Brian May wrote:
> I am hardly authoritative on this, however my rough take right now is:
>
> * There is a vulnerability.
> * The fix is simple. Looking at the Samba patches, I suspect we only
>   need the bit that alters krb5tgs.c - below.
> * Not convinced this can actually be exploited without AD. It is
>   unlikely you would be using the stock Heimdal with AD. So possible
>   we don't need to worry.

When authoring

  https://www.samba.org/samba/security/CVE-2018-16860.html

we tried to make it very clear that although this vulnerability exists within the Heimdal KDC (as well as Microsoft Active Directory) the exploit grants privilege escalation to any service that authenticates users via a non-Kerberos mechanism and then obtains a Kerberos ticket for the authenticated user issued with the service principal being the requesting service's identity.

To make it clear that non-Windows services could be impacted we provided an example of a web authentication service using OAuth or Shibboleth to obtain AFS tokens on behalf of an authenticating user.

This vulnerability is very serious and should be patched immediately.

The minimal set of changes to address CVE-2018-16860 and CVE-2019-12098 can be found in this pull request:

  https://github.com/heimdal/heimdal/pull/555

Jeffrey Altman
Heimdal Project Manager