CVE-2018-20217
Published: 26 December 2018
A Reachable Assertion issue was discovered in the KDC in MIT Kerberos 5 (aka krb5) before 1.17. If an attacker can obtain a krbtgt ticket using an older encryption type (single-DES, triple-DES, or RC4), the attacker can crash the KDC by making an S4U2Self request.
From the Ubuntu security team
It was discovered that Kerberos incorrectly handled certain S4U2Self requests. An attacker could possibly use this issue to cause a denial of service.
Priority
Medium
CVSS 3 base score: 5.3
Status
| Package | Release | Status |
|---|---|---|
|
krb5 Launchpad, Ubuntu, Debian |
Upstream |
Released
(1.17)
|
| Ubuntu 21.04 (Hirsute Hippo) |
Not vulnerable
(1.17-10)
|
|
| Ubuntu 20.10 (Groovy Gorilla) |
Not vulnerable
(1.17-10)
|
|
| Ubuntu 20.04 LTS (Focal Fossa) |
Not vulnerable
(1.17-6ubuntu4)
|
|
| Ubuntu 18.04 LTS (Bionic Beaver) |
Needed
|
|
| Ubuntu 16.04 ESM (Xenial Xerus) |
Needed
|
|
| Ubuntu 14.04 ESM (Trusty Tahr) |
Needed
|
|
|
Patches: Upstream: https://github.com/krb5/krb5/commit/5e6d1796106df8ba6bc1973ee0917c170d929086 |
||
| Binaries built from this source package are in Universe and so are supported by the community. | ||