beyondmachines1, to Cybersecurity
todb,

@beyondmachines1 @adminkirsty Okay, so I did, in fact, get out of bed to chase this business.

Read the patch, saw this delightful line:

+#define PAM_OPT_ALLOW_KDC_SPOOF "allow_kdc_spoof"

That's fun. Reminds me of netcat's GAPING_SECURITY_HOLE

Skimming Linux docs, it looks like pam_krb5 is deprecated anyway in favor of pam_sssd, and pam_sssd automatically creates a keytab file upon joining the domain -- looks non-optional.

Over in land, it looks like keytab is similarly required, but you can turn it off manually (according to the man page).

So with those two examples, my bet is that most domain members are okay by default. Broken is still broken, but you have to go out of your way to break it (and if you have that breaking power, you can do easier things anyway like just straight up su-ing as someone else).

The above is based purely on documentation, no testing.
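
An added example, not part of the post above or of the patch it quotes: a small audit helper that reports PAM rules where the pam_krb5 module is given the allow_kdc_spoof option. It assumes the option is passed as a module argument on the rule line (inferred from the PAM_OPT_ prefix in the quoted define); the function names and the sample configuration are constructed for illustration.

```python
import os

RISKY_OPT = "allow_kdc_spoof"   # option name from the quoted patch line
MODULE = "pam_krb5"

def logical_lines(text):
    """Yield (first_lineno, rule) with backslash continuations joined
    and '#' comments removed."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        if start is None:
            start = n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        line = (buf + raw).split("#", 1)[0].strip()
        if line:
            yield start, line
        buf, start = "", None

def find_kdc_spoof(text, has_service_column=False):
    """Return [(lineno, module)] for pam_krb5 rules carrying the option.
    has_service_column=True is for /etc/pam.conf style files, where each
    rule starts with a service name; files under /etc/pam.d/ omit it."""
    hits = []
    for lineno, line in logical_lines(text):
        fields = line.split()
        if has_service_column:
            fields = fields[1:]
        i = 1  # index of the control field, which may be "[a=b c=d]"
        if len(fields) > 1 and fields[1].startswith("["):
            while i < len(fields) and not fields[i].endswith("]"):
                i += 1
        if i + 1 >= len(fields):
            continue  # no module field on this line
        module, args = fields[i + 1], fields[i + 2:]
        name = os.path.basename(module).split(".")[0]
        if name == MODULE and RISKY_OPT in args:
            hits.append((lineno, module))
    return hits

# Constructed sample, not taken from any real host.
SAMPLE = """\
# constructed sample
auth  sufficient  pam_krb5.so  no_ccache try_first_pass
auth  [success=1 default=ignore]  /usr/lib/pam_krb5.so.6  \\
      allow_kdc_spoof
#auth required pam_krb5.so allow_kdc_spoof
auth  required  pam_unix.so  allow_kdc_spoof
auth  include  system
"""
```

Running find_kdc_spoof over each file in /etc/pam.d/ (or over /etc/pam.conf with has_service_column=True) lists the rules that have explicitly opted out of the check.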
