GMS-2020-751: Spoofing attack due to unvalidated KDC in node-krb5

September 1, 2020 (updated September 23, 2021)

Affected versions of node-krb5 do not validate the KDC prior to authenticating, which might allow an attacker with network access and enough time to spoof the KDC and impersonate a valid user without knowing their credentials.

Recommendation

It appears that this will remain unfixed indefinitely, as the Github issue for this vulnerability has been open since 2015, with no work on it since then.

At this time, the best available mitigation is to use an alternative module that is actively maintained and provides similar functionality. There are multiple modules fitting this criteria available on npm..

References

archive.hack.lu/2010/Bouillon-Stealing-credentials-for-impersonation.pdf
github.com/advisories/GHSA-4v9q-hm2p-68c4
github.com/qesuto/node-krb5/issues/13
nvd.nist.gov/vuln/detail/CVE-2016-1000238
www.npmjs.com/advisories/136

Detect and mitigate GMS-2020-751 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →