The Samba-Bugzilla – Attachment 12730 Details for Bug 12445
[SECURITY] CVE-2016-2125: don't send delegated credentials to all servers
CVE-2016-2125-description.metze02.txt (text/plain), 3.83 KB, created by Stefan Metzmacher on 2016-12-06 14:31:52 UTC
===============================================================================
== Subject: Unconditional Kerberos delegation to all servers.
==
== CVE ID#: CVE-2016-2125
==
== Versions: Samba 3.0.25 to 4.5.2
==
== Summary: Whenever a Kerberos authentication is done against any server,
== that (most likely remote) server is given a valid general
== purpose Kerberos "Ticket Granting Ticket" (TGT), which
== can be used to impersonate the authenticated user.
==
================================================================================

===========
Description
===========

Whenever a GSSAPI/Kerberos authentication is done (as a client)
to any server, the GSS_C_DELEG_FLAG flag is passed to the gss_init_sec_context()
function.

As a result of the GSS_C_DELEG_FLAG usage a forwardable TGT is always
passed (via the AP-REQ) to the remote server. The forwardable TGT is
basically a normal TGT, which can be used to get service tickets for any
service from the KDC.

The service that accepts the AP-REQ from the client can basically do
whatever the client is also able to do.

In the world of Active Directory it's possible for administrators to limit
the delegation. User and computer objects can both act as Kerberos
user and also as Kerberos service. They both have an attribute
called 'userAccountControl' which is a bitmask that controls
the behavior of the account. The following three values have
impact on possible delegation:

0x00100000: UF_NOT_DELEGATED:
UF_NOT_DELEGATED can be used to disable the ability to
get a forwardable TGT for the account. It means the KDC will
respond with an error if the client asks for a forwardable TGT.
The client typically gives up, removes the GSS_C_DELEG_FLAG flag
and continues without passing delegated credentials.
Administrators can use this to disable possible delegation for
the most privileged accounts (e.g. administrator accounts).

0x00080000: UF_TRUSTED_FOR_DELEGATION
If UF_TRUSTED_FOR_DELEGATION is set on an account, the KDC
will include the OK_AS_DELEGATE flag in a granted service ticket.
If the client application uses just GSS_C_DELEG_POLICY_FLAG
(instead of GSS_C_DELEG_FLAG), GSSAPI/Kerberos libraries typically
only include delegated credentials when the service ticket
includes the OK_AS_DELEGATE flag. Administrators can use this
to control which services will get delegated credentials,
typically only if the service runs in a trusted environment
and actually requires the presence of delegated credentials.

0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is not really
relevant for this CVE and is just listed in order to have a complete
list. The UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag is
relevant for the S4U2Proxy feature, where a service can ask
the KDC for proxied service tickets which can impersonate
users to other services.

The patched Samba version will still use
GSS_C_DELEG_POLICY_FLAG and provide delegated credentials
to services with UF_TRUSTED_FOR_DELEGATION set.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

==========
Workaround
==========

See the description of UF_NOT_DELEGATED above.

Some (but NOT all!) tools make use of the undocumented
"gensec_gssapi:delegation=no" option in the [global] section
of the smb.conf file.

=======
Credits
=======

This vulnerability was discovered by Simo Sorce of Red Hat and researched
by Stefan Metzmacher of SerNet (https://samba.plus), both members of the
Samba Team (https://www.samba.org).
Stefan Metzmacher also provided the fixes.
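To make the decision logic above concrete, here is an added Python model (not Samba code) of when a client's forwardable TGT ends up in the AP-REQ under GSS_C_DELEG_FLAG (affected versions) versus GSS_C_DELEG_POLICY_FLAG (patched versions), driven by the userAccountControl bits the advisory lists. The account names and values are constructed, and the function names are my own; it lets an administrator see which services in a directory snapshot would receive delegated credentials before and after the fix.

```python
# Added example, not from the Samba advisory or code base.
# userAccountControl bits named in the advisory (values from the advisory).
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_NOT_DELEGATED = 0x00100000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000  # S4U2Proxy only, not modelled

# Constructed sample directory snapshot: account name -> userAccountControl.
# Names ending in "$" are computer (service) accounts.
SAMPLE_ACCOUNTS = {
    "alice": 0x00000200,                                  # NORMAL_ACCOUNT
    "administrator": 0x00000200 | UF_NOT_DELEGATED,       # delegation disabled by admin
    "FILESRV$": 0x00001000 | UF_TRUSTED_FOR_DELEGATION,   # trusted service
    "PRINTSRV$": 0x00001000,                              # ordinary service
}


def client_gets_forwardable_tgt(client_uac: int) -> bool:
    """The KDC refuses a forwardable TGT when UF_NOT_DELEGATED is set on the client."""
    return not (client_uac & UF_NOT_DELEGATED)


def ticket_has_ok_as_delegate(service_uac: int) -> bool:
    """The KDC sets OK_AS_DELEGATE only for services with UF_TRUSTED_FOR_DELEGATION."""
    return bool(service_uac & UF_TRUSTED_FOR_DELEGATION)


def tgt_is_delegated(client_uac: int, service_uac: int, policy_flag: bool) -> bool:
    """True if the client's forwardable TGT is sent in the AP-REQ to this service.

    policy_flag=False models GSS_C_DELEG_FLAG: delegate to any service as long as
    the KDC handed out a forwardable TGT.  policy_flag=True models
    GSS_C_DELEG_POLICY_FLAG: delegate only if the service ticket carries OK_AS_DELEGATE.
    """
    if not client_gets_forwardable_tgt(client_uac):
        return False  # client gives up on delegation and continues without it
    if policy_flag:
        return ticket_has_ok_as_delegate(service_uac)
    return True


def audit(accounts: dict) -> dict:
    """For each service account, list the users whose TGT it would receive
    before the fix (GSS_C_DELEG_FLAG) and after it (GSS_C_DELEG_POLICY_FLAG)."""
    services = {n: u for n, u in accounts.items() if n.endswith("$")}
    users = {n: u for n, u in accounts.items() if not n.endswith("$")}
    return {
        svc: {
            "before_fix": sorted(u for u, uac in users.items() if tgt_is_delegated(uac, suac, False)),
            "after_fix": sorted(u for u, uac in users.items() if tgt_is_delegated(uac, suac, True)),
        }
        for svc, suac in services.items()
    }
```

Running `audit(SAMPLE_ACCOUNTS)` shows PRINTSRV$ losing access to alice's TGT after the fix while FILESRV$ keeps it, and the administrator's TGT never being delegated in either case.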