oss-sec mailing list archives
Re: Insecure DNS dependency in many Kerberos deployments
From: Russ Allbery <eagle () eyrie org>
Date: Wed, 16 Aug 2017 10:52:54 -0700
Florian Weimer <fweimer () redhat com> writes:
> As a rule of thumb, the impact is similar to running TLS with CA-based certificate validation, but without host name checks (but perhaps slightly less because the trust domains could be much smaller).
I think this overstates the impact somewhat. This is more worrisome with TLS because for most TLS applications there is a single global trust domain with certificates issued by dozens or hundreds of parties and no organizational scoping. This is *not* the case for Kerberos. To exploit this flaw in Kerberos, the attacker has to be able to control service principals (for the same target service with a different hostname) within the same Kerberos realm (or, in some circumstances, one reachable by cross-realm trust). This is a much higher bar to meet, and in a lot of organizations this bar cannot be easily met by an attacker. The attack is definitely possible, and the Kerberos community has been aware of this problem for a long time (there are a lot of difficult issues involved in closing it, but everyone has wanted to close it), but it's not as exploitable as the TLS equivalent (at least in the absence of organizational cert pinning).
> The Kerberos client library enables this canonicalization by default:
>
>     dns_canonicalize_hostname
>         Indicate whether name lookups will be used to canonicalize hostnames for use in service principal names. Setting this flag to false can improve security by reducing reliance on DNS, but means that short hostnames will not be canonicalized to fully-qualified hostnames. The default value is true.
>
>     rdns
>         If this flag is true, reverse name lookup will be used in addition to forward name lookup to canonicalizing hostnames for use in service principal names. If dns_canonicalize_hostname is set to false, this flag has no effect. The default value is true.
For the record, those are settings for *a* Kerberos client library, not *the* Kerberos client library (specifically, the MIT Kerberos implementation). Heimdal does not use those settings, and there are other Kerberos implementations as well.

-- 
Russ Allbery (eagle () eyrie org) <http://www.eyrie.org/~eagle/>
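The two MIT krb5 settings quoted above (`dns_canonicalize_hostname` and `rdns`, both defaulting to true) are easy to audit mechanically. The following is an added example, not code from this thread or from the MIT Kerberos project: it parses the flat keys of a `krb5.conf` `[libdefaults]` section and reports which DNS-based hostname rewrites a client would still perform. The two sample configurations are constructed here (one leaving the defaults in place, one setting both flags to false); the set of accepted boolean spellings is an assumption about how libkrb5 reads the profile, and the effective-value logic follows the quoted documentation (rdns has no effect once dns_canonicalize_hostname is false).

```python
"""Audit an MIT-style krb5.conf for DNS-dependent hostname canonicalization.

Added example; not part of the original mail or of MIT Kerberos.
"""
import re

# Constructed sample configs (not taken from the thread).
WEAK_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    # canonicalization flags left at their defaults: DNS is consulted

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

HARDENED_KRB5_CONF = """\
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_canonicalize_hostname = false
    rdns = false

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""

# Defaults as documented in the quoted MIT krb5 text: both true.
DEFAULTS = {"dns_canonicalize_hostname": True, "rdns": True}

# Assumption: spellings libkrb5 treats as boolean true in profile values.
TRUE_WORDS = {"true", "yes", "y", "t", "1", "on"}


def parse_libdefaults(text):
    """Return the flat 'key = value' pairs found in [libdefaults].

    Nested '{ ... }' relation groups are skipped, since the two flags of
    interest are top-level keys; keys are lowercased, comments stripped.
    """
    section, depth, settings = None, 0, {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        header = re.match(r"^\[(\w+)\]$", line)
        if header:
            section, depth = header.group(1).lower(), 0
            continue
        if section != "libdefaults":
            continue
        if "{" in line:
            depth += 1
            continue
        if "}" in line:
            depth -= 1
            continue
        if depth == 0 and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip().lower()] = value.strip()
    return settings


def to_bool(value, default):
    """Interpret a profile value as a boolean, falling back to the default."""
    if value is None:
        return default
    return value.strip().lower() in TRUE_WORDS


def effective_canonicalization(text):
    """Compute the effective flags, including the documented rdns dependency."""
    s = parse_libdefaults(text)
    dns = to_bool(s.get("dns_canonicalize_hostname"),
                  DEFAULTS["dns_canonicalize_hostname"])
    # Per the quoted doc, rdns has no effect when forward canonicalization is off.
    rdns = dns and to_bool(s.get("rdns"), DEFAULTS["rdns"])
    return {"dns_canonicalize_hostname": dns, "rdns": rdns}


def findings(text):
    """List the DNS dependencies a client with this config would still have."""
    eff = effective_canonicalization(text)
    out = []
    if eff["dns_canonicalize_hostname"]:
        out.append("forward DNS lookups rewrite service hostnames "
                   "(dns_canonicalize_hostname is true)")
    if eff["rdns"]:
        out.append("reverse DNS lookups also rewrite service hostnames "
                   "(rdns is true)")
    return out


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_KRB5_CONF), ("hardened", HARDENED_KRB5_CONF)):
        print(f"{label}: {findings(conf) or ['no DNS-based canonicalization']}")
```

Pointing `findings()` at a real client's `/etc/krb5.conf` shows whether it still trusts DNS answers when building service principal names; the hardened sample is what the quoted documentation describes as the more secure setting, at the cost of short hostnames no longer being expanded to fully-qualified names.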