form
login might get a ticket for its own HTTP/host@REALM principal), which
it can then verify. Note that this requires that the verifier has its
own Kerberos identity, which is mandated by the symmetric nature of
Kerberos (whereas in the LDAP case, the use of public-key cryptography
allows anonymous verification).

With this version of the pykerberos package a new option is introduced
for the checkPassword() method. Setting verify to True when using
checkPassword() will perform a KDC verification. For this to work, you
need to provide a krb5.keytab file containing service principal keys for
the service you intend to use.

As the default krb5.keytab file in /etc is normally not accessible by
non-root users/processes, you have to make sure a custom krb5.keytab
file containing the correct principal keys is provided to your
application using the KRB5_KTNAME environment variable.

Note: In Debian squeeze(-lts), KDC verification support is disabled by
default in order not to break existing setups.

[1] https://www.calendarserver.org/ticket/833

Attachment: signature.asc
Description: Digital signature

Reply to:

Prev by Date: [SECURITY] [DLA 300-1] ruby1.9.1 security update
Next by Date: [SECURITY] [DLA 301-1] python-django security update
Previous by thread: [SECURITY] [DLA 300-1] ruby1.9.1 security update
Next by thread: [SECURITY] [DLA 301-1] python-django security update
Index(es):
- Date
- Thread