{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2020-17049", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "assignerShortName": "microsoft", "dateUpdated": "2024-09-10T15:51:56.659Z", "dateReserved": "2020-08-04T00:00:00", "datePublished": "2020-11-11T00:00:00"}, "containers": {"cna": {"title": "Kerberos KDC Security Feature Bypass Vulnerability", "datePublic": "2020-11-10T08:00:00+00:00", "affected": [{"vendor": "Microsoft", "product": "Windows Server 2019", "cpes": ["cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2061:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.17763.2061", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2019 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2061:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.17763.2061", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server, version 1909 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_1909:*:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "publication", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server, version 1903 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_1903:*:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "publication", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server version 2004", "cpes": ["cpe:2.3:o:microsoft:windows_server_2004:10.0.19041.1110:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.19041.1110", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2016", "cpes": ["cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4530:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.14393.4530", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2016 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4530:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.14393.4530", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 Service Pack 2", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21167:*:*:*:*:*:x64:*"], "platforms": ["32-bit Systems"], "versions": [{"version": "6.0.0", "lessThan": "6.0.6003.21167", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 Service Pack 2 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21167:*:*:*:*:*:x64:*", "cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21167:*:*:*:*:*:x86:*"], "platforms": ["32-bit Systems", "x64-based Systems"], "versions": [{"version": "6.0.0", "lessThan": "6.0.6003.21167", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 Service Pack 2", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_sp2:6.0.6003.21167:*:*:*:*:*:x86:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.0.0", "lessThan": "6.0.6003.21167", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 R2 Service Pack 1", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25661:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.1.0", "lessThan": "6.1.7601.25661", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2008 R2 Service Pack 1 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2008_R2:6.1.7601.25661:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.0.0", "lessThan": "6.1.7601.25661", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2012", "cpes": ["cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23409:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.2.0", "lessThan": "6.2.9200.23409", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2012 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2012:6.2.9200.23409:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.2.0", "lessThan": "6.2.9200.23409", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2012 R2", "cpes": ["cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20069:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.3.0", "lessThan": "6.3.9600.20069", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server 2012 R2 (Server Core installation)", "cpes": ["cpe:2.3:o:microsoft:windows_server_2012_R2:6.3.9600.20069:*:*:*:*:*:x64:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "6.3.0", "lessThan": "6.3.9600.20069", "versionType": "custom", "status": "affected"}]}, {"vendor": "Microsoft", "product": "Windows Server version 20H2", "cpes": ["cpe:2.3:o:microsoft:windows_server_20H2:10.0.19041.1110:*:*:*:*:*:*:*"], "platforms": ["x64-based Systems"], "versions": [{"version": "10.0.0", "lessThan": "10.0.19041.1110", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).\nTo exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.\nThe update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "Security Feature Bypass", "lang": "en-US", "type": "Impact"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2024-09-10T15:51:56.659Z"}, "references": [{"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17049"}, {"name": "[oss-security] 20211110 Fwd: Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download", "tags": ["mailing-list"], "url": "http://www.openwall.com/lists/oss-security/2021/11/10/3"}, {"name": "GLSA-202309-06", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202309-06"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "MEDIUM", "baseScore": 6.6, "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-04T13:45:34.908Z"}, "title": "CVE Program Container", "references": [{"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17049", "tags": ["x_transferred"]}, {"name": "[oss-security] 20211110 Fwd: Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download", "tags": ["mailing-list", "x_transferred"], "url": "http://www.openwall.com/lists/oss-security/2021/11/10/3"}, {"name": "GLSA-202309-06", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202309-06"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*", "matchCriteriaId": "80EB5690-B20F-457A-A202-FBADAA17E05C", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*", "matchCriteriaId": "DB18C4CE-5917-401E-ACF7-2747084FD36E", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*", "matchCriteriaId": "041FF8BA-0B12-4A1F-B4BF-9C4F33B7C1E7", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*", "matchCriteriaId": "4A190388-AA82-4504-9D5A-624F23268C9F", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*", "matchCriteriaId": "5B921FDB-8E7D-427E-82BE-4432585080CF", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*", "matchCriteriaId": "C253A63F-03AB-41CB-A03A-B2674DEA98AA", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*", "matchCriteriaId": "0B60D940-80C7-49F0-8F4E-3F99AC15FA82", "vulnerable": true}, {"criteria": "cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*", "matchCriteriaId": "DB79EE26-FC32-417D-A49C-A1A63165A968", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "68372C1C-E091-434C-A853-8C61A92BFCDE", "versionEndExcluding": "4.13.13", "versionStartIncluding": "4.1.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "F7D7145C-64C2-40D6-90CD-EA21B84AB559", "versionEndExcluding": "4.14.9", "versionStartIncluding": "4.14.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "2688DF19-E259-4E99-B50C-DAA9318D484B", "versionEndExcluding": "4.15.1", "versionStartIncluding": "4.15.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).\nTo exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.\nThe update addresses this vulnerability by changing how the KDC validates service tickets used with KCD."}, {"lang": "es", "value": "Vulnerabilidad de Omisi\u00f3n de la Caracter\u00edstica de Seguridad de Kerberos"}], "id": "CVE-2020-17049", "lastModified": "2024-09-10T16:15:06.657", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "HIGH", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "COMPLETE", "baseScore": 9.0, "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 10.0, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.7, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Secondary"}]}, "published": "2020-11-11T07:15:16.543", "references": [{"source": "secure@microsoft.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2021/11/10/3"}, {"source": "secure@microsoft.com", "tags": ["Patch", "Vendor Advisory"], "url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17049"}, {"source": "secure@microsoft.com", "url": "https://security.gentoo.org/glsa/202309-06"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-863"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0143", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "idm:DL1-8090020231201152514.3387e3d0", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0139", "cpe": "cpe:/a:redhat:rhel_eus:8.6", "package": "idm:DL1-8060020231208020207.ada582f1", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2024:0252", "cpe": "cpe:/o:redhat:rhel_eus:8.6", "package": "krb5-0:1.18.2-16.el8_6", "product_name": "Red Hat Enterprise Linux 8.6 Extended Update Support", "release_date": "2024-01-15T00:00:00Z"}, {"advisory": "RHSA-2024:0137", "cpe": "cpe:/a:redhat:rhel_eus:8.8", "package": "idm:DL1-8080020231201153604.b0a6ceea", "product_name": "Red Hat Enterprise Linux 8.8 Extended Update Support", "release_date": "2024-01-10T00:00:00Z"}, {"advisory": "RHSA-2023:2570", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "krb5-0:1.20.1-8.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}, {"advisory": "RHSA-2023:2570", "cpe": "cpe:/o:redhat:enterprise_linux:9", "package": "krb5-0:1.20.1-8.el9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2023-05-09T00:00:00Z"}], "bugzilla": {"description": "Kerberos: delegation constrain bypass in S4U2Proxy", "id": "2025721", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2025721"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.2", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "status": "verified"}, "cwe": "CWE-345", "details": ["A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).\nTo exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.\nThe update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.", "It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it's providing from tempering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user."], "mitigation": {"lang": "en:us", "value": "In Red Hat Identity Management (IdM), the list of existing rules for service principals delegation can be obtained with the following commands :\n$ ipa servicedelegationrule-find\n$ ipa servicedelegationtarget-find\nThe services allowed to delegate must all be trusted.\nBy default, only HTTP/<IPA host>@<REALM>, corresponding to IdM's Web UI, is allowed to delegate."}, "name": "CVE-2020-17049", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Will not fix", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Affected", "package_name": "krb5", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:jboss_core_services:1", "fix_state": "Not affected", "package_name": "krb5", "product_name": "Red Hat JBoss Core Services"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:6", "fix_state": "Not affected", "package_name": "krb5", "product_name": "Red Hat JBoss Enterprise Application Platform 6"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Storage 3"}], "public_date": "2020-11-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2020-17049\nhttps://nvd.nist.gov/vuln/detail/CVE-2020-17049\nhttps://msrc.microsoft.com/update-guide/vulnerability/CVE-2020-17049"], "statement": "As a prerequisite to be vulnerable, a Key Distribution Center (KDC) must be able to accept delegation via the `Service for User` (S4U) extensions.\nVersion of MIT Kerberos KDC in Red Hat Enterprise Linux (provided by the krb5-server package) only allows use of the S4U extensions when configured with an LDAP backend. Furthermore, delegations are denied by default and delegation rules must be explicitly created by an administrator, between a given service principal and its targets. Such a rule would entitle that service to use delegation to the targets. This means that, in order to exploit the flaw, an attacker would require either to trick an administrator into adding a rule for a malicious service principal, or have the knowledge of an entitled principal's secret key. The victim principals would be limited to the ones allowed by the rules for that service.\nIn Red Hat Enterprise Linux version 8 and older and Red Hat Gluster Storage, Samba as an Active Directory Domain Controller is not supported, and thus is not affected by this flaw.\nRHEL Identity Management (RHEL IdM) implements constrained delegation feature using Active Directory's Kerberos extensions called Service for User (S4U). The constrained delegation implementation may potentially be vulnerable if an attacker is capable to create constrained delegation rules. In RHEL IdM only administrators allowed to add constrained delegation rules and only one such rule exists by default for HTTP/.. principal on IdM server. Security of IdM server is the key to safety of the whole RHEL IdM deployment. If an attacker is able to impersonate the HTTP/.. service principal on IdM server, they would be able to overtake the whole deployment even without a Kerberos protocol vulnerability described by CVE-2020-17049. However, if an attacker cannot control any service with pre-existing constrained delegation rules and cannot force creation of the constrained delegation rules for other Kerberos services, they cannot utilize CVE-2020-17049 vulnerability against RHEL IdM.", "threat_severity": "Moderate"}