Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: k...@packages.debian.org
Control: affects -1 + src:krb5
User: release.debian....@packages.debian.org
Usertags: pu
[ Reason ]
CVE-2025-3576

[ Impact ]
CVE-2025-3576 is not fixed.

[ Tests ]
Test suite

[ Risks ]
low
disabling security hardening is possible

[ Checklist ]
  [X] *all* changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in (old)stable
  [X] the issue is verified as fixed in unstable

[ Changes ]
* Fix CVE-2025-3576. Closes: #1103525
  A vulnerability in the MIT Kerberos implementation allows GSSAPI-protected
  messages using RC4-HMAC-MD5 to be spoofed due to weaknesses in the MD5
  checksum design. If RC4 is preferred over stronger encryption types, an
  attacker could exploit MD5 collisions to forge message integrity codes.
  This may lead to unauthorized message tampering.
* Tickets will not be issued with RC4 or triple-DES session keys unless
  explicitly configured with the new allow_rc4 or allow_des3 variables
  respectively.
* In KDC, assume all services support aes256-sha1
  To facilitate negotiating session keys with acceptable security, assume
  that services support aes256-cts-hmac-sha1 unless a session_enctypes
  string attribute says otherwise.

[ Other info ]
Reviewed by Debian maintainer
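The session-key selection that the two patches change, as an added example (not code from MIT krb5 or this Debian package): it reproduces the t_sesskeynego.py cases 3b, 5, 6 and 7 from the debdiff plus the pre-patch outcome of 3b. The client request order, the service records and the permitted list are constructed, and supports_enctype/select_session_keytype are simplified models of the KDC functions the patch touches, not the real ones.

```python
# Added example (not MIT krb5 or Debian package code): a model of the KDC
# session-key selection after the two patches; inputs below are constructed.
from dataclasses import dataclass

AES256_SHA1 = "aes256-cts-hmac-sha1-96"
AES128_SHA1 = "aes128-cts-hmac-sha1-96"
DES3 = "des3-cbc-sha1"
RC4 = "arcfour-hmac"
ALL = [AES256_SHA1, AES128_SHA1, DES3, RC4]   # assumed client order: AES first

@dataclass
class Service:
    long_term_keys: list            # enctypes of the latest kvno
    session_enctypes: list = None   # kadmin 'setstr ... session_enctypes'

@dataclass
class KdcConfig:
    permitted_enctypes: list
    allow_des3: bool = False          # new [libdefaults] switches, default false
    allow_rc4: bool = False
    assume_aes256_sha1: bool = True   # kdc-assume-aes-support.patch behaviour

def supports_enctype(service, etype, cfg):
    """dbentry_supports_enctype() model: session_enctypes overrides all;
    otherwise aes256-sha1 is assumed and any long-term key enctype counts."""
    if service.session_enctypes is not None:
        return etype in service.session_enctypes
    if cfg.assume_aes256_sha1 and etype == AES256_SHA1:
        return True
    return etype in service.long_term_keys

def select_session_keytype(requested, service, cfg):
    """select_session_keytype() model: first requested enctype that is
    permitted, not a gated deprecated enctype, and supported by the service."""
    for etype in requested:
        if etype not in cfg.permitted_enctypes:
            continue
        if etype == DES3 and not cfg.allow_des3:  # new checks come after the
            continue                              # permitted_enctypes test
        if etype == RC4 and not cfg.allow_rc4:
            continue
        if supports_enctype(service, etype, cfg):
            return etype
    return None   # no usable session enctype: the KDC rejects the request

def scenarios():
    """t_sesskeynego.py cases 3b/5/6/7 plus the pre-patch outcome of 3b."""
    default = KdcConfig(ALL)
    old = KdcConfig(ALL, allow_rc4=True, assume_aes256_sha1=False)
    srv3b = Service([AES256_SHA1], [RC4, AES128_SHA1, AES256_SHA1])
    return {
        "3b_old": select_session_keytype([RC4, AES128_SHA1], srv3b, old),
        "3b": select_session_keytype([RC4, AES128_SHA1], srv3b, default),
        "5": select_session_keytype(ALL, Service([AES256_SHA1], [RC4]),
                                    KdcConfig(ALL, allow_rc4=True)),
        "6": select_session_keytype(ALL, Service([AES256_SHA1], [DES3]),
                                    KdcConfig(ALL, allow_des3=True)),
        "7": select_session_keytype(ALL, Service([RC4]), default),
    }
```

Case 7 is the one to watch before upgrading: a service with only an rc4-hmac key now receives an AES session key, and the only opt-out is a session_enctypes attribute combined with allow_rc4.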
diff -Nru krb5-1.20.1/debian/changelog krb5-1.20.1/debian/changelog --- krb5-1.20.1/debian/changelog 2025-02-23 18:42:24.000000000 +0100 +++ krb5-1.20.1/debian/changelog 2025-05-07 19:06:22.000000000 +0200 @@ -1,3 +1,24 @@ +krb5 (1.20.1-2+deb12u4) bookworm; urgency=medium + + * Non Maintainer upload by LTS team + * Fix CVE-2025-3576. Closes: #1103525 + A Vulnerability in the MIT Kerberos implementation + allows GSSAPI-protected messages using RC4-HMAC-MD5 + to be spoofed due to weaknesses in the MD5 checksum design. + If RC4 is preferred over stronger encryption types, + an attacker could exploit MD5 collisions to forge message + integrity codes. This may lead to unauthorized + message tampering. + * Tickets will not be issued with RC4 or triple-DES session + keys unless explicitly configured with the new allow_rc4 + or allow_des3 variables respectively. + * In KDC, assume all services support aes256-sha1 + To facilitate negotiating session keys with acceptable security, + assume that services support aes256-cts-hmac-sha1 unless a + session_enctypes string attribute says otherwise. + + -- Bastien Roucariès <ro...@debian.org> Wed, 07 May 2025 19:06:22 +0200 + krb5 (1.20.1-2+deb12u3) bookworm; urgency=medium * Non Maintainer upload by LTS team diff -Nru krb5-1.20.1/debian/krb5-kdc.NEWS krb5-1.20.1/debian/krb5-kdc.NEWS --- krb5-1.20.1/debian/krb5-kdc.NEWS 2025-02-23 17:33:21.000000000 +0100 +++ krb5-1.20.1/debian/krb5-kdc.NEWS 2025-05-07 19:06:22.000000000 +0200 
@@ -1,3 +1,11 @@ +krb5 (1.20.1-2+deb12u4) bookworm; urgency=medium + + In order to fix CVE-2025-3576, vulnerable cryptographic + for tickets are disabled by default unless explicitly configured + with the new allow_rc4 or allow_des3 variables respectively. + + -- Bastien Roucariès <ro...@debian.org> Sun, 04 May 2025 22:44:14 +0200 + krb5 (1.13.1+dfsg-1) experimental; urgency=low The KDC process now listens on TCP port 88 as well as UDP port 88 by diff -Nru krb5-1.20.1/debian/patches/CVE-2025-3576.patch krb5-1.20.1/debian/patches/CVE-2025-3576.patch --- krb5-1.20.1/debian/patches/CVE-2025-3576.patch 1970-01-01 01:00:00.000000000 +0100 +++ krb5-1.20.1/debian/patches/CVE-2025-3576.patch 2025-05-07 19:06:22.000000000 +0200 
@@ -0,0 +1,318 @@ +From: Greg Hudson <ghud...@mit.edu> +Date: Fri, 16 Dec 2022 18:31:07 -0500 +Subject: [PATCH] Don't issue session keys with deprecated enctypes + +A paper by Tom Tervoort noted that rc4-hmac pre-hashes the input for +its checksum and GSS operations before applying HMAC, and is therefore +potentially vulnerable to hash collision attacks if a protocol +contains a restricted signing oracle. + +In light of these potential attacks, begin the functional deprecation +of DES3 and RC4 by disallowing their use as session key enctypes by +default. Add the variables allow_des3 and allow_rc4 in case +negotiability of these enctypes for session keys needs to be turned +back on, with the expectation that in future releases the enctypes +will be more comprehensively deprecated. + +ticket: 9081 +origin: backport, https://github.com/krb5/krb5/commit/1b57a4d134bbd0e7c52d5885a92eccc815726463 +--- + doc/admin/conf_files/krb5_conf.rst | 12 ++++++++++++ + doc/admin/enctypes.rst | 23 ++++++++++++++++++++--- + src/include/k5-int.h | 4 ++++ + src/kdc/kdc_util.c | 10 ++++++++++ + src/lib/krb5/krb/get_in_tkt.c | 31 ++++++++++++++++++++----------- + src/lib/krb5/krb/init_ctx.c | 10 ++++++++++ + src/tests/gssapi/t_enctypes.py | 3 ++- + src/tests/t_etype_info.py | 2 +- + src/tests/t_sesskeynego.py | 28 ++++++++++++++++++++++++++-- + src/util/k5test.py | 4 ++-- + 10 files changed, 107 insertions(+), 20 deletions(-) + +diff --git a/doc/admin/conf_files/krb5_conf.rst b/doc/admin/conf_files/krb5_conf.rst +index d5d6e06..d7d4baf 100644 +--- a/doc/admin/conf_files/krb5_conf.rst ++++ b/doc/admin/conf_files/krb5_conf.rst +@@ -95,6 +95,18 @@ Additionally, krb5.conf may include any of the relations described in + + The libdefaults section may contain any of the following relations: + ++**allow_des3** ++ Permit the KDC to issue tickets with des3-cbc-sha1 session keys. ++ In future releases, this flag will allow des3-cbc-sha1 to be used ++ at all. The default value for this tag is false. 
(Added in ++ release 1.21.) ++ ++**allow_rc4** ++ Permit the KDC to issue tickets with arcfour-hmac session keys. ++ In future releases, this flag will allow arcfour-hmac to be used ++ at all. The default value for this tag is false. (Added in ++ release 1.21.) ++ + **allow_weak_crypto** + If this flag is set to false, then weak encryption types (as noted + in :ref:`Encryption_types` in :ref:`kdc.conf(5)`) will be filtered +diff --git a/doc/admin/enctypes.rst b/doc/admin/enctypes.rst +index 694922c..dce19ad 100644 +--- a/doc/admin/enctypes.rst ++++ b/doc/admin/enctypes.rst +@@ -48,12 +48,15 @@ Session key selection + The KDC chooses the session key enctype by taking the intersection of + its **permitted_enctypes** list, the list of long-term keys for the + most recent kvno of the service, and the client's requested list of +-enctypes. ++enctypes. Starting in krb5-1.21, all services are assumed to support ++aes256-cts-hmac-sha1-96; also, des3-cbc-sha1 and arcfour-hmac session ++keys will not be issued by default. + + Starting in krb5-1.11, it is possible to set a string attribute on a + service principal to control what session key enctypes the KDC may +-issue for service tickets for that principal. See :ref:`set_string` +-in :ref:`kadmin(1)` for details. ++issue for service tickets for that principal, overriding the service's ++long-term keys and the assumption of aes256-cts-hmac-sha1-96 support. ++See :ref:`set_string` in :ref:`kadmin(1)` for details. + + + Choosing enctypes for a service +@@ -87,6 +90,20 @@ affect how enctypes are chosen. + acceptable risk for your environment and the weak enctypes are + required for backward compatibility. + ++**allow_des3** ++ was added in release 1.21 and defaults to *false*. Unless this ++ flag is set to *true*, the KDC will not issue tickets with ++ des3-cbc-sha1 session keys. In a future release, this flag will ++ control whether des3-cbc-sha1 is permitted in similar fashion to ++ weak enctypes. 
++ ++**allow_rc4** ++ was added in release 1.21 and defaults to *false*. Unless this ++ flag is set to *true*, the KDC will not issue tickets with ++ arcfour-hmac session keys. In a future release, this flag will ++ control whether arcfour-hmac is permitted in similar fashion to ++ weak enctypes. ++ + **permitted_enctypes** + controls the set of enctypes that a service will permit for + session keys and for ticket and authenticator encryption. The KDC +diff --git a/src/include/k5-int.h b/src/include/k5-int.h +index 5c582dc..b89763f 100644 +--- a/src/include/k5-int.h ++++ b/src/include/k5-int.h +@@ -180,6 +180,8 @@ typedef unsigned char u_char; + * matches the variable name. Keep these alphabetized. */ + #define KRB5_CONF_ACL_FILE "acl_file" + #define KRB5_CONF_ADMIN_SERVER "admin_server" ++#define KRB5_CONF_ALLOW_DES3 "allow_des3" ++#define KRB5_CONF_ALLOW_RC4 "allow_rc4" + #define KRB5_CONF_ALLOW_WEAK_CRYPTO "allow_weak_crypto" + #define KRB5_CONF_AUTH_TO_LOCAL "auth_to_local" + #define KRB5_CONF_AUTH_TO_LOCAL_NAMES "auth_to_local_names" +@@ -1244,6 +1246,8 @@ struct _krb5_context { + struct _kdb_log_context *kdblog_context; + + krb5_boolean allow_weak_crypto; ++ krb5_boolean allow_des3; ++ krb5_boolean allow_rc4; + krb5_boolean ignore_acceptor_hostname; + krb5_boolean enforce_ok_as_delegate; + enum dns_canonhost dns_canonicalize_hostname; +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 9f2a67d..490864f 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1045,6 +1045,16 @@ select_session_keytype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, + if (!krb5_is_permitted_enctype(kdc_context, ktype[i])) + continue; + ++ /* ++ * Prevent these deprecated enctypes from being used as session keys ++ * unless they are explicitly allowed. In the future they will be more ++ * comprehensively disabled and eventually removed. 
++ */ ++ if (ktype[i] == ENCTYPE_DES3_CBC_SHA1 && !kdc_context->allow_des3) ++ continue; ++ if (ktype[i] == ENCTYPE_ARCFOUR_HMAC && !kdc_context->allow_rc4) ++ continue; ++ + if (dbentry_supports_enctype(kdc_active_realm, server, ktype[i])) + return ktype[i]; + } +diff --git a/src/lib/krb5/krb/get_in_tkt.c b/src/lib/krb5/krb/get_in_tkt.c +index 8b5ab59..4ca7b4e 100644 +--- a/src/lib/krb5/krb/get_in_tkt.c ++++ b/src/lib/krb5/krb/get_in_tkt.c +@@ -1583,22 +1583,31 @@ warn_pw_expiry(krb5_context context, krb5_get_init_creds_opt *options, + (*prompter)(context, data, 0, banner, 0, 0); + } + +-/* Display a warning via the prompter if des3-cbc-sha1 was used for either the +- * reply key or the session key. */ ++/* Display a warning via the prompter if a deprecated enctype was used for ++ * either the reply key or the session key. */ + static void +-warn_des3(krb5_context context, krb5_init_creds_context ctx, +- krb5_enctype as_key_enctype) ++warn_deprecated(krb5_context context, krb5_init_creds_context ctx, ++ krb5_enctype as_key_enctype) + { +- const char *banner; ++ krb5_enctype etype; ++ char encbuf[128], banner[256]; + +- if (as_key_enctype != ENCTYPE_DES3_CBC_SHA1 && +- ctx->cred.keyblock.enctype != ENCTYPE_DES3_CBC_SHA1) +- return; + if (ctx->prompter == NULL) + return; + +- banner = _("Warning: encryption type des3-cbc-sha1 used for " +- "authentication is weak and will be disabled"); ++ if (krb5int_c_deprecated_enctype(as_key_enctype)) ++ etype = as_key_enctype; ++ else if (krb5int_c_deprecated_enctype(ctx->cred.keyblock.enctype)) ++ etype = ctx->cred.keyblock.enctype; ++ else ++ return; ++ ++ if (krb5_enctype_to_name(etype, FALSE, encbuf, sizeof(encbuf)) != 0) ++ return; ++ snprintf(banner, sizeof(banner), ++ _("Warning: encryption type %s used for authentication is " ++ "deprecated and will be disabled"), encbuf); ++ + /* PROMPTER_INVOCATION */ + (*ctx->prompter)(context, ctx->prompter_data, NULL, banner, 0, NULL); + } +@@ -1849,7 +1858,7 @@ 
init_creds_step_reply(krb5_context context, + ctx->complete = TRUE; + warn_pw_expiry(context, ctx->opt, ctx->prompter, ctx->prompter_data, + ctx->in_tkt_service, ctx->reply); +- warn_des3(context, ctx, encrypting_key.enctype); ++ warn_deprecated(context, ctx, encrypting_key.enctype); + + cleanup: + krb5_free_pa_data(context, kdc_padata); +diff --git a/src/lib/krb5/krb/init_ctx.c b/src/lib/krb5/krb/init_ctx.c +index 87b486c..a6c2bbe 100644 +--- a/src/lib/krb5/krb/init_ctx.c ++++ b/src/lib/krb5/krb/init_ctx.c +@@ -221,6 +221,16 @@ krb5_init_context_profile(profile_t profile, krb5_flags flags, + goto cleanup; + ctx->allow_weak_crypto = tmp; + ++ retval = get_boolean(ctx, KRB5_CONF_ALLOW_DES3, 0, &tmp); ++ if (retval) ++ goto cleanup; ++ ctx->allow_des3 = tmp; ++ ++ retval = get_boolean(ctx, KRB5_CONF_ALLOW_RC4, 0, &tmp); ++ if (retval) ++ goto cleanup; ++ ctx->allow_rc4 = tmp; ++ + retval = get_boolean(ctx, KRB5_CONF_IGNORE_ACCEPTOR_HOSTNAME, 0, &tmp); + if (retval) + goto cleanup; +diff --git a/src/tests/gssapi/t_enctypes.py b/src/tests/gssapi/t_enctypes.py +index 7494d7f..f5f1184 100755 +--- a/src/tests/gssapi/t_enctypes.py ++++ b/src/tests/gssapi/t_enctypes.py +@@ -18,7 +18,8 @@ d_rc4 = 'DEPRECATED:arcfour-hmac' + # These tests make assumptions about the default enctype lists, so set + # them explicitly rather than relying on the library defaults. 
+ supp='aes256-cts:normal aes128-cts:normal des3-cbc-sha1:normal rc4-hmac:normal' +-conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4'}, ++conf = {'libdefaults': {'permitted_enctypes': 'aes des3 rc4', ++ 'allow_des3': 'true', 'allow_rc4': 'true'}, + 'realms': {'$realm': {'supported_enctypes': supp}}} + realm = K5Realm(krb5_conf=conf) + shutil.copyfile(realm.ccache, os.path.join(realm.testdir, 'save')) +diff --git a/src/tests/t_etype_info.py b/src/tests/t_etype_info.py +index c982508..38cf96c 100644 +--- a/src/tests/t_etype_info.py ++++ b/src/tests/t_etype_info.py +@@ -1,7 +1,7 @@ + from k5test import * + + supported_enctypes = 'aes128-cts des3-cbc-sha1 rc4-hmac' +-conf = {'libdefaults': {'allow_weak_crypto': 'true'}, ++conf = {'libdefaults': {'allow_des3': 'true', 'allow_rc4': 'true'}, + 'realms': {'$realm': {'supported_enctypes': supported_enctypes}}} + realm = K5Realm(create_host=False, get_creds=False, krb5_conf=conf) + +diff --git a/src/tests/t_sesskeynego.py b/src/tests/t_sesskeynego.py +index 9024aee..5a21361 100755 +--- a/src/tests/t_sesskeynego.py ++++ b/src/tests/t_sesskeynego.py +@@ -25,6 +25,8 @@ conf3 = {'libdefaults': { + 'default_tkt_enctypes': 'aes128-cts', + 'default_tgs_enctypes': 'rc4-hmac,aes128-cts'}} + conf4 = {'libdefaults': {'permitted_enctypes': 'aes256-cts'}} ++conf5 = {'libdefaults': {'allow_rc4': 'true'}} ++conf6 = {'libdefaults': {'allow_des3': 'true'}} + # Test with client request and session_enctypes preferring aes128, but + # aes256 long-term key. + realm = K5Realm(krb5_conf=conf1, create_host=False, get_creds=False) +@@ -54,10 +56,12 @@ realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'aes128-cts,aes256-cts']) + test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + +-# 3b: Negotiate rc4-hmac session key when principal only has aes256 long-term. 
++# 3b: Skip RC4 (as the KDC does not allow it for session keys by ++# default) and negotiate aes128-cts session key, with only an aes256 ++# long-term service key. + realm.run([kadminl, 'setstr', 'server', 'session_enctypes', + 'rc4-hmac,aes128-cts,aes256-cts']) +-test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') ++test_kvno(realm, 'aes128-cts-hmac-sha1-96', 'aes256-cts-hmac-sha1-96') + realm.stop() + + # 4: Check that permitted_enctypes is a default for session key enctypes. +@@ -67,4 +71,24 @@ realm.run([kvno, 'user'], + expected_trace=('etypes requested in TGS request: aes256-cts',)) + realm.stop() + ++# 5: allow_rc4 permits negotiation of rc4-hmac session key. ++realm = K5Realm(krb5_conf=conf5, create_host=False, get_creds=False) ++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) ++realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'rc4-hmac']) ++test_kvno(realm, 'DEPRECATED:arcfour-hmac', 'aes256-cts-hmac-sha1-96') ++realm.stop() ++ ++# 6: allow_des3 permits negotiation of des3-cbc-sha1 session key. ++realm = K5Realm(krb5_conf=conf6, create_host=False, get_creds=False) ++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'aes256-cts', 'server']) ++realm.run([kadminl, 'setstr', 'server', 'session_enctypes', 'des3-cbc-sha1']) ++test_kvno(realm, 'DEPRECATED:des3-cbc-sha1', 'aes256-cts-hmac-sha1-96') ++realm.stop() ++ ++# 7: default config negotiates aes256-sha1 session key for RC4-only service. ++realm = K5Realm(create_host=False, get_creds=False) ++realm.run([kadminl, 'addprinc', '-randkey', '-e', 'rc4-hmac', 'server']) ++test_kvno(realm, 'aes256-cts-hmac-sha1-96', 'DEPRECATED:arcfour-hmac') ++realm.stop() ++ + success('sesskeynego') +diff --git a/src/util/k5test.py b/src/util/k5test.py +index 619f199..6c5a586 100644 +--- a/src/util/k5test.py ++++ b/src/util/k5test.py +@@ -1346,14 +1346,14 @@ _passes = [ + + # Exercise the DES3 enctype. 
+ ('des3', None, +- {'libdefaults': {'permitted_enctypes': 'des3'}}, ++ {'libdefaults': {'permitted_enctypes': 'des3 aes256-sha1'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'des3-cbc-sha1:normal', + 'master_key_type': 'des3-cbc-sha1'}}}), + + # Exercise the arcfour enctype. + ('arcfour', None, +- {'libdefaults': {'permitted_enctypes': 'rc4'}}, ++ {'libdefaults': {'permitted_enctypes': 'rc4 aes256-sha1'}}, + {'realms': {'$realm': { + 'supported_enctypes': 'arcfour-hmac:normal', + 'master_key_type': 'arcfour-hmac'}}}), diff -Nru krb5-1.20.1/debian/patches/kdc-assume-aes-support.patch krb5-1.20.1/debian/patches/kdc-assume-aes-support.patch --- krb5-1.20.1/debian/patches/kdc-assume-aes-support.patch 1970-01-01 01:00:00.000000000 +0100 +++ krb5-1.20.1/debian/patches/kdc-assume-aes-support.patch 2025-05-07 19:06:22.000000000 +0200 
@@ -0,0 +1,47 @@ +From: Greg Hudson <ghud...@mit.edu> +Date: Wed, 14 Dec 2022 13:20:46 -0500 +Subject: [PATCH] In KDC, assume all services support aes256-sha1 + +To facilitate negotiating session keys with acceptable security, +assume that services support aes256-cts-hmac-sha1 unless a +session_enctypes string attribute says otherwise. + +ticket: 9075 +origin: backport, https://github.com/krb5/krb5/commit/2cbd847e0e92bc4e219b65c770ae33f851b22afc +--- + src/kdc/kdc_util.c | 4 ++++ + src/tests/t_keyrollover.py | 6 +++--- + 2 files changed, 7 insertions(+), 3 deletions(-) + +diff --git a/src/kdc/kdc_util.c b/src/kdc/kdc_util.c +index 490864f..fd57c64 100644 +--- a/src/kdc/kdc_util.c ++++ b/src/kdc/kdc_util.c +@@ -1023,6 +1023,10 @@ dbentry_supports_enctype(kdc_realm_t *kdc_active_realm, krb5_db_entry *server, + free(etypes_str); + free(etypes); + ++ /* Assume every server without a session_enctypes attribute supports ++ * aes256-cts-hmac-sha1-96. */ ++ if (enctype == ENCTYPE_AES256_CTS_HMAC_SHA1_96) ++ return TRUE; + /* Assume the server supports any enctype it has a long-term key for. */ + return !krb5_dbe_find_enctype(kdc_context, server, enctype, -1, 0, &datap); + } +diff --git a/src/tests/t_keyrollover.py b/src/tests/t_keyrollover.py +index 2c825a6..e9840df 100755 +--- a/src/tests/t_keyrollover.py ++++ b/src/tests/t_keyrollover.py +@@ -22,9 +22,9 @@ realm.run([kvno, princ1]) + realm.run([kadminl, 'purgekeys', realm.krbtgt_princ]) + # Make sure an old TGT fails after purging old TGS key. + realm.run([kvno, princ2], expected_code=1) +-et = "aes128-cts-hmac-sha256-128" +-msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): %s, %s' % \ +- (realm.realm, realm.realm, et, et) ++msg = 'krbtgt/%s@%s\n\tEtype (skey, tkt): ' \ ++ 'aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha256-128' % \ ++ (realm.realm, realm.realm) + realm.run([klist, '-e'], expected_msg=msg) + + # Check that new key actually works. 
diff -Nru krb5-1.20.1/debian/patches/series krb5-1.20.1/debian/patches/series --- krb5-1.20.1/debian/patches/series 2025-02-23 18:42:24.000000000 +0100 +++ krb5-1.20.1/debian/patches/series 2025-05-07 19:06:22.000000000 +0200 @@ -11,3 +11,5 @@ CVE-2024-37370 CVE-2024-26462.patch CVE-2025-24528.patch +CVE-2025-3576.patch +kdc-assume-aes-support.patch
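Review bot: the krb5-kdc.NEWS entry is missing its noun ("vulnerable cryptographic for tickets are disabled") and is too vague for an upgrade notice. From the patch, only des3-cbc-sha1 and arcfour-hmac session keys stop being issued, and the two switches are read through krb5_init_context_profile() in init_ctx.c, so they belong in the [libdefaults] section of the KDC's krb5.conf, not in kdc.conf. Suggest: "The KDC no longer issues tickets with des3-cbc-sha1 or arcfour-hmac session keys unless allow_des3 or allow_rc4 is set to true in the [libdefaults] section of krb5.conf." The entry should also say that a service holding only an rc4-hmac key now receives aes256-cts-hmac-sha1-96 session keys unless a session_enctypes string attribute is set, since that is the change most likely to surface as breakage after the upgrade.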
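Review bot: the backported documentation hunks in krb5_conf.rst ("(Added in release 1.21.)") and enctypes.rst ("Starting in krb5-1.21, all services are assumed to support aes256-cts-hmac-sha1-96") describe an upstream version this package is not; an administrator reading the installed docs for 1.20.1 will conclude the options do not apply. Suggest amending both hunks with a Debian-specific remark, e.g. "(Added in release 1.21; backported to Debian 1.20.1-2+deb12u4.)", or stating the backport in NEWS.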
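Review bot: in the select_session_keytype() hunk the new allow_des3/allow_rc4 checks sit after the krb5_is_permitted_enctype() test, so listing rc4 or des3 in permitted_enctypes alone no longer re-enables those session keys; both settings are required, which is exactly what the t_enctypes.py change adds ('permitted_enctypes': 'aes des3 rc4' plus 'allow_des3': 'true', 'allow_rc4': 'true'). The allow_rc4/allow_des3 doc text describes the flags in isolation; one sentence on that interaction would save admins a round of confusion. Note also that with the default settings a client requesting only arcfour-hmac against a service that only has an rc4-hmac key hits `continue` on every iteration and falls through to the function's no-match path, so that is the failure signature to document for anyone hunting post-upgrade breakage.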
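Review bot: the get_in_tkt.c hunk broadens the client-side prompter warning from des3-cbc-sha1 to every enctype krb5int_c_deprecated_enctype() reports, so after this upload interactive kinit users whose reply key or session key is arcfour-hmac will start seeing "Warning: encryption type arcfour-hmac used for authentication is deprecated and will be disabled". That is a visible behaviour change in libkrb5, not only in the KDC, yet the debdiff only adds a krb5-kdc.NEWS entry; suggest a matching line in the changelog or a libkrb5/krb5-user NEWS entry. The function itself looks sound: banner[256] holds the format string plus the 128-byte encbuf, and silently skipping the warning when krb5_enctype_to_name() fails is acceptable. Since krb5int_c_deprecated_enctype() is not introduced by this patch, the backport relies on it already existing in the 1.20.1 tree, which the test-suite run listed under [ Tests ] confirms.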
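Review bot: case 7 in the t_sesskeynego.py hunk ("default config negotiates aes256-sha1 session key for RC4-only service") only passes once kdc-assume-aes-support.patch is applied, and that patch comes after CVE-2025-3576.patch in debian/patches/series. The package build runs the tests with the full series applied, so this is harmless there, but pushing the patches one at a time with quilt leaves the suite failing in the intermediate state. Either swap the series order to match upstream, where the aes256 assumption (14 Dec 2022) landed before the deprecation commit (16 Dec 2022), or record the dependency in the CVE-2025-3576.patch header; the regenerated index lines (9f2a67d..490864f then 490864f..fd57c64) would need refreshing if the order changes.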
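Review bot: in the kdc-assume-aes-support.patch hunk for dbentry_supports_enctype(), the aes256-cts-hmac-sha1-96 short-circuit returns TRUE before the krb5_dbe_find_enctype() lookup, so a service whose Kerberos library cannot handle AES session keys but that happens to hold only an rc4-hmac long-term key will be issued a ticket with an AES session key it cannot use. That is the intended trade-off, but the only opt-out visible in the debdiff is the session_enctypes string attribute (kadmin setstr on the principal, combined with allow_rc4 = true in [libdefaults], as cases 5 and 6 in t_sesskeynego.py show), and nothing tells bookworm administrators about it. Suggest adding that recipe to krb5-kdc.NEWS so operators of legacy services have a supported fallback instead of rolling back the update.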