Published: 26 December 2018
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
From the Ubuntu security team
It was discovered that Kerberos incorrectly handled certain S4U2Self requests. An attacker could possibly use this issue to cause a denial of service.
CVSS 3 base score: 5.3
Launchpad, Ubuntu, Debian
|Ubuntu 20.10 (Groovy Gorilla)||
|Ubuntu 20.04 LTS (Focal Fossa)||
|Ubuntu 18.04 LTS (Bionic Beaver)||
|Ubuntu 16.04 LTS (Xenial Xerus)||
|Ubuntu 14.04 ESM (Trusty Tahr)||
|Binaries built from this source package are in Universe and so are supported by the community.|