
CVE-2020-28196 Explained: Impact and Mitigation

CVE-2020-28196 is a vulnerability in MIT Kerberos 5 (krb5): a crafted ASN.1-encoded message that nests BER indefinite-length values can drive the decoder into unbounded recursion and crash the decoding process, a denial of service. Technical details, mitigation steps and patching guidance follow.

MIT Kerberos 5 (aka krb5) before 1.17.2 and 1.18.x before 1.18.3 allows unbounded recursion via an ASN.1-encoded Kerberos message due to a lack of recursion limit in BER indefinite lengths.

Understanding CVE-2020-28196

MIT Kerberos 5 vulnerability with unbounded recursion in ASN.1-encoded messages.

What is CVE-2020-28196?

CVE-2020-28196 is a vulnerability in the ASN.1 decoder of MIT Kerberos 5 (krb5). A Kerberos message encoded with BER indefinite-length constructed values nested inside one another is decoded recursively, one level of nesting per recursive call, and the decoder imposed no limit on that depth.

The Impact of CVE-2020-28196

Unbounded recursion exhausts the stack of the process doing the decoding, so a single crafted message crashes it: a denial of service against the KDC, kadmind, or any other service that decodes untrusted Kerberos messages with libkrb5. No valid credentials are needed, because the message has to be decoded before it can be authenticated.

Technical Details of CVE-2020-28196

MIT Kerberos 5 vulnerability details.

Vulnerability Description

The issue is in the decoder in lib/krb5/asn.1/asn1_encode.c (despite the file name, it holds the decoding primitives as well). In BER, a length octet of 0x80 means "indefinite": the contents run until an end-of-contents marker (two zero octets), and the only way to find that marker is to walk the values nested inside. The decoder did this by recursing into each nested value, and there was no limit on how deep that recursion could go. Each nested indefinite-length value is only two bytes on the wire (a constructed tag followed by 0x80), so a small message can demand thousands of stack frames.

Affected Systems and Versions

        Versions before 1.17.2 and 1.18.x before 1.18.3 of MIT Kerberos 5 are affected.

Exploitation Mechanism

An attacker builds a message in which constructed values with indefinite length are nested thousands of levels deep and sends it to a service that decodes it with libkrb5. Each level costs the decoder one more stack frame, the stack runs out, and the process crashes. The fix bounds the nesting depth the decoder will follow and rejects messages that exceed it.
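As an added example (written for this page, not the krb5 decoder itself), the following Python BER walker shows both shapes described above: with max_depth=None it recurses into nested indefinite-length values with no bound, and a two-bytes-per-level message deeper than the interpreter's recursion limit exhausts the stack (Python raises RecursionError where krb5's C code would overflow the stack and crash); with an integer max_depth it rejects the same message after a few levels. The function names, the constructed messages and the 32-level limit used in the demo are this example's own choices, not values taken from krb5.

```python
"""Minimal BER TLV walker illustrating CVE-2020-28196's bug class.

Example code written for this page; it is not the krb5 decoder. A BER value
is tag, length, contents. Length octet 0x80 means "indefinite": the contents
run until an end-of-contents marker (00 00), which a decoder can only find by
walking the nested values inside, i.e. by recursing.
"""
import sys

EOC = b"\x00\x00"


def _read_length(data, pos):
    """Return (length, new_pos); length is None for the indefinite form."""
    if pos >= len(data):
        raise ValueError("truncated length")
    first = data[pos]
    pos += 1
    if first == 0x80:
        return None, pos                      # indefinite length
    if first < 0x80:
        return first, pos                     # short form
    nbytes = first & 0x7F                     # long form: N length octets
    if nbytes > 4 or pos + nbytes > len(data):
        raise ValueError("bad long-form length")
    return int.from_bytes(data[pos:pos + nbytes], "big"), pos + nbytes


def skip_tlv(data, pos, max_depth=None, depth=0):
    """Skip one TLV starting at pos; return the offset just past it.

    max_depth=None reproduces the unbounded recursion (the vulnerable shape);
    an integer bounds how deep indefinite-length nesting may go (the fix).
    """
    if max_depth is not None and depth > max_depth:
        raise ValueError("BER nesting deeper than %d" % max_depth)
    if pos >= len(data):
        raise ValueError("truncated tag")
    tag = data[pos]
    if tag & 0x1F == 0x1F:
        raise ValueError("multi-byte tags not handled in this demo")
    constructed = bool(tag & 0x20)
    length, pos = _read_length(data, pos + 1)
    if length is None:
        if not constructed:
            raise ValueError("indefinite length on a primitive value")
        # Indefinite length: walk the nested values until end-of-contents.
        # Every nested indefinite-length value costs one more stack frame.
        while data[pos:pos + 2] != EOC:
            pos = skip_tlv(data, pos, max_depth, depth + 1)
        return pos + 2
    if pos + length > len(data):
        raise ValueError("truncated contents")
    return pos + length


def nested_indefinite(depth):
    """Constructed message: `depth` SEQUENCEs (0x30) of indefinite length,
    each nested in the previous one, then `depth` end-of-contents markers.
    Two bytes per level, so a few kilobytes buy thousands of stack frames."""
    return b"\x30\x80" * depth + EOC * depth


def parse_outcome(msg, max_depth=None):
    """Run skip_tlv over msg and report how it ended."""
    try:
        return ("ok", skip_tlv(msg, 0, max_depth))
    except RecursionError:
        # In C this is a stack overflow and a crashed process; Python turns
        # it into an exception, which lets the demo survive.
        return ("stack exhausted", None)
    except ValueError as exc:
        return ("rejected", str(exc))


# Constructed inputs for the demo (not real Kerberos messages).
# SEQUENCE (indefinite) { INTEGER 5, OCTET STRING "abc" } EOC
BENIGN_MESSAGE = b"\x30\x80\x02\x01\x05\x04\x03abc\x00\x00"
# Nest deeper than the interpreter's recursion limit so the unbounded walker fails.
HOSTILE_DEPTH = sys.getrecursionlimit() * 2
HOSTILE_MESSAGE = nested_indefinite(HOSTILE_DEPTH)

if __name__ == "__main__":
    print("benign, unbounded:", parse_outcome(BENIGN_MESSAGE))
    print("hostile (%d levels, %d bytes), unbounded:"
          % (HOSTILE_DEPTH, len(HOSTILE_MESSAGE)), parse_outcome(HOSTILE_MESSAGE))
    print("hostile, max_depth=32:", parse_outcome(HOSTILE_MESSAGE, max_depth=32))
```

Running the script shows the benign message decoding cleanly, the hostile message exhausting the stack under the unbounded walker, and the same message being rejected at level 33 under the bounded one. The depth check is deliberately placed at function entry, before any parsing, so the cost of a rejected message is bounded by the limit rather than by the message size.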

Mitigation and Prevention

Protect systems from CVE-2020-28196.

Immediate Steps to Take

        Apply the fixed releases from MIT Kerberos (1.17.2 or 1.18.3) or your distribution's patched packages, and restart the KDC, kadmind and any long-running services that link libkrb5 so they pick up the new library.
        Watch for unexpected crashes or restarts of krb5 daemons and of services that decode Kerberos messages; a stack-exhaustion DoS shows up as a crash, not as gradual resource growth.

Long-Term Security Practices

        Keep krb5 and the software that links it on supported, patched versions.
        Restrict reachability of the KDC and kadmin ports to the networks that need them, which limits who can deliver a crafted message in the first place.

Patching and Updates

        Ensure every instance of MIT Kerberos 5 runs 1.17.2 or later, or 1.18.3 or later. Running klist -V or krb5-config --version reports the library release; distribution packages often backport the fix without changing that version string, so check the package changelog for CVE-2020-28196 rather than relying on the version alone.
