CVE-2023-39975
📋 TL;DR
CVE-2023-39975 is a double-free vulnerability in MIT Kerberos 5's Key Distribution Center (KDC) that allows authenticated users to potentially execute arbitrary code or cause denial of service by triggering authorization-data handling failures. This affects organizations running vulnerable versions of MIT Kerberos 5 (krb5) as a KDC server. The vulnerability requires authenticated access but can lead to complete system compromise.
💻 Affected Systems
- MIT Kerberos 5 (krb5)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution with SYSTEM/root privileges leading to complete KDC compromise, domain takeover, and credential theft across the Kerberos realm.
Likely Case
KDC crash causing denial of service for Kerberos authentication across the entire domain, disrupting all dependent services.
If Mitigated
Limited impact due to network segmentation, proper authentication controls, and monitoring that detects exploitation attempts.
🎯 Exploit Status
Requires authenticated user access and ability to trigger specific authorization-data handling failures. The double-free occurs during ticket copying operations.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.21.2 or later
Vendor Advisory: https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840
Restart Required: Yes
Instructions:
1. Download krb5-1.21.2 or later from https://web.mit.edu/kerberos/dist/.
2. Stop the KDC service.
3. Install the updated version following platform-specific instructions.
4. Restart the KDC service.
5. Verify the patch is applied.
🔧 Temporary Workarounds
Restrict KDC Access
Limit which users can authenticate to the KDC and which systems can communicate with it.
# Configure firewall rules to restrict KDC access
iptables -A INPUT -p tcp --dport 88 -s trusted_network -j ACCEPT
iptables -A INPUT -p udp --dport 88 -s trusted_network -j ACCEPT
iptables -A INPUT -p tcp --dport 88 -j DROP
iptables -A INPUT -p udp --dport 88 -j DROP
🧯 If You Can't Patch
- Implement strict network segmentation to isolate KDC servers from general user networks
- Enhance monitoring of KDC logs for authorization failures and implement alerting for unusual patterns
🔍 How to Verify
Check if Vulnerable:
Check the krb5 version with krb5-config --version or examine the installed package version. If the version is 1.21 through 1.21.1 and the KDC service is running, the system is vulnerable.
Check Version:
krb5-config --version 2>/dev/null || rpm -q krb5-server 2>/dev/null || dpkg -l | grep krb5-kdc 2>/dev/null || find /usr -name 'libkrb5*' -exec strings {} \; 2>/dev/null | grep -i 'krb5 1\.21\.'
Verify Fix Applied:
Verify version is 1.21.2 or later and KDC service is running without crashes after applying patch.
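As an added example (not part of this advisory or of the krb5 project), the following POSIX shell check classifies a version string against the affected range 1.21 <= v < 1.21.2. It assumes the usual `krb5-config --version` output format, "Kerberos 5 release X.Y.Z", and treats a missing patch level as 0.

```shell
#!/bin/sh
# Added example (not from the advisory or the krb5 project): classify a krb5
# version string against the CVE-2023-39975 affected range, 1.21 <= v < 1.21.2.
# Input may be the raw output of `krb5-config --version`
# ("Kerberos 5 release 1.21.1") or a bare version such as "1.21".

# Print the first token of the form major.minor[.patch] found in the argument.
# Requires at least one dot so that the "5" in "Kerberos 5" is not mistaken
# for a version.
krb5_extract_version() {
    printf '%s\n' "$1" |
        awk '{ for (i = 1; i <= NF; i++)
                   if ($i ~ /^[0-9]+(\.[0-9]+)+$/) { print $i; exit } }'
}

# Exit status: 0 = vulnerable, 1 = not affected, 2 = version not parseable.
krb5_vulnerable() {
    v=$(krb5_extract_version "$1")
    [ -n "$v" ] || return 2
    # Split on "." into major/minor/patch; a missing patch level counts as 0.
    oldifs=$IFS; IFS=.
    set -- $v
    IFS=$oldifs
    major=$1; minor=${2:-0}; patch=${3:-0}
    if [ "$major" -eq 1 ] && [ "$minor" -eq 21 ] && [ "$patch" -lt 2 ]; then
        return 0
    fi
    return 1
}

# Run the check against the locally installed krb5 when krb5-config exists.
# Always returns 0 so the file can be sourced; the verdict is printed.
report_installed_krb5() {
    if ! command -v krb5-config >/dev/null 2>&1; then
        echo "krb5-config not found; check the package manager instead"
        return 0
    fi
    out=$(krb5-config --version 2>/dev/null)
    rc=0; krb5_vulnerable "$out" || rc=$?
    case $rc in
        0) echo "VULNERABLE by version: $out (upgrade to 1.21.2 or later)" ;;
        1) echo "not affected by version: $out" ;;
        *) echo "could not parse version from: $out" ;;
    esac
    return 0
}

report_installed_krb5
```

Distribution packages often backport the fix without changing the upstream version string, so a "VULNERABLE" verdict from this check should be confirmed against the package changelog or the vendor advisory before acting on it.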
📡 Detection & Monitoring
Log Indicators:
- Multiple authorization-data handling failures in KDC logs
- KDC process crashes or restarts
- Unusual ticket copying operations
Network Indicators:
- Multiple failed TGS requests from single source
- Abnormal patterns in Kerberos traffic to port 88/tcp or 88/udp
SIEM Query:
source="kdc.log" AND ("authorization-data failure" OR "do_tgs_req error" OR "double free")
🔗 References
- https://github.com/krb5/krb5/commit/88a1701b423c13991a8064feeb26952d3641d840
- https://github.com/krb5/krb5/compare/krb5-1.21.1-final...krb5-1.21.2-final
- https://security.netapp.com/advisory/ntap-20230915-0014/
- https://security.netapp.com/advisory/ntap-20240201-0005/
- https://security.netapp.com/advisory/ntap-20240201-0008/
- https://web.mit.edu/kerberos/www/advisories/