1. Forum
  2. Usenet
  3. LINUX.DEBIAN.BUGS.DIST

  • Bug#1103525: krb5: CVE-2025-3576

    From =?UTF-8?Q?Moritz_M=C3=BChlenhoff?=@21:1/5 to All on Fri Apr 18 18:10:01 2025
    Source: krb5
    X-Debbugs-CC: team@security.debian.org
    Severity: important
    Tags: security

    Hi,

    The following vulnerability was published for krb5.

    CVE-2025-3576[0]:
    | A vulnerability in the MIT Kerberos implementation allows GSSAPI-
    | protected messages using RC4-HMAC-MD5 to be spoofed due to
    | weaknesses in the MD5 checksum design. If RC4 is preferred over
    | stronger encryption types, an attacker could exploit MD5 collisions
    | to forge message integrity codes. This may lead to unauthorized
    | message tampering.

    So far the only reference here is from Red Hat Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2359465


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-3576
    https://www.cve.org/CVERecord?id=CVE-2025-3576

    Please adjust the affected versions in the BTS as needed.

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From Benjamin Kaduk@21:1/5 to All on Fri Apr 18 22:00:02 2025
    I asked upstream who notes that this is the stuff covered in the Tervoort
    paper (https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf)
    and that, per https://web.mit.edu/kerberos/krb5-1.21/, you have to
    specifically enable issuance of rc4 (and des3) session keys with new config
    as of 1.21. Since there has to be a knob to let people enable the weak behavior in case they are completely broken without it, that seems like it should count as fixed for trixie and sid. The paper also talks about
    attacks against the PAC, and upstream says there was a fair bit of work in
    1.21 to tackle things on the PAC side as well.

    I have not attempted to take a look at how much work it would be to extract those changes for backport to stable.

    -Ben

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)