Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Message-ID: <87y3qjcscp.fsf@hope.eyrie.org>
Date: Wed, 16 Aug 2017 10:52:54 -0700
From: Russ Allbery <eagle@...ie.org>
To: Florian Weimer <fweimer@...hat.com>
Cc: oss-security@...ts.openwall.com
Subject: Re: Insecure DNS dependency in many Kerberos deployments

Florian Weimer <fweimer@...hat.com> writes:

> As a rule of thumb, the impact is similar to running TLS with CA-based
> certificate validation, but without host name checks (but perhaps
> slightly less because the trust domains could be much smaller).

I think this overstates the impact somewhat.  This is more worrisome with
TLS because for most TLS applications there is a single global trust
domain with certificates issued by dozens or hundreds of parties and no
organizational scoping.  This is *not* the case for Kerberos.  To exploit
this flaw in Kerberos, the attacker has to be able to control service
principals (for the same target service with a different hostname) within
the same Kerberos realm (or, in some circumstances, one reachable by
cross-realm trust).  This is a much higher bar to meet, and in a lot of
organizations this bar cannot be easily met by an attacker.

The attack is definitely possible, and the Kerberos community has been
aware of this problem for a long time (there are a lot of difficult issues
involved in closing it, but everyone has wanted to close it), but it's not
as exploitable as the TLS equivalent (at least in the absence of
organizational cert pinning).

> The Kerberos client library enables this canonicalization by default:

>        dns_canonicalize_hostname
>               Indicate  whether  name lookups will
>               be used  to  canonicalize  hostnames
>               for  use in service principal names.
>               Setting  this  flag  to  false   can
>               improve    security    by   reducing
>               reliance  on  DNS,  but  means  that
>               short  hostnames will not be canoni‐
>               calized  to  fully-qualified   host‐
>               names.  The default value is true.

>        rdns   If this flag is true,  reverse  name
>               lookup  will  be used in addition to
>               forward name lookup to  canonicaliz‐
>               ing  hostnames  for  use  in service
>               principal names.  If  dns_canonical‐
>               ize_hostname  is  set to false, this
>               flag has  no  effect.   The  default
>               value is true.

For the record, those are settings for *a* Kerberos client library, not
*the* Kerberos client library (specifically, the MIT Kerberos
implementation).  Heimdal does not use those settings, and there are other
Kerberos implementations as well.

-- 
Russ Allbery (eagle@...ie.org)              <http://www.eyrie.org/~eagle/>

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.