The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified impact by performing a man-in-the-middle attack.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate     with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified     impact by performing a man-in-the-middle attack. (CVE-2015-3206)

Note that Nessus relies on the presence of the package as reported by the vendor.

The version of FreeBSD installed on the remote host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the 2acdf364-9f8d-4aaf-8d1b-867fdfd771c6 advisory.

  - The checkPassword function in python-kerberos does not authenticate the KDC it attempts to communicate     with, which allows remote attackers to cause a denial of service (bad response), or have other unspecified     impact by performing a man-in-the-middle attack. (CVE-2015-3206)

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

It was discovered that the original fix did not disable KDC verification support by default and changed checkPassowrd()'s signature. This update corrects this.

This was the text of the original advisiory :

Martin Prpic has reported the possibility of a man-in-the-middle attack in the pykerberos code to the Red Hat Bugzilla (Fedora bug tracker). The original issue has earlier been reported upstream [1].
We are quoting the upstream bug reported partially below :

The python-kerberos checkPassword() method has been badly insecure in previous releases. It used to do (and still does by default) a kinit (AS-REQ) to ask a KDC for a TGT for the given user principal, and interprets the success or failure of that as indicating whether the password is correct. It does not, however, verify that it actually spoke to a trusted KDC: an attacker may simply reply instead with an AS-REP which matches the password he just gave you.

Imagine you were verifying a password using LDAP authentication rather than Kerberos: you would, of course, use TLS in conjunction with LDAP to make sure you were talking to a real, trusted LDAP server. The same requirement applies here. kinit is not a password-verification service.

The usual way of doing this is to take the TGT you've obtained with the user's password, and then obtain a ticket for a principal for which the verifier has keys (e.g. a web server processing a username/password form login might get a ticket for its own HTTP/host@REALM principal), which it can then verify. Note that this requires that the verifier has its own Kerberos identity, which is mandated by the symmetric nature of Kerberos (whereas in the LDAP case, the use of public-key cryptography allows anonymous verification).

With this version of the pykerberos package a new option is introduced for the checkPassword() method. Setting verify to True when using checkPassword() will perform a KDC verification. For this to work, you need to provide a krb5.keytab file containing service principal keys for the service you intend to use.

As the default krb5.keytab file in /etc is normally not accessible by non-root users/processes, you have to make sure a custom krb5.keytab file containing the correct principal keys is provided to your application using the KRB5_KTNAME environment variable.

Note: In Debian squeeze(-lts), KDC verification support is disabled by default in order not to break existing setups.

[1] https://www.calendarserver.org/ticket/833

NOTE: Tenable Network Security has extracted the preceding description block directly from the DLA security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

ID	Name	Product	Family	Severity
218886	Linux Distros Unpatched Vulnerability : CVE-2015-3206	Nessus	Misc.	high
174313	FreeBSD : py-kerberos -- DoS and MitM vulnerabilities (2acdf364-9f8d-4aaf-8d1b-867fdfd771c6)	Nessus	FreeBSD Local Security Checks	high
84507	Debian DLA-265-2 : pykerberos regression update	Nessus	Debian Local Security Checks	high

Detections

Analytics

CVE-2015-3206

critical

Tenable Plugins

high

high

high