SB2019071131 - Key management errors in heimdal (Alpine package)
Published: July 11, 2019
Description
This security bulletin contains information about 1 security vulnerability.
1) Key management errors (CVE-ID: CVE-2019-12098)
The vulnerability allows a remote attacker to perform a Man-in-the-Middle (MitM) attack against the Kerberos client.
The vulnerability exists because the Heimdal client does not verify the PA-PKINIT-KX key exchange element when it obtains an anonymous ticket via PKINIT. RFC 8062 requires the client to check that the KDC returned PA-PKINIT-KX (the KDC's contribution to the reply key) and to combine that contribution into the reply key with KRB-FX-CF2; the affected code in the krb5_init_creds_step() function in lib/krb5/init_creds_pw.c omits this check and accepts a reply without it. A remote attacker positioned between the client and the KDC can therefore perform a MitM attack against the Heimdal client.
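The following Python model illustrates the missing client-side check. It is an added example, not code from this bulletin or from Heimdal's source: the pre-authentication type numbers (17 for PA-PK-AS-REP, 147 for PA-PKINIT-KX) are the real IANA values, but the function names, the ClientState structure and the sample reply are constructed for illustration, and HMAC-SHA256 stands in for the enctype PRF+ of KRB-FX-CF2 and for the Kerberos encryption of the PA-PKINIT-KX payload so that it runs with the standard library alone.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Callable, List, Optional

# Pre-authentication data type numbers (RFC 4556 for PKINIT, RFC 8062 for
# anonymous Kerberos). Only the two the example needs are listed.
PA_PK_AS_REP = 17     # KDC's PKINIT reply, carries the DH public value
PA_PKINIT_KX = 147    # KDC contribution key, encrypted under the DH reply key


@dataclass
class PaData:
    """One PA-DATA element of an AS-REP, already decoded from ASN.1."""
    padata_type: int
    padata_value: bytes


@dataclass
class ClientState:
    """Hypothetical record of what the client must remember about its request."""
    anonymous: bool        # the "anonymous" KDC option was requested
    pkinit_dh: bool        # PKINIT with Diffie-Hellman was the preauth used
    dh_reply_key: bytes    # reply key derived from the DH exchange alone


class ReplyRejected(Exception):
    pass


def prf_stand_in(key: bytes, label: bytes) -> bytes:
    # Stand-in for the enctype PRF+ used by KRB-FX-CF2 (RFC 6113).
    return hmac.new(key, label, hashlib.sha256).digest()


def krb_fx_cf2(k1: bytes, k2: bytes, pepper1: bytes, pepper2: bytes) -> bytes:
    """Model of KRB-FX-CF2: a key that requires knowledge of both inputs."""
    a = prf_stand_in(k1, pepper1)
    b = prf_stand_in(k2, pepper2)
    return bytes(x ^ y for x, y in zip(a, b))


def decrypt_kx(dh_reply_key: bytes, encrypted: bytes) -> bytes:
    # PA-PKINIT-KX carries the KDC contribution key encrypted under the reply
    # key; a keystream XOR stands in for the Kerberos encryption here.
    keystream = prf_stand_in(dh_reply_key, b"pkinit-kx-stand-in")
    return bytes(x ^ y for x, y in zip(encrypted, keystream))


def encrypt_kx(dh_reply_key: bytes, contribution: bytes) -> bytes:
    # The keystream XOR is its own inverse; used to build a sample KDC reply.
    return decrypt_kx(dh_reply_key, contribution)


def find_padata(padata: List[PaData], padata_type: int) -> Optional[PaData]:
    for pa in padata:
        if pa.padata_type == padata_type:
            return pa
    return None


def reply_key_vulnerable(state: ClientState, padata: List[PaData]) -> bytes:
    """Behaviour the advisory describes: the KDC contribution is mixed in when
    present, but its absence in an anonymous reply is never treated as an error,
    so a reply with the element stripped is accepted with the bare DH key."""
    kx = find_padata(padata, PA_PKINIT_KX)
    if kx is None:
        return state.dh_reply_key
    contribution = decrypt_kx(state.dh_reply_key, kx.padata_value)
    return krb_fx_cf2(state.dh_reply_key, contribution, b"PKINIT", b"KEYEXCHANGE")


def reply_key_fixed(state: ClientState, padata: List[PaData]) -> bytes:
    """RFC 8062 section 4.2: for an anonymous ticket obtained with DH-based
    PKINIT the client MUST require PA-PKINIT-KX and derive the reply key as
    KRB-FX-CF2(reply key, KDC contribution, "PKINIT", "KEYEXCHANGE")."""
    kx = find_padata(padata, PA_PKINIT_KX)
    if state.anonymous and state.pkinit_dh and kx is None:
        raise ReplyRejected("anonymous PKINIT reply without PA-PKINIT-KX")
    if kx is None:
        return state.dh_reply_key
    contribution = decrypt_kx(state.dh_reply_key, kx.padata_value)
    return krb_fx_cf2(state.dh_reply_key, contribution, b"PKINIT", b"KEYEXCHANGE")


def accepts(check: Callable[[ClientState, List[PaData]], bytes],
            state: ClientState, padata: List[PaData]) -> bool:
    """True when `check` derives a reply key, False when it rejects the reply."""
    try:
        check(state, padata)
        return True
    except ReplyRejected:
        return False


if __name__ == "__main__":
    # Constructed sample: an anonymous PKINIT request and two KDC replies, one
    # complete and one with PA-PKINIT-KX stripped by an on-path attacker.
    state = ClientState(anonymous=True, pkinit_dh=True, dh_reply_key=bytes(range(32)))
    contribution = bytes([0xAB]) * 32
    complete = [PaData(PA_PK_AS_REP, b"dh-reply"),
                PaData(PA_PKINIT_KX, encrypt_kx(state.dh_reply_key, contribution))]
    stripped = [PaData(PA_PK_AS_REP, b"dh-reply")]
    print("vulnerable accepts stripped reply:", accepts(reply_key_vulnerable, state, stripped))
    print("fixed accepts stripped reply:     ", accepts(reply_key_fixed, state, stripped))
    print("fixed accepts complete reply:     ", accepts(reply_key_fixed, state, complete))
```

The point of the check is that the reply key for an anonymous ticket must depend on a value only the KDC can supply, not on the Diffie-Hellman exchange alone; a client that silently falls back to the DH key when the element is missing gives up that guarantee.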
Remediation
Install the updated heimdal package from the Alpine repositories (the aports commits listed under References carry the fix), for example with `apk update && apk upgrade heimdal`, then restart any services linked against the Heimdal libraries.
References
- https://git.alpinelinux.org/aports/commit/?id=5949036164c597352ded38bcb5386cc5e4ea273b
- https://git.alpinelinux.org/aports/commit/?id=7f6e6b03d2536a389bb79a29915bd3a8fe881517
- https://git.alpinelinux.org/aports/commit/?id=c29e49eb3beddab5fba37d37713486319c12df8c
- https://git.alpinelinux.org/aports/commit/?id=e8ebbb3123154e0d2dfd574d9eea59dd51ffe205