{"vuid":"VU#477341","idnumber":"477341","name":"Microsoft PKINIT smart card logon vulnerable to information disclosure and spoofing","keywords":["Microsoft","PKINIT","information disclosure","MS05-042"],"overview":"Microsoft PKINIT smart card authentication is vulnerable to an information disclosure flaw that may allow an attacker to spoof a trusted server.","clean_desc":"From the Microsoft PKINIT description: PKINIT is an Internet Engineering Task Force (IETF) Internet Draft for \"Public Key Cryptography for Initial Authentication in Kerberos.\" Windows 2000 and later uses draft 9 of the IETF \"Public Key Cryptography for Initial Authentication in Kerberos\" Internet Draft. Windows uses this protocol when you use a smart card for interactive logon. IETF Internet Drafts are available at the following IETF Web site. When PKINIT smart card authentication is used, an attacker may be able to inject themselves into an authentication session between a user and a domain controller and exploit this flaw. After exploiting the flaw, the attacker may spoof the application server to a target client. This flaw is due to a weakness in the older PKINIT protocol design specification that is implemented. Both the attacker and the target user must have their accounts enabled for smart card authentication. The attacker must already have valid logon credentials in order to successfully exploit the flaw.","impact":"A remote, authenticated attacker that is able to intercept an authentication session between a user and domain controller may be able to gain confidential information and spoof a trusted application server to a targeted user.","resolution":"Apply An Update\nPlease see Microsoft Security Bulletin MS05-042 for information on fixes, updates, and workarounds.","workarounds":"","sysaffected":"","thanks":"Thanks to Microsoft for reporting this vulnerability, who in turn thank \nAndre Scedrov\n and his team; Iliano Cervesato, Aaron Jaggard , Joe-Kai Tsay , and Chris Walstad","author":"This document was written by Ken MacInnis.","public":["http://www.microsoft.com/technet/security/bulletin/MS05-042.mspx","http://secunia.com/advisories/16368/"],"cveids":["CVE-2005-1982"],"certadvisory":"","uscerttechnicalalert":null,"datecreated":"2005-08-09T18:12:00Z","publicdate":"2005-08-09T00:00:00Z","datefirstpublished":"2005-11-09T15:42:37Z","dateupdated":"2005-11-09T15:43:26Z","revision":16,"vrda_d1_directreport":"0","vrda_d1_population":"3","vrda_d1_impact":"2","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"5","cam_population":"15","cam_impact":"15","cam_easeofexploitation":"6","cam_attackeraccessrequired":"9","cam_scorecurrent":"4.55625","cam_scorecurrentwidelyknown":"5.6953125","cam_scorecurrentwidelyknownexploited":"10.2515625","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":4.55625,"vulnote":null}