[38840] in Kerberos
Re: CVE-2020-17049
daemon@ATHENA.MIT.EDU (Robbie Harwood)
Tue Nov 17 12:19:29 2020
From: Robbie Harwood <rharwood@redhat.com>
To: Luke Hebert <lhebert@cloudera.com>, kerberos@mit.edu
In-Reply-To: <CAH-c_Ehqw+ajLy0yFaNSeAfj3He7RCAw3rgthkWyOJT8DGzVXw@mail.gmail.com>
Date: Tue, 17 Nov 2020 12:16:20 -0500
Message-ID: <jlgv9e3aopn.fsf@redhat.com>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="===============5632698433030640490=="
Errors-To: kerberos-bounces@mit.edu
--===============5632698433030640490==
Content-Type: multipart/signed; boundary="=-=-=";
micalg=pgp-sha512; protocol="application/pgp-signature"
--=-=-=
Content-Type: text/plain
Luke Hebert <lhebert@cloudera.com> writes:
> Hi,
>
> We've just started encountering problems at customer sites with Kerberos
> enabled clients as a result of how Microsoft appears to be approaching
> CVE-2020-17049
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
> details on this CVE are slim on Mitre and there is a small amount of
> additional information on the microsoft portal. I thought I'd ask the list
> what their thoughts are on what is being done here. Disabling service
> ticket and tgt renewability is not great and it obviously breaks long
> running processes that rely on renewability of these items. I'm sure we
> could move to an alternate approach where we do not renew these items but
> rather obtain a new one but the changes are likely non-trivial across many
> different projects.
>
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049
>
>>> *How does this patch affect third-party Kerberos clients?*
>
>>> When the registry key is set to 1, patched domain controllers will issue
> service tickets and Ticket-Granting Tickets (TGT)s that are not renewable
> and will refuse to renew existing service tickets and TGTs. Windows clients
> are not impacted by this since they never renew service tickets or TGTs.
> Third-party Kerberos clients may fail to renew service tickets or TGTs
> acquired from unpatched DCs. If all DCs are patched with the registry set
> to 1, third-party clients will no longer receive renewable tickets.
You're correct that Microsoft has not released details on this issue.
They have indicated that some failures are a known issue, and claim to
be working on a fix:
https://docs.microsoft.com/en-us/windows/release-information/status-windows-10-20h2#1522msgdesc
Thanks,
--Robbie
--=-=-=
Content-Type: application/pgp-signature; name="signature.asc"
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEA5qc6hnelQjDaHWqJTL5F2qVpEIFAl+0BWQACgkQJTL5F2qV
pEIxaQ//bME+ItF8IqCzFYSYg6Mv/tMnhDZ/JardO5pZNDorS61TXVE7GIoajJvm
njIxr1bduD5o9r8AuA+AIfM/rti/ByggLDnd+mZNaD7zHaXfhUeKgUnE/LJC4Ydv
WIh5QErnyM2EAk9PHMLCtoMe24HFtZcrT6dUA+ahCfS9pd5x8QF38TBpJ5cY/hko
E8a4kd4fbHM8N8iIxUygUUU2zZl7wXklufwYjoZmrt38i1RI4GDdHnXjfYJH+NXW
s8mIfQaJkgTBqs7HTiKB+2ZoWXhrLhRUCxAVwliOkgPfmI7fKvWvL0M2ZNCi2njE
Y1shC2fwu0WrMl2/oSVQ7XjKnq4G9GDZ4hvuawRNvg7KiuiKg5CNAaTia0nI8V+D
6mCGshfpHhxxX9xXemjTcG9XK27AmE5PTMPVlTuapushT4IkgUwYw7eAjUoPNpv5
28v1jcp07+A0kiFds/DSoe3N8Wr8G5TIodX/3EFwzux15Ytxxf7wdf9wRc5IeTih
S955hsUE1Y5jlYBNVzs+naVSvjLPFFFB/cJDwHuD1TdOglmieN2L2/kMgiN7LS0T
RIl0oaaQNyFzPgn+n07tEx+O4DDNFFynRcvMJ0Ji/7E5VXiKWEIcaHWRikawP3Le
W3M11YuhtxLAuGyJqIvG0NpxiY0pI1O7K8M+BITd8Bhg58eRIpM=
=mqyo
-----END PGP SIGNATURE-----
--=-=-=--
--===============5632698433030640490==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
--===============5632698433030640490==--
