{"timestamp":"2024-11-15T16:12:34.390288Z","id":"CVE-2020-17049","options":[{"exploitation":"none"},{"automatable":"no"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}

[{"vendor":"Microsoft","product":"Windows Server 2019","cpes":["cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2061:*:*:*:*:*:*:*"],"platforms":["x64-based Systems"],"versions":[{"version":"10.0.0","lessThan":"10.0.17763.2061","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"Windows Server 2019 (Server Core installation)","cpes":["cpe:2.3:o:microsoft:windows_server_2019:10.0.17763.2061:*:*:*:*:*:*:*"],"platforms":["x64-based Systems"],"versions":[{"version":"10.0.0","lessThan":"10.0.17763.2061","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"Windows Server, version 1909 (Server Core installation)","cpes":["cpe:2.3:o:microsoft:windows_server_1909:*:*:*:*:*:*:*:*"],"platforms":["x64-based Systems"],"versions":[{"version":"10.0.0","lessThan":"publication","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"Windows Server, version 1903 (Server Core installation)","cpes":["cpe:2.3:o:microsoft:windows_server_1903:*:*:*:*:*:*:*:*"],"platforms":["x64-based Systems"],"versions":[{"version":"10.0.0","lessThan":"publication","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"Windows Server version 2004","cpes":["cpe:2.3:o:microsoft:windows_server_2004:10.0.19041.1110:*:*:*:*:*:*:*"],"platforms":["x64-based Systems"],"versions":[{"version":"10.0.0","lessThan":"10.0.19041.1110","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"Windows Server 2016","cpes":["cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4530:*:*:*:*:*:*:*"],"platforms":["x64-based Systems"],"versions":[{"version":"10.0.0","lessThan":"10.0.14393.4530","versionType":"custom","status":"affected"}]},{"vendor":"Microsoft","product":"Windows Server 2016 (Server Core installation)","cpes":["cpe:2.3:o:microsoft:windows_server_2016:10.0.14393.4530:*:*:*:*:*:*:*"],"platforms":["x64-based Systems"],"versions":[{"version":"10.0.0","lessThan":"10.0.14393.4530","versionType":"custom","status":"affected"}]},{"vendor":"Micros

http://www.openwall.com/lists/oss-security/2021/11/10/3

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17049

https://security.gentoo.org/glsa/202309-06

<p>A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).</p>
<p>To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.</p>
<p>The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.</p>

A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).
To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.
The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.

Kerberos Security Feature Bypass Vulnerability

<p>A security feature bypass vulnerability exists in the way Key Distribution Center (KDC) determines if a service ticket can be used for delegation via Kerberos Constrained Delegation (KCD).</p>
<p>To exploit the vulnerability, a compromised service that is configured to use KCD could tamper with a service ticket that is not valid for delegation to force the KDC to accept it.</p>
<p>The update addresses this vulnerability by changing how the KDC validates service tickets used with KCD.</p>

Microsoft Corporation AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H

https://security.gentoo.org/glsa/202309-06 [No Types Assigned]

NIST CWE-863

NIST NVD-CWE-noinfo

OR
     *cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* versions from (including) 4.1.0 up to (excluding) 4.13.13
     *cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* versions from (including) 4.14.0 up to (excluding) 4.14.9
     *cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:* versions from (including) 4.15.0 up to (excluding) 4.15.1

http://www.openwall.com/lists/oss-security/2021/11/10/3 No Types Assigned

http://www.openwall.com/lists/oss-security/2021/11/10/3 Mailing List, Third Party Advisory

http://www.openwall.com/lists/oss-security/2021/11/10/3 [No Types Assigned]

CWE-269

NVD-CWE-noinfo

NIST AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

NIST (AV:N/AC:L/Au:S/C:C/I:C/A:C)

NIST CWE-269

OR
     *cpe:2.3:o:microsoft:windows_server_2012:*:*:*:*:*:*:*:*
     *cpe:2.3:o:microsoft:windows_server_2012:r2:*:*:*:*:*:*:*
     *cpe:2.3:o:microsoft:windows_server_2016:-:*:*:*:*:*:*:*
     *cpe:2.3:o:microsoft:windows_server_2016:20h2:*:*:*:*:*:*:*
     *cpe:2.3:o:microsoft:windows_server_2016:1903:*:*:*:*:*:*:*
     *cpe:2.3:o:microsoft:windows_server_2016:1909:*:*:*:*:*:*:*
     *cpe:2.3:o:microsoft:windows_server_2016:2004:*:*:*:*:*:*:*
     *cpe:2.3:o:microsoft:windows_server_2019:-:*:*:*:*:*:*:*

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17049 No Types Assigned

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-17049 Patch, Vendor Advisory

, aka 'Kerberos Security Feature Bypass Vulnerability'.

Kerberos Security Feature Bypass Vulnerability