CVE-2017-11368 : Security Advisory and Response

MIT Kerberos 5 vulnerability allowing an authenticated attacker to induce a failure in the Key Distribution Center (KDC) by sending invalid requests.

Understanding CVE-2017-11368

An attacker authenticated in MIT Kerberos 5 version 1.7 or later can trigger a KDC failure by sending specific invalid requests.

What is CVE-2017-11368?

In MIT Kerberos 5 (krb5) 1.7 and later, an attacker with authentication privileges can cause a KDC assertion failure by sending invalid S4U2Self or S4U2Proxy requests.

The Impact of CVE-2017-11368

An authenticated attacker can induce a failure in the KDC by sending invalid requests for S4U2Self or S4U2Proxy.

Technical Details of CVE-2017-11368

A vulnerability in MIT Kerberos 5 that allows an authenticated attacker to disrupt the KDC by sending specific invalid requests.

Vulnerability Description

The vulnerability in MIT Kerberos 5 (krb5) version 1.7 and later enables an attacker to cause a KDC assertion failure through invalid S4U2Self or S4U2Proxy requests.

Affected Systems and Versions

Product: Not applicable
Vendor: Not applicable
Versions: 1.7 and later

Exploitation Mechanism

Attacker needs to be authenticated in MIT Kerberos 5
Sending invalid requests for S4U2Self or S4U2Proxy

Mitigation and Prevention

Steps to address and prevent the CVE-2017-11368 vulnerability.

Immediate Steps to Take

Apply patches provided by the vendor
Monitor for any unauthorized access or unusual activities
Restrict network access to authenticated users only

Long-Term Security Practices

Regularly update and patch Kerberos installations
Conduct security training for users on best practices
Implement multi-factor authentication where possible

Patching and Updates

Check for updates and patches from MIT Kerberos 5
Apply patches promptly to mitigate the vulnerability