Title: MIT Kerberos
Creation Date: March 24, 2025
Source: Red Hat Security Bulletin
Classification:
- Impact: Loss of integrity
- Exploit: Unknown
- Solution: Unknown
Affected Systems:
- Red Hat Ansible Automation Platform version 2
- Red Hat Enterprise Linux version 9
- Red Hat Enterprise Linux version 7
- Red Hat Enterprise Linux version 6
- Red Hat Enterprise Linux version 8
- Red Hat OpenShift version 4
- MIT Kerberos version –
- MIT Kerberos5 version –
Risks:
- Message Forgery
- Loss of Integrity
- Exploitation of Encryption Preferences
Conclusion:
CVE-2025-3576 is a recently published vulnerability affecting the MIT Kerberos implementation. This vulnerability allows the spoofing of messages protected by GSSAPI using RC4-HMAC-MD5 due to weaknesses in the MD5 checksum design. If RC4 is preferred over stronger encryption types, an attacker could exploit MD5 collisions to forge message integrity codes, potentially leading to unauthorized message tampering.
References:
- CVE-2025-3576
- CVSS Vector: CVSS:3.1/AV: N/AC:H/PR: N/UI: N/S: U/C: N/I:H/A: N
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality: None
- Integrity: High
- Availability: None
Red Hat Bugzilla Advisory
https://bugzilla.redhat.com/show_bug.cgi?id=2359465
https://bugzilla.redhat.com/show_bug.cgi?id=2359673
https://bugzilla.redhat.com/show_bug.cgi?id=2359672
