CVE-2024-37370

7.5 HIGH

📋 TL;DR

This vulnerability in MIT Kerberos 5 allows an attacker to modify the plaintext Extra Count field of a GSS krb5 wrap token so that the receiving application gets a truncated unwrapped token. It affects all systems using vulnerable versions of MIT Kerberos 5 (krb5) for authentication. The manipulation can lead to authentication bypass or denial of service.

💻 Affected Systems

Products:
  • MIT Kerberos 5 (krb5)
Versions: All versions before 1.21.3
Operating Systems: All operating systems using vulnerable krb5 libraries
Default Config Vulnerable: ⚠️ Yes
Notes: Affects any application or service using GSS krb5 wrap tokens with confidentiality enabled.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Authentication bypass allowing unauthorized access to protected resources or services that rely on Kerberos authentication.

🟠 Likely Case

Denial of service where applications fail to properly process truncated tokens, disrupting authentication flows.

🟢 If Mitigated

Limited impact if token integrity validation is enforced elsewhere in the application stack.

🌐 Internet-Facing: MEDIUM - Exploitation requires network access to Kerberos services, but authentication is typically internal.
🏢 Internal Only: HIGH - Kerberos is widely used in internal enterprise networks for authentication between services.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploitation requires ability to intercept and modify Kerberos tokens in transit, typically requiring some level of network access.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.21.3 and later

Vendor Advisory: https://web.mit.edu/kerberos/www/advisories/

Restart Required: Yes

Instructions:

1. Download krb5 1.21.3 or later from the MIT Kerberos website.
2. Compile and install according to platform instructions.
3. Restart all services using Kerberos libraries.

🔧 Temporary Workarounds

Disable GSS krb5 wrap token confidentiality (applies to: all)

  • Configure applications to not use confidentiality mode for GSS krb5 wrap tokens
  • Application-specific configuration changes required

🧯 If You Can't Patch

  • Implement network segmentation to restrict access to Kerberos services
  • Monitor for unusual authentication patterns or token manipulation attempts

🔍 How to Verify

Check if Vulnerable:

Check the krb5 version with krb5-config --version, or with strings /path/to/libkrb5.so | grep krb5-1. if krb5-config is unavailable.

Check Version:

krb5-config --version 2>/dev/null || strings /usr/lib*/libkrb5.so* 2>/dev/null | grep 'krb5-1\.[0-9]' | head -1

Verify Fix Applied:

Verify that the installed version is 1.21.3 or higher using the same version-check commands.
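As an added example (not part of this advisory page), a POSIX shell script that pulls the version out of either check command's output and compares it against the fixed release 1.21.3; the function names and the fail-closed handling of an unparseable version are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the advisory: decide whether an installed krb5
# version is below the fixed release 1.21.3 for CVE-2024-37370.
FIXED_VERSION="1.21.3"

# Pull a dotted version such as 1.21.2 out of a line like
# "Kerberos 5 release 1.21.2" (krb5-config) or "krb5-1.21.2" (strings hit).
extract_krb5_version() {
  printf '%s\n' "$1" | grep -o '[0-9][0-9]*\.[0-9][0-9]*\(\.[0-9][0-9]*\)*' | head -1
}

# Numeric field N of a dotted version; missing or empty fields count as 0,
# so an unparseable version compares as 0.0.0 and is reported as vulnerable.
version_field() {
  f=$(printf '%s.0.0.0' "$1" | cut -d. -f"$2")
  printf '%s' "${f:-0}"
}

# Compare two dotted versions field by field; prints -1, 0 or 1.
version_cmp() {
  i=1
  while [ "$i" -le 3 ]; do
    x=$(version_field "$1" "$i"); y=$(version_field "$2" "$i")
    [ "$x" -lt "$y" ] && { printf '%s\n' -1; return 0; }
    [ "$x" -gt "$y" ] && { printf '%s\n' 1; return 0; }
    i=$((i + 1))
  done
  printf '%s\n' 0
}

# True (exit 0) when the version is older than the fixed release.
krb5_is_vulnerable() {
  [ "$(version_cmp "$1" "$FIXED_VERSION")" -eq -1 ]
}

# Check the live system when krb5-config is available.
if command -v krb5-config >/dev/null 2>&1; then
  v=$(extract_krb5_version "$(krb5-config --version)")
  if krb5_is_vulnerable "$v"; then
    echo "krb5 ${v:-unknown}: vulnerable to CVE-2024-37370, upgrade to $FIXED_VERSION or later"
  else
    echo "krb5 $v: fixed"
  fi
fi
```

Run it with sh on the host; on a system without krb5-config, feed the strings(1) hit to extract_krb5_version and krb5_is_vulnerable yourself.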

📡 Detection & Monitoring

Log Indicators:

  • Failed GSS authentication attempts
  • Unexpected token length errors in application logs
  • Kerberos KDC error logs showing malformed tokens

Network Indicators:

  • Unusual Kerberos traffic patterns
  • Modified GSS tokens in network captures

SIEM Query:

source="kerberos_logs" AND (error OR failed OR malformed) AND token

🔗 References
