FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

krb5 -- requires_preauth bypass in PKINIT-enabled KDC

Affected packages
krb5 < 1.13.2
krb5-112 < 1.12.3_2


VuXML ID 406636fe-055d-11e5-aab1-d050996490d0
Discovery 2015-05-25
Entry 2015-05-28

MIT reports:

In MIT krb5 1.12 and later, when the KDC is configured with PKINIT support, an unauthenticated remote attacker can bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.


CVE Name CVE-2015-2694