[Bug 1981697] [NEW] KDC: weak crypto in default settings
Thomas Dreibholz
1981697 at bugs.launchpad.net
Thu Jul 14 10:49:34 UTC 2022
*** This bug is a security vulnerability ***
Public security bug reported:
Default setting in /etc/krb5kdc/kdc.conf, as installed from krb5-kdc in Ubuntu 22.04 Server:
master_key_type = des3-hmac-sha1
3DES was deprecated by NIST in 2017, i.e. five years ago! Reference:
https://csrc.nist.gov/News/2017/Update-to-Current-Use-and-Deprecation-of-TDEA
This should not have been a default for a very long time, and
particularly not for new installations. If compatibility with out-of-
date installations is necessary, this should be explicitly made by the
administrator.
SHA-1 was deprecated as well, in 2011, i.e. eleven years ago! Reference:
https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-131a.pdf
A reasonable default would probably be:
master_key_type = aes256-cts-hmac-sha384-192
ProblemType: Bug
DistroRelease: Ubuntu 22.04
Package: krb5-kdc 1.19.2-2
ProcVersionSignature: Ubuntu 5.15.0-40.43-generic 5.15.35
Uname: Linux 5.15.0-40-generic x86_64
ApportVersion: 2.20.11-0ubuntu82.1
Architecture: amd64
CasperMD5CheckResult: pass
Date: Thu Jul 14 12:34:22 2022
InstallationDate: Installed on 2022-05-30 (45 days ago)
InstallationMedia: Ubuntu-Server 22.04 LTS "Jammy Jellyfish" - Release amd64 (20220421)
ProcEnviron:
TERM=xterm-256color
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=en_IE.UTF-8
SHELL=/bin/bash
SourcePackage: krb5
UpgradeStatus: No upgrade log present (probably fresh install)
** Affects: krb5 (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug jammy uec-images
** Information type changed from Private Security to Public Security
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to krb5 in Ubuntu.
https://bugs.launchpad.net/bugs/1981697
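Added example, not part of the bug report and not code from the krb5 project or the Ubuntu package: a small audit script for the kdc.conf profile format that flags the setting the report quotes and rewrites it to the suggested value. It goes a little beyond the report: besides master_key_type it also checks the realm's supported_enctypes list, and it treats the whole deprecated families (single DES per RFC 6649, 3DES and RC4 per RFC 8429) as findings, not only des3-hmac-sha1. The sample configuration inside the block is constructed for the example, modelled on the setting quoted above; it is not a verbatim copy of the packaged file.

```python
import re

# Enctype families deprecated for Kerberos: single DES (RFC 6649), 3DES and
# RC4 (RFC 8429). Prefix matching also catches aliases such as
# des3-hmac-sha1 (= des3-cbc-sha1) and rc4-hmac (= arcfour-hmac).
DEPRECATED_PREFIXES = ("des-", "des3-", "arcfour-", "rc4-")

# Replacement proposed in the report: AES-256 with HMAC-SHA-384 (RFC 8009).
RECOMMENDED = "aes256-cts-hmac-sha384-192"

# Constructed sample modelled on the reported default; not the packaged file.
SAMPLE_KDC_CONF = """\
[kdcdefaults]
    kdc_ports = 750,88

[realms]
    EXAMPLE.COM = {
        database_name = /var/lib/krb5kdc/principal
        key_stash_file = /etc/krb5kdc/stash
        master_key_type = des3-hmac-sha1
        supported_enctypes = aes256-cts:normal arcfour-hmac-md5:normal
        default_principal_flags = +preauth
    }
"""


def is_deprecated(enctype):
    """True when the enctype (or alias) belongs to a deprecated family."""
    return enctype.lower().startswith(DEPRECATED_PREFIXES)


def parse_profile(text):
    """Parse the krb5 profile format: [section] headers, key = value lines
    and nested 'name = {' ... '}' blocks, which become nested dicts."""
    sections = {}
    stack = []  # dicts currently being filled, innermost last
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        header = re.fullmatch(r"\[([^\]]+)\]", line)
        if header:
            stack = [sections.setdefault(header.group(1), {})]
            continue
        if not stack:
            raise ValueError(f"entry outside any section: {line!r}")
        if line == "}":
            stack.pop()
            continue
        key, _, value = line.partition("=")
        key, value = key.strip(), value.strip()
        if value == "{":
            block = {}
            stack[-1][key] = block
            stack.append(block)
        else:
            stack[-1][key] = value
    return sections


def audit_kdc_conf(text):
    """Return (location, enctype, reason) for each deprecated enctype found
    in a realm's master_key_type or supported_enctypes."""
    findings = []
    for realm, conf in parse_profile(text).get("realms", {}).items():
        if not isinstance(conf, dict):
            continue
        mk = conf.get("master_key_type", "")
        if is_deprecated(mk):
            findings.append((f"[realms] {realm} master_key_type", mk,
                             f"deprecated family; use {RECOMMENDED}"))
        # supported_enctypes holds enctype:salttype pairs
        for pair in conf.get("supported_enctypes", "").split():
            enctype = pair.split(":", 1)[0]
            if is_deprecated(enctype):
                findings.append((f"[realms] {realm} supported_enctypes",
                                 enctype, "deprecated family; remove"))
    return findings


def harden(text):
    """Rewrite the file text: a deprecated master_key_type becomes RECOMMENDED
    and deprecated pairs are dropped from supported_enctypes. Only the text
    changes; an existing database keeps its old master key until rolled over."""
    out = []
    for raw in text.splitlines():
        m = re.match(r"(\s*)(master_key_type|supported_enctypes)\s*=\s*(.*?)\s*$", raw)
        if not m:
            out.append(raw)
            continue
        indent, key, value = m.groups()
        if key == "master_key_type":
            if is_deprecated(value):
                value = RECOMMENDED
        else:
            kept = [p for p in value.split() if not is_deprecated(p.split(":", 1)[0])]
            value = " ".join(kept) or f"{RECOMMENDED}:normal"
        out.append(f"{indent}{key} = {value}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for location, enctype, reason in audit_kdc_conf(SAMPLE_KDC_CONF):
        print(f"{location}: {enctype} ({reason})")
    print(harden(SAMPLE_KDC_CONF))
```

Two caveats when applying this to a real KDC. First, editing master_key_type in kdc.conf does not change the key an existing database is encrypted under; per the MIT krb5 administration documentation the master key has to be rolled over with kdb5_util (add_mkey -s to create and stash a key of the new type, use_mkey to activate it, update_princ_encryption to re-encrypt principal entries, then purge_mkeys), and likewise supported_enctypes only affects keys generated from then on, so existing principals keep their old keys until they are rekeyed. Second, the script deliberately leaves the aes*-cts-hmac-sha1-96 types (aliases such as aes256-cts) alone: RFC 8429 deprecates 3DES and RC4 but not the SHA-1-based AES enctypes, so whether to migrate those to the RFC 8009 SHA-2 types is a policy decision rather than a deprecation finding.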