CVE-2019-25018

7.5 HIGH

📋 TL;DR

This vulnerability in the rcp client of MIT krb5-appl allows malicious servers to bypass access restrictions by sending filenames like '.' or empty strings, enabling them to modify permissions of target directories on client systems. It affects users of unsupported MIT krb5-appl software shipped by some Linux distributions, but not the main MIT Kerberos 5 product.

💻 Affected Systems

Products:
  • MIT krb5-appl
Versions: through 1.0.3
Operating Systems: Linux distributions shipping krb5-appl (e.g., SUSE)
Default Config Vulnerable: ⚠️ Yes
Notes: MIT krb5-appl is not supported upstream; affected code removed from main MIT Kerberos 5 (krb5) at version 1.8.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Malicious server could modify directory permissions on client systems, potentially leading to privilege escalation or unauthorized access to sensitive files.

🟠 Likely Case: Malicious server modifies permissions of client directories, potentially exposing sensitive data or allowing further exploitation.

🟢 If Mitigated: With proper network segmentation and server trust controls, impact is limited to directory permission changes on isolated systems.

🌐 Internet-Facing: LOW - rcp is typically used internally, not exposed to internet.
🏢 Internal Only: MEDIUM - Requires internal malicious server, but rcp usage is common in some environments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires a malicious server that the client connects to; the issue is similar to CVE-2018-20685 and CVE-2019-7282.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified (code removed from krb5 at version 1.8)

Vendor Advisory: https://bugzilla.suse.com/show_bug.cgi?id=1131109

Restart Required: No

Instructions:

1. Check if using krb5-appl.
2. Update to patched version from distribution vendor.
3. Consider migrating to main MIT Kerberos 5 (krb5), which removed the affected code years ago.

🔧 Temporary Workarounds

Disable rcp usage (all platforms)

Replace rcp with secure alternatives like scp or rsync over SSH:

# Replace rcp commands in scripts/configs with scp or rsync

Restrict rcp to trusted servers (linux)

Limit rcp connections to known, trusted servers only:

# Use firewall rules so this host's rcp client can only reach trusted servers.
# The threat is a malicious server acting on the client, so filter OUTPUT
# (connections the client initiates) rather than INPUT. rcp connects to the
# remote shell service on TCP port 514; Kerberized rcp from krb5-appl uses
# the kshell service on TCP port 544, so add that port as well if it is in use.
# Replace trusted_ip with the real server address.
iptables -A OUTPUT -p tcp --dport 514 -d trusted_ip -j ACCEPT
iptables -A OUTPUT -p tcp --dport 514 -j DROP

🧯 If You Can't Patch

  • Migrate from rcp to scp/rsync for all file transfers
  • Implement strict network segmentation to limit rcp traffic to trusted zones only

🔍 How to Verify

Check if Vulnerable:

Check if the krb5-appl package is installed and its version is 1.0.3 or earlier:

rpm -qa | grep -i krb5-appl
dpkg -l | grep -i krb5-appl

Check Version:

rpm -q krb5-appl || dpkg -l | grep krb5-appl
krb5-config --version   # reports the core krb5 library version, not the krb5-appl package

Verify Fix Applied:

Verify krb5-appl is either removed/updated or confirm using main MIT Kerberos 5 (krb5) version 1.8+
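The version checks above rely on reading the package output by eye. As an added example (not part of this advisory or of the krb5-appl project), the POSIX shell script below compares an installed krb5-appl version against the affected range "through 1.0.3" numerically, so it can be dropped into an inventory or compliance script. It assumes the package is named krb5-appl on both rpm- and dpkg-based systems and that distribution suffixes (e.g. "-1.el6" or an epoch) can be stripped before comparing.

```shell
#!/bin/sh
# Added example, not code from the advisory: decide whether an installed
# krb5-appl version falls within the affected range for CVE-2019-25018
# ("through 1.0.3").

# version_le A B -> exit 0 if dotted version A is <= B, comparing each
# numeric component in turn; missing components count as 0, and any
# non-numeric suffix on a component (e.g. "3rc1") is ignored.
version_le() {
    a=$1
    b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}
        bi=${b%%.*}
        [ "$ai" = "$a" ] && a= || a=${a#*.}
        [ "$bi" = "$b" ] && b= || b=${b#*.}
        ai=${ai%%[!0-9]*}
        bi=${bi%%[!0-9]*}
        ai=${ai:-0}
        bi=${bi:-0}
        [ "$ai" -lt "$bi" ] && return 0
        [ "$ai" -gt "$bi" ] && return 1
    done
    return 0
}

# krb5appl_affected VERSION -> exit 0 if VERSION is 1.0.3 or older.
krb5appl_affected() {
    version_le "$1" "1.0.3"
}

# installed_krb5appl_version -> prints the upstream version of the installed
# krb5-appl package (epoch and distro release suffix stripped), or prints
# nothing and exits 1 when the package is absent. Assumes the package name
# "krb5-appl" used by the advisory.
installed_krb5appl_version() {
    if command -v rpm >/dev/null 2>&1; then
        if v=$(rpm -q --qf '%{VERSION}\n' krb5-appl 2>/dev/null); then
            printf '%s\n' "$v"
            return 0
        fi
    fi
    if command -v dpkg-query >/dev/null 2>&1; then
        if v=$(dpkg-query -W -f='${Version}\n' krb5-appl 2>/dev/null); then
            v=${v#*:}        # drop an epoch such as "1:"
            v=${v%%-*}       # drop the Debian revision such as "-3"
            printf '%s\n' "$v"
            return 0
        fi
    fi
    return 1
}

# report_local_status -> prints a one-line verdict for this host; always
# exits 0 so it can run at the end of a larger inventory script.
report_local_status() {
    if v=$(installed_krb5appl_version); then
        if krb5appl_affected "$v"; then
            echo "krb5-appl $v installed: affected by CVE-2019-25018, update or remove"
        else
            echo "krb5-appl $v installed: outside the affected range"
        fi
    else
        echo "krb5-appl not installed: not affected by CVE-2019-25018"
    fi
    return 0
}

report_local_status
```

Run the script directly to get the verdict for the local host, or source it and call krb5appl_affected with a version string taken from another inventory source. A package whose version reads 1.0.3 with a distribution patch applied will still be reported as affected, since the comparison cannot see backported fixes; confirm against the vendor advisory in that case.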

📡 Detection & Monitoring

Log Indicators:

  • Unusual rcp connections from unexpected servers
  • Failed permission changes in system logs

Network Indicators:

  • rcp traffic to/from untrusted servers
  • Unusual port 514 traffic patterns

SIEM Query:

source_port=514 OR dest_port=514 | stats count by src_ip, dest_ip
