CVE-2001-1444Algorithm Downgrade in Kerberos

CWE-757Algorithm Downgrade4 documents4 sources
Severity
7.5HIGHNVD
EPSS
0.9%
top 24.96%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
1
KTH Kerberos
Timeline
PublishedAug 27
Latest updateApr 30

Description

The Kerberos Telnet protocol, as implemented by KTH Kerberos IV and Kerberos V (Heimdal), does not encrypt authentication and encryption options sent from the server, which allows remote attackers to downgrade authentication and encryption mechanisms via a man-in-the-middle attack.

CVSS vector

AV:N/AC:L/C:P/I:P/A:PExploitability: 10.0 | Impact: 6.4

Affected Packages1 packages

NVDkth/kth_kerberos4, 5+1

🔴Vulnerability Details

2
GHSA
GHSA-gf54-vw48-28p7: The Kerberos Telnet protocol, as implemented by KTH Kerberos IV and Kerberos V (Heimdal), does not encrypt authentication and encryption options sent2022-04-30
CVEList
CVE-2001-1444: The Kerberos Telnet protocol, as implemented by KTH Kerberos IV and Kerberos V (Heimdal), does not encrypt authentication and encryption options sent2005-04-21

📐Framework References

1
CWE
Selection of Less-Secure Algorithm During Negotiation ('Algorithm Downgrade')
CVE-2001-1444 — Algorithm Downgrade in KTH Kerberos | cvebase