The Samba-Bugzilla – Attachment 12732 Details for
Bug 12445
[SECURITY] CVE-2016-2125: don't send delegated credentials to all servers
Description: Fixed up version
Filename: CVE-2016-2125-description.metze02.txt (text/plain), 4.04 KB
Creator: Jeremy Allison
Created: 2016-12-06 21:32:56 UTC
Flags: patch, obsolete
===============================================================================
== Subject: Unconditional Kerberos delegation to all servers.
==
== CVE ID#: CVE-2016-2125
==
== Versions: Samba 3.0.25 to 4.5.2
==
== Summary: Samba client code always requests a forwardable ticket
== when using kerberos authentication. This means the
== target server is given a valid general purpose
== Kerberos "Ticket Granting Ticket" (TGT), which can
== be used to fully impersonate the authenticated user.
==
================================================================================

===========
Description
===========

Whenever the Samba client code uses GSSAPI/Kerberos authentication it
requests a forwardable ticket by passing the GSS_C_DELEG_FLAG flag to
the gss_init_sec_context() GSSAPI function.

Because of this a forwardable TGT is always requested from the KDC and
passed (via the kerberos AP-REQ) to the remote server. This
forwardable TGT is basically a normal TGT, which can be used by the
remote service to get service tickets on behalf of the user for any
other service from the KDC.

The service that accepts the AP-REQ from the client can thus do
whatever the client is also able to do (impersonate the client).

In the Active Directory world it's possible for administrators to
limit the delegation. User and computer objects can both act as
kerberos users and also as kerberos services. They both have an
attribute called 'userAccountControl' which is a bitmask that controls
the behavior of the account. The following three values have impact on
possible delegation:

0x00100000: UF_NOT_DELEGATED:

The UF_NOT_DELEGATED can be used to disable the ability to get a
forwardable TGT for the account. It means the KDC will respond with
an error if the client asks for the forwardable ticket. The client
typically gives up and removes the GSS_C_DELEG_FLAG flag and continues
without passing delegated credentials. Administrators can use this to
disable possible delegation for the most privileged accounts
(e.g. administrator accounts).

0x00080000: UF_TRUSTED_FOR_DELEGATION

If the UF_TRUSTED_FOR_DELEGATION is set on an account a KDC will
include the OK_AS_DELEGATE flag in a granted service ticket. If the
client application uses just GSS_C_DELEG_POLICY_FLAG (instead of
GSS_C_DELEG_FLAG) gssapi/kerberos libraries typically only include
delegated credentials when the service ticket includes the
OK_AS_DELEGATE flag. Administrators can use this to control which
services will get delegated credentials, typically only if the service
runs in a trusted environment and actually requires the presence of
delegated credentials.

0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

The UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is not really relevant
for this CVE and is just listed in order to have a complete list. The
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag is relevant for the
S4U2Proxy feature, where a service can ask the KDC for proxied
service tickets which can impersonate users to other services.

The patched Samba version will still use GSS_C_DELEG_POLICY_FLAG and
provide delegated credentials to services which have the
UF_TRUSTED_FOR_DELEGATION bitmask set on the user account.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

See the description about UF_NOT_DELEGATED above.

Some (but NOT all!) tools make use of the undocumented
"gensec_gssapi:delegation=no" option in the [global] section of the
smb.conf file.

=======
Credits
=======

This vulnerability was discovered by Simo Sorce of RedHat and
researched by Stefan Metzmacher of SerNet (https://samba.plus), both
members of the Samba Team (https://www.samba.org). Stefan Metzmacher
also provided the fixes.
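The following is an added example, not part of the advisory and not Samba's code: a small model of the delegation decision the advisory describes (KDC refusal under UF_NOT_DELEGATED, OK_AS_DELEGATE under UF_TRUSTED_FOR_DELEGATION, and the difference between a client requesting GSS_C_DELEG_FLAG and one requesting GSS_C_DELEG_POLICY_FLAG), so an administrator can reason about which account/service pairs would hand over a usable TGT. Function names and the sample directory entries are hypothetical; UF_NORMAL_ACCOUNT and UF_WORKSTATION_TRUST_ACCOUNT are standard userAccountControl bits that the advisory itself does not list.

```python
# Added example, not from the advisory or Samba: a model of the delegation
# decision described above. Function names are hypothetical.
UF_NORMAL_ACCOUNT = 0x00000200                 # standard UAC bit, not in the advisory
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000      # standard UAC bit, not in the advisory
UF_TRUSTED_FOR_DELEGATION = 0x00080000         # quoted from the advisory
UF_NOT_DELEGATED = 0x00100000                  # quoted from the advisory

GSS_C_DELEG_FLAG = "GSS_C_DELEG_FLAG"                # unpatched Samba client
GSS_C_DELEG_POLICY_FLAG = "GSS_C_DELEG_POLICY_FLAG"  # patched Samba client

def kdc_grants_forwardable_tgt(user_uac: int) -> bool:
    """KDC side: a forwardable TGT is refused when UF_NOT_DELEGATED is set."""
    return not (user_uac & UF_NOT_DELEGATED)

def service_ticket_ok_as_delegate(service_uac: int) -> bool:
    """KDC side: OK_AS_DELEGATE is set only if the service is trusted for delegation."""
    return bool(service_uac & UF_TRUSTED_FOR_DELEGATION)

def client_sends_delegated_creds(user_uac: int, service_uac: int, mode: str) -> bool:
    """Client side: does the AP-REQ carry the user's forwardable TGT?"""
    if not kdc_grants_forwardable_tgt(user_uac):
        return False  # client drops the flag and continues without delegation
    if mode == GSS_C_DELEG_FLAG:
        return True   # delegate to every server, regardless of AD policy
    if mode == GSS_C_DELEG_POLICY_FLAG:
        return service_ticket_ok_as_delegate(service_uac)
    raise ValueError(f"unknown delegation mode: {mode}")

def exposure_report(accounts, services, mode):
    """(user, service) pairs whose AP-REQ would hand the service a usable TGT."""
    return [(u, s) for u, uac in accounts.items()
            for s, suac in services.items()
            if client_sends_delegated_creds(uac, suac, mode)]

# Constructed sample directory: one protected admin, one ordinary user,
# one service trusted for delegation and one that is not.
SAMPLE_ACCOUNTS = {
    "alice": UF_NORMAL_ACCOUNT,
    "administrator": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,
}
SAMPLE_SERVICES = {
    "fileserver$": UF_WORKSTATION_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
    "printer$": UF_WORKSTATION_TRUST_ACCOUNT,
}

if __name__ == "__main__":
    for mode in (GSS_C_DELEG_FLAG, GSS_C_DELEG_POLICY_FLAG):
        print(mode, exposure_report(SAMPLE_ACCOUNTS, SAMPLE_SERVICES, mode))
```

Running it shows that the unpatched mode leaks alice's TGT to both services while the patched mode only delegates to the service marked UF_TRUSTED_FOR_DELEGATION, and that UF_NOT_DELEGATED protects the administrator in either mode.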