// For flags

CVE-2015-2694

krb5: issues in OTP and PKINIT kdcpreauth modules leading to requires_preauth bypass

Severity Score

5.9
*CVSS v3

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

The kdcpreauth modules in MIT Kerberos 5 (aka krb5) 1.12.x and 1.13.x before 1.13.2 do not properly track whether a client's request has been validated, which allows remote attackers to bypass an intended preauthentication requirement by providing (1) zero bytes of data or (2) an arbitrary realm name, related to plugins/preauth/otp/main.c and plugins/preauth/pkinit/pkinit_srv.c.

Los módulos kdcpreauth en MIT Kerberos 5 (también conocido como krb5) 1.12.x y 1.13.x anterior a 1.13.2 no rastrea correctamente si la solicitud de un cliente ha sido validada, lo que permite a atacantes remotos evadir un requisito de preautenticación mediante la provisión de (1) cero bytes de datos o (2) un nombre de ámbito (realm) arbitrario, relacionado con plugins/preauth/otp/main.c y plugins/preauth/pkinit/pkinit_srv.c.

A flaw was found in the OTP kdcpreauth module of MIT Kerberos. A remote attacker could use this flaw to bypass the requires_preauth flag on a client principal and obtain a ciphertext encrypted in the principal's long-term key. This ciphertext could be used to conduct an off-line dictionary attack against the user's password.

Kerberos is a network authentication system, which can improve the security of your network by eliminating the insecure practice of sending passwords over the network in unencrypted form. It allows clients and servers to authenticate to each other with the help of a trusted third party, the Kerberos key distribution center. It was found that the krb5_read_message() function of MIT Kerberos did not correctly sanitize input, and could create invalid krb5_data objects. A remote, unauthenticated attacker could use this flaw to crash a Kerberos child process via a specially crafted request.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
Attack Vector
Network
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
None
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2015-03-24 CVE Reserved
  • 2015-05-25 CVE Published
  • 2024-08-06 CVE Updated
  • 2025-05-20 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-264: Permissions, Privileges, and Access Controls
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Mit
Search vendor "Mit"
 Kerberos 5
Search vendor "Mit" for product "Kerberos 5"
 1.12
Search vendor "Mit" for product "Kerberos 5" and version "1.12"
-
Affected
Mit
Search vendor "Mit"
 Kerberos 5
Search vendor "Mit" for product "Kerberos 5"
 1.12.1
Search vendor "Mit" for product "Kerberos 5" and version "1.12.1"
-
Affected
Mit
Search vendor "Mit"
 Kerberos 5
Search vendor "Mit" for product "Kerberos 5"
 1.12.2
Search vendor "Mit" for product "Kerberos 5" and version "1.12.2"
-
Affected
Mit
Search vendor "Mit"
 Kerberos 5
Search vendor "Mit" for product "Kerberos 5"
 1.12.3
Search vendor "Mit" for product "Kerberos 5" and version "1.12.3"
-
Affected
Mit
Search vendor "Mit"
 Kerberos 5
Search vendor "Mit" for product "Kerberos 5"
 1.13
Search vendor "Mit" for product "Kerberos 5" and version "1.13"
-
Affected
Mit
Search vendor "Mit"
 Kerberos 5
Search vendor "Mit" for product "Kerberos 5"
 1.13.1
Search vendor "Mit" for product "Kerberos 5" and version "1.13.1"
-
Affected