CVE-2020-28196
📋 TL;DR
This vulnerability in MIT Kerberos 5 (krb5) before 1.17.2, and 1.18.x before 1.18.3, lets an unauthenticated remote attacker cause a denial of service through unbounded recursion: the ASN.1 decoder in lib/krb5/asn.1/asn1_encode.c handled BER indefinite lengths by recursing once per nesting level with no recursion limit, so a Kerberos message containing deeply nested indefinite-length values exhausts the stack and crashes the decoding process. The decoder is part of libkrb5, so every process that parses Kerberos messages is exposed: the KDC (krb5kdc), kadmind, and GSSAPI/Kerberos-enabled application servers and clients. Any entity that can deliver a Kerberos message to the affected process can trigger it; for a KDC that is anyone who can reach port 88, no credentials required.
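The recursion described above, shown in a toy BER length walker. This is an added example written for this page, not krb5 code. It models the one thing a decoder that accepts indefinite lengths cannot avoid: to find where a value with length byte 0x80 ends, it must walk the nested contents down to the end-of-contents marker, one recursive call per nesting level. The unbounded walker mirrors the pre-fix pattern and dies with RecursionError on a deeply nested message (the Python stand-in for a C process overflowing its stack); the bounded walker adds a depth limit of the kind the fix commit introduces and rejects the message instead. MAX_INDEF_DEPTH and the sample messages are this example's assumptions, not krb5's values.

```python
"""Toy BER length walker illustrating the CVE-2020-28196 bug class.

Added example for this page, not code from MIT krb5. It models the part of a
decoder that must find the end of an indefinite-length value: with BER
indefinite lengths (length byte 0x80) the end is only known after walking the
nested contents to the end-of-contents marker (0x00 0x00), so each nesting
level costs one recursive call. MAX_INDEF_DEPTH and the sample messages are
this example's own assumptions, not krb5's values.
"""

MAX_INDEF_DEPTH = 32  # illustrative limit; krb5's own value is in the fix commit
EOC = b"\x00\x00"     # BER end-of-contents marker closing an indefinite-length value


def _read_tag(buf: bytes, pos: int) -> int:
    """Return the position just past the tag starting at pos (incl. high-tag-number form)."""
    if pos >= len(buf):
        raise ValueError("truncated tag")
    first = buf[pos]
    pos += 1
    if first & 0x1F == 0x1F:  # high tag number: following bytes continue while bit 7 is set
        while True:
            if pos >= len(buf):
                raise ValueError("truncated tag")
            cont = buf[pos]
            pos += 1
            if not cont & 0x80:
                break
    return pos


def _read_length(buf: bytes, pos: int):
    """Return (length, new_pos); length is None for the BER indefinite form."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    pos += 1
    if first == 0x80:
        return None, pos  # indefinite: contents run until EOC
    if first & 0x80:  # long form: low 7 bits give the number of length bytes
        count = first & 0x7F
        if count == 0 or pos + count > len(buf):
            raise ValueError("bad long-form length")
        return int.from_bytes(buf[pos:pos + count], "big"), pos + count
    return first, pos  # short form


def skip_value_unbounded(buf: bytes, pos: int = 0) -> int:
    """Pre-fix pattern: one recursive call per nesting level, no limit."""
    pos = _read_tag(buf, pos)
    length, pos = _read_length(buf, pos)
    if length is not None:
        if pos + length > len(buf):
            raise ValueError("definite length overruns buffer")
        return pos + length  # definite length: skip without looking inside
    while buf[pos:pos + 2] != EOC:  # indefinite: walk children until the EOC
        pos = skip_value_unbounded(buf, pos)  # the attacker decides how deep this goes
    return pos + 2


def skip_value_bounded(buf: bytes, pos: int = 0, depth: int = 0) -> int:
    """Fixed pattern: the same walk, refusing to nest deeper than MAX_INDEF_DEPTH."""
    pos = _read_tag(buf, pos)
    length, pos = _read_length(buf, pos)
    if length is not None:
        if pos + length > len(buf):
            raise ValueError("definite length overruns buffer")
        return pos + length
    if depth >= MAX_INDEF_DEPTH:
        raise ValueError("indefinite-length nesting too deep")
    while buf[pos:pos + 2] != EOC:
        pos = skip_value_bounded(buf, pos, depth + 1)
    return pos + 2


def nested_message(depth: int) -> bytes:
    """Constructed sample: `depth` nested indefinite-length SEQUENCEs around one OCTET STRING."""
    return b"\x30\x80" * depth + b"\x04\x01A" + EOC * depth


def outcome(walker, buf: bytes) -> str:
    """Classify a walker's fate on buf: 'ok', 'rejected' or 'stack-exhausted'."""
    try:
        walker(buf)
        return "ok"
    except ValueError:
        return "rejected"
    except RecursionError:  # Python's analogue of the C process overflowing its stack
        return "stack-exhausted"


if __name__ == "__main__":
    benign, hostile = nested_message(3), nested_message(20000)  # ~80 KB, 20000 levels
    for name, walker in (("unbounded", skip_value_unbounded), ("bounded", skip_value_bounded)):
        print(f"{name:9s} benign={outcome(walker, benign):15s} hostile={outcome(walker, hostile)}")
```

Running it reports both walkers as fine on the three-level message, while the 20000-level message exhausts the unbounded walker and is rejected by the bounded one. The hostile message is about 80 KB and costs the attacker nothing to build; the defender's cost without a limit is one stack frame per two bytes, which is why a depth cap rather than a size cap is the right fix.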
💻 Affected Systems
- MIT Kerberos 5 (krb5) before 1.17.2, and 1.18.x before 1.18.3
- Any process that embeds libkrb5 and decodes Kerberos messages: the KDC (krb5kdc), kadmind, and GSSAPI/Kerberos-enabled application servers and clients
- Downstream products whose advisories list this CVE: Oracle Communications Cloud Native Core Policy, Oracle Communications Offline Mediation Controller, Oracle Communications Pricing Design Center, Fedora
📦 What is this software?
MIT Kerberos 5 (krb5) is MIT's implementation of the Kerberos network authentication protocol: the KDC daemon (krb5kdc), the administration server (kadmind), the libkrb5 and GSSAPI libraries, and client tools such as kinit and klist. Linux distributions, appliances and many commercial products ship it as their Kerberos stack, which is why vendors such as Oracle, Fedora, Debian, Gentoo and NetApp issued advisories for this CVE. The vulnerable ASN.1 decoder lives in libkrb5, so it is reached by every process that parses Kerberos messages, not only the KDC.
⚠️ Risk & Real-World Impact
Worst Case
The defect is unbounded recursion, so the realistic worst case is stack exhaustion that kills the decoding process: an unauthenticated attacker can crash the KDC with a single crafted packet and keep it down by resending, taking authentication for the whole realm offline. No memory corruption leading to code execution has been demonstrated; treat remote code execution as theoretical.
Likely Case
Denial of service (DoS) causing service crashes or resource exhaustion, disrupting Kerberos authentication and dependent services.
If Mitigated
Limited impact with proper network segmentation and monitoring; DoS may affect availability but not compromise data integrity or confidentiality.
🎯 Exploit Status
No public proof-of-concept has been released. Crafting the trigger is not hard (a Kerberos message whose ASN.1 uses deeply nested BER indefinite-length values), the KDC decodes AS-REQs from unauthenticated senders on port 88, and the same decoder sits in the authentication path of every Kerberos-enabled service, so assume exploitation is within reach of any attacker with network access to the service.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.17.2, or 1.18.3 and later (distributions often backport the fix under an older version string; check their advisories in the references)
Vendor Advisory: https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd
Restart Required: Yes (libkrb5 is a shared library; a long-running process keeps using the old copy it mapped until it is restarted)
Instructions:
1. Check the installed krb5 version and whether your distribution has already backported the fix.
2. Update to a fixed build with the package manager, e.g. on Debian/Ubuntu: apt-get update && apt-get install --only-upgrade libkrb5-3 krb5-kdc krb5-admin-server; on RHEL/CentOS/Fedora: yum update krb5-libs krb5-server.
3. Restart krb5kdc and kadmind, then every service that links libkrb5 or uses GSSAPI (e.g. sshd, sssd, rpc.gssd for NFS, httpd), or simply reboot.
🔧 Temporary Workarounds
Network Segmentation
Restrict access to the KDC and kadmind (ports 88 and 749) to trusted networks only. Kerberos uses UDP 88 by default and falls back to TCP 88 for large messages, so filter both.
iptables -A INPUT -p udp --dport 88 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp -m multiport --dports 88,749 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j DROP
iptables -A INPUT -p tcp -m multiport --dports 88,749 -j DROP
Rate Limiting
Rate limit Kerberos requests per source address to slow a crash loop driven from one host. A plain -m limit rule caps all Kerberos traffic globally and locks out legitimate clients during a flood; hashlimit keyed on source IP does not.
iptables -A INPUT -p udp --dport 88 -m hashlimit --hashlimit-name krb5 --hashlimit-mode srcip --hashlimit-upto 60/min --hashlimit-burst 120 -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -m hashlimit --hashlimit-name krb5 --hashlimit-mode srcip --hashlimit-upto 60/min --hashlimit-burst 120 -j ACCEPT
iptables -A INPUT -p udp --dport 88 -j DROP
iptables -A INPUT -p tcp --dport 88 -j DROP
Neither control protects clients or application servers that decode a malicious reply or AP-REQ, and one crafted packet within the allowed rate is still enough to crash an unpatched KDC, so treat both as exposure reduction rather than a fix.
🧯 If You Can't Patch
- Restrict Kerberos traffic to the KDC and kadmind to essential sources only, keeping in mind that this does nothing for clients and application servers that decode a malicious message from a peer.
- Watch for crashes of krb5kdc, kadmind and GSSAPI-enabled services, and for unusual Kerberos traffic volume or malformed requests, so a DoS is noticed and attributed quickly.
🔍 How to Verify
Check if Vulnerable:
Check the krb5 version with klist -V, krb5-config --version (needs the development package), dpkg -l | grep krb5, or rpm -qa | grep krb5. Upstream, anything before 1.17.2, or 1.18.x before 1.18.3, is vulnerable. Distribution packages usually keep the old version string and backport the fix, so on Debian/Ubuntu and RHEL/Fedora also check the package changelog for CVE-2020-28196 before concluding a host is vulnerable.
Check Version:
klist -V 2>/dev/null || krb5-config --version 2>/dev/null || dpkg -l | grep krb5 2>/dev/null || rpm -qa | grep krb5 2>/dev/null
rpm -q --changelog krb5-libs 2>/dev/null | grep -m1 CVE-2020-28196; zgrep -m1 CVE-2020-28196 /usr/share/doc/libkrb5-3/changelog.Debian.gz 2>/dev/null
Verify Fix Applied:
After the update, confirm the version is 1.17.2+ or 1.18.3+ (or that the changelog names CVE-2020-28196), confirm no running process still maps the old library (lsof | grep 'libkrb5.*deleted' should print nothing; otherwise restart the listed services or reboot), and test Kerberos end to end with kinit followed by kvno against a service principal you own.
📡 Detection & Monitoring
Log Indicators:
- Crashes of krb5kdc or kadmind (systemd journal: "Main process exited, code=dumped, status=11/SEGV" followed by restart-job entries, and "Start request repeated too quickly" once the restart limit is hit), and crashes of GSSAPI-enabled services (sshd, sssd, httpd) that decode Kerberos messages
- High CPU or memory usage by krb5 processes, or a KDC that keeps restarting without logging AS-REQ/TGS-REQ outcomes
- Failed authentication attempts with malformed packets in the KDC log
Network Indicators:
- Unusual volume of traffic to Kerberos ports (88/udp, 88/tcp, 749/tcp), especially many small requests from one source
- Kerberos messages using BER indefinite lengths (length byte 0x80 with 00 00 end-of-contents markers): Kerberos messages are DER-encoded, and DER forbids indefinite lengths, so any such message is suspicious
SIEM Query:
(source="journal" AND unit IN ("krb5kdc.service","kadmind.service") AND message="*Main process exited, code=dumped*") OR (process IN ("krb5kdc","kadmind") AND resource_usage>threshold)
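The "repeated crashes" indicator above, implemented over systemd journal lines. This is an added example for this page, not a krb5 or distribution tool. It parses journalctl short-format lines, keeps the times at which the Kerberos daemons died on a signal, and flags a unit that crashes at least THRESHOLD times inside WINDOW seconds; a clean exit (code=exited) is deliberately not counted. The journal lines, host name, year, THRESHOLD and WINDOW are constructed assumptions of the example; the message wording follows what systemd logs when a service is killed by a signal.

```python
"""Crash-burst detector for krb5kdc/kadmind over systemd journal lines.

Added example for this page, not a krb5 or distribution tool. It implements
the "repeated crashes" indicator: parse journal lines, keep the times of
signal deaths of the Kerberos daemons, and flag a unit that crashes at least
THRESHOLD times inside WINDOW seconds. SAMPLE_JOURNAL is constructed for the
example; the message text follows systemd's wording for a service killed by
a signal, but host, times and counts are invented.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

UNITS = ("krb5kdc.service", "kadmind.service")
THRESHOLD = 3   # crashes within WINDOW that count as a burst (assumed tuning)
WINDOW = 300    # seconds (assumed tuning)

# journalctl short format: "Mon DD HH:MM:SS host systemd[pid]: unit: message"
_EXIT = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ systemd\[\d+\]: "
    r"(?P<unit>\S+): Main process exited, code=(?P<code>\w+), status=(?P<status>\S+)$"
)

# Constructed sample: three KDC crashes in 74 s, one clean kadmind stop, one lone kadmind crash.
SAMPLE_JOURNAL = [
    "Nov 05 10:00:01 kdc1 systemd[1]: krb5kdc.service: Main process exited, code=dumped, status=11/SEGV",
    "Nov 05 10:00:01 kdc1 systemd[1]: krb5kdc.service: Failed with result 'core-dump'.",
    "Nov 05 10:00:02 kdc1 systemd[1]: krb5kdc.service: Scheduled restart job, restart counter is at 1.",
    "Nov 05 10:00:40 kdc1 systemd[1]: krb5kdc.service: Main process exited, code=dumped, status=11/SEGV",
    "Nov 05 10:01:15 kdc1 systemd[1]: krb5kdc.service: Main process exited, code=dumped, status=11/SEGV",
    "Nov 05 10:30:00 kdc1 systemd[1]: kadmind.service: Main process exited, code=exited, status=0/SUCCESS",
    "Nov 05 11:00:00 kdc1 systemd[1]: kadmind.service: Main process exited, code=dumped, status=11/SEGV",
]


def parse_crash(line: str, year: int = 2020):
    """Return (unit, timestamp) for a Kerberos daemon dying on a signal, else None.

    The journal's short format carries no year, so one is supplied (assumed here).
    """
    m = _EXIT.match(line)
    if not m or m.group("unit") not in UNITS:
        return None
    if m.group("code") not in ("dumped", "killed"):  # code=exited is a clean stop, not a crash
        return None
    ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
    return m.group("unit"), ts


def crash_bursts(lines, threshold=THRESHOLD, window=WINDOW):
    """Map each unit that reached `threshold` crashes within `window` seconds to the time it did."""
    recent = defaultdict(deque)  # unit -> crash timestamps still inside the sliding window
    alerts = {}
    for line in lines:
        parsed = parse_crash(line)
        if parsed is None:
            continue
        unit, ts = parsed
        q = recent[unit]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window:  # drop crashes older than the window
            q.popleft()
        if len(q) >= threshold and unit not in alerts:
            alerts[unit] = ts
    return alerts


if __name__ == "__main__":
    for unit, when in crash_bursts(SAMPLE_JOURNAL).items():
        print(f"ALERT {unit}: {THRESHOLD}+ crashes within {WINDOW}s, last at {when}")
```

On the sample lines only krb5kdc.service is flagged, at the third crash; kadmind's clean exit is ignored and its single crash stays below the threshold. Feed it journalctl -u krb5kdc -u kadmind --no-pager output in production, and lower THRESHOLD on a KDC, where even two unexplained segfaults in a day deserve a look.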
🔗 References
- https://github.com/krb5/krb5/commit/57415dda6cf04e73ffc3723be518eddfae599bfd
- https://lists.apache.org/thread.html/r58af02e294bd07f487e2c64ffc0a29b837db5600e33b6e698b9d696b%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.apache.org/thread.html/rf4c02775860db415b4955778a131c2795223f61cb8c6a450893651e4%40%3Cissues.bookkeeper.apache.org%3E
- https://lists.debian.org/debian-lts-announce/2020/11/msg00011.html
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/45KKOZQWIIIW5C45PJVGQ32AXBSYNBE7/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/73IGOG6CZAVMVNS4GGRMOLOZ7B6QVA7F/
- https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KPH2V3WSQTELROZK3GFCPQDOFLKIZ6H5/
- https://security.gentoo.org/glsa/202011-17
- https://security.netapp.com/advisory/ntap-20201202-0001/
- https://security.netapp.com/advisory/ntap-20210513-0002/
- https://www.debian.org/security/2020/dsa-4795
- https://www.oracle.com//security-alerts/cpujul2021.html
- https://www.oracle.com/security-alerts/cpuApr2021.html
- https://www.oracle.com/security-alerts/cpuapr2022.html