===============================================================================
== Subject:     Unconditional Kerberos delegation to all servers.
==
== CVE ID#:     CVE-2016-2125
==
== Versions:    Samba 3.0.25 to 4.5.2
==
== Summary:     Samba client code always requests a forwardable ticket
==              when using Kerberos authentication. This means the
==              target server is given a valid general-purpose
==              Kerberos "Ticket Granting Ticket" (TGT), which can
==              be used to fully impersonate the authenticated user.
==
===============================================================================

===========
Description
===========

Whenever the Samba client code uses GSSAPI/Kerberos authentication it
requests a forwardable ticket by passing the GSS_C_DELEG_FLAG flag to the
gss_init_sec_context() GSSAPI function. Because of this a forwardable TGT
is always requested from the KDC and passed (via the Kerberos AP-REQ) to
the remote server.

This forwardable TGT is basically a normal TGT, which can be used by the
remote service to get service tickets on behalf of the user for any other
service from the KDC. The service that accepts the AP-REQ from the client
can thus do whatever the client is also able to do (impersonate the
client).

In the Active Directory world it's possible for administrators to limit
the delegation. User and computer objects can both act as Kerberos users
and also as Kerberos services. They both have an attribute called
'userAccountControl' which is a bitmask that controls the behavior of the
account. The following three values have impact on possible delegation:

0x00100000: UF_NOT_DELEGATED

  UF_NOT_DELEGATED can be used to disable the ability to get a
  forwardable TGT for the account. It means the KDC will respond with an
  error if the client asks for a forwardable ticket. The client typically
  gives up, removes the GSS_C_DELEG_FLAG flag and continues without
  passing delegated credentials.

  Administrators can use this to disable possible delegation for the most
  privileged accounts (e.g. administrator accounts).

0x00080000: UF_TRUSTED_FOR_DELEGATION

  If UF_TRUSTED_FOR_DELEGATION is set on an account, a KDC will include
  the OK_AS_DELEGATE flag in a granted service ticket. If the client
  application uses just GSS_C_DELEG_POLICY_FLAG (instead of
  GSS_C_DELEG_FLAG), GSSAPI/Kerberos libraries typically only include
  delegated credentials when the service ticket includes the
  OK_AS_DELEGATE flag.

  Administrators can use this to control which services will get
  delegated credentials, usually reserving this for services that run in
  a trusted environment and actually require the presence of delegated
  credentials.

0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

  UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is not really relevant for
  this CVE and is just listed in order to have a complete list. The flag
  is relevant for the S4U2Proxy feature, where a service can ask the KDC
  for proxied service tickets which can impersonate users to other
  services.

The patched Samba version will still use GSS_C_DELEG_POLICY_FLAG and
provide delegated credentials to services which have the
UF_TRUSTED_FOR_DELEGATION bit set on their account.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as security
releases to correct the defect. Samba vendors and administrators running
affected versions are advised to upgrade or apply the patch as soon as
possible.

==========
Workaround
==========

See the description of UF_NOT_DELEGATED above.

Some (but NOT all!) tools make use of the undocumented
"gensec_gssapi:delegation=no" option in the [global] section of the
smb.conf file.
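The following script is an added example written for this advisory; it is not Samba code and not part of the original text. It models the three outcomes the Description spells out (UF_NOT_DELEGATED on the user, GSS_C_DELEG_FLAG on an unpatched client, GSS_C_DELEG_POLICY_FLAG plus UF_TRUSTED_FOR_DELEGATION on the service) and applies them to a constructed ldapsearch-style export so an administrator can see which user/service pairs would end up with a delegated TGT before and after the fix. The userAccountControl bit values are those listed above; the account names, the export format, the convention that computer accounts end in "$", and the NORMAL_ACCOUNT (512) and WORKSTATION_TRUST_ACCOUNT (4096) base values are assumptions made for the example.

```python
"""Model of the delegation outcomes described in CVE-2016-2125.

Added example, not Samba's code. The bit values below are the ones the
advisory lists; everything else (account names, export format) is
constructed for illustration.
"""

# userAccountControl bits quoted in the advisory
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_NOT_DELEGATED = 0x00100000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000

# The two client behaviours contrasted in the advisory. These are labels
# for the model, not the numeric GSSAPI constants.
GSS_C_DELEG_FLAG = "GSS_C_DELEG_FLAG"                # unpatched Samba client
GSS_C_DELEG_POLICY_FLAG = "GSS_C_DELEG_POLICY_FLAG"  # patched Samba client


def delegated_credentials_sent(client_flag, user_uac, service_uac):
    """Return True if the remote service ends up holding the user's
    forwardable TGT, following the rules in the Description section."""
    # UF_NOT_DELEGATED on the user: the KDC refuses a forwardable ticket,
    # the client drops the flag and continues without delegation.
    if user_uac & UF_NOT_DELEGATED:
        return False
    # GSS_C_DELEG_FLAG delegates to every service unconditionally.
    if client_flag == GSS_C_DELEG_FLAG:
        return True
    # GSS_C_DELEG_POLICY_FLAG delegates only when the service ticket carries
    # OK_AS_DELEGATE, which the KDC sets for a service account that has
    # UF_TRUSTED_FOR_DELEGATION.
    if client_flag == GSS_C_DELEG_POLICY_FLAG:
        return bool(service_uac & UF_TRUSTED_FOR_DELEGATION)
    raise ValueError("unknown client flag: %r" % (client_flag,))


def parse_uac_export(text):
    """Parse 'sAMAccountName:' / 'userAccountControl:' pairs from an
    ldapsearch-style export (constructed format) into {name: uac}."""
    accounts = {}
    name = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("sAMAccountName:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("userAccountControl:") and name is not None:
            accounts[name] = int(line.split(":", 1)[1].strip())
            name = None
    return accounts


def exposure_report(accounts, client_flag):
    """List every (user, service) pair where the service would receive the
    user's delegated credentials. Assumption for the example: names ending
    in '$' are computer (service) accounts, all others are users."""
    users = {n: u for n, u in accounts.items() if not n.endswith("$")}
    services = {n: u for n, u in accounts.items() if n.endswith("$")}
    exposed = []
    for user, user_uac in sorted(users.items()):
        for service, service_uac in sorted(services.items()):
            if delegated_credentials_sent(client_flag, user_uac, service_uac):
                exposed.append((user, service))
    return exposed


# Constructed sample export. Base values assumed: 512 = NORMAL_ACCOUNT,
# 4096 = WORKSTATION_TRUST_ACCOUNT. 'admin' also has UF_NOT_DELEGATED
# (512 + 0x100000), 'FS01$' also has UF_TRUSTED_FOR_DELEGATION
# (4096 + 0x80000).
SAMPLE_EXPORT = """\
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

dn: CN=admin,CN=Users,DC=example,DC=test
sAMAccountName: admin
userAccountControl: 1049088

dn: CN=FS01,CN=Computers,DC=example,DC=test
sAMAccountName: FS01$
userAccountControl: 528384

dn: CN=WS07,CN=Computers,DC=example,DC=test
sAMAccountName: WS07$
userAccountControl: 4096
"""

if __name__ == "__main__":
    accts = parse_uac_export(SAMPLE_EXPORT)
    for flag in (GSS_C_DELEG_FLAG, GSS_C_DELEG_POLICY_FLAG):
        print(flag, "->", exposure_report(accts, flag))
```

Run against the sample, the unpatched behaviour hands alice's TGT to both FS01$ and WS07$, while the patched behaviour limits it to FS01$; admin is never exposed because of UF_NOT_DELEGATED. Replacing SAMPLE_EXPORT with a real userAccountControl export gives the same two lists for an actual domain.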
=======
Credits
=======

This vulnerability was discovered by Simo Sorce of RedHat and researched
by Stefan Metzmacher of SerNet (https://samba.plus), both members of the
Samba Team (https://www.samba.org). Stefan Metzmacher also provided the
fixes.