The Samba-Bugzilla - Attachment 12735 Details for Bug 12445: [SECURITY] CVE-2016-2125: don't send delegated credentials to all servers
Description: Updated text with more context as to the problem (v3)
Filename: CVE-2016-2125-description.abartlet.txt
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2016-12-07 03:53:27 UTC
Size: 4.81 KB
===============================================================================
== Subject: Unconditional privilege delegation to Kerberos servers in trusted realms
==
== CVE ID#: CVE-2016-2125
==
== Versions: Samba 3.0.25 to 4.5.2
==
== Summary: Samba client code always requests a forwardable ticket
==          when using kerberos authentication. This means the
==          target server, which must be in the current or trusted
==          domain/realm, is given a valid general purpose Kerberos
==          "Ticket Granting Ticket" (TGT), which can be used to
==          fully impersonate the authenticated user or service.
==
================================================================================

===========
Description
===========

Whenever the Samba client code uses Kerberos authentication to contact
a server it requests a forwardable ticket by passing the
GSS_C_DELEG_FLAG flag to the gss_init_sec_context() GSSAPI function.

Because of this a forwardable TGT is always requested from the KDC and
passed (via the kerberos AP-REQ) to the remote server. By design,
this server must be in the same or a trusted Kerberos realm (typically
a domain in the same or a trusted AD forest). This forwardable TGT is
basically a normal TGT, which can be used by the remote service to get
service tickets on behalf of the user for any other service from the
KDC.

The service that accepts the AP-REQ from the client can thus do
whatever the client is also able to do (impersonate the client).

The risks here are similar to the well-known risks from forwarding of
NTLM credentials, with two important differences:
 - NTLM forwarding can and should be mitigated with packet signing
 - Kerberos forwarding can only be attempted after the trusted
   destination server decrypts the ticket.

Finally, it should be noted that typically the connections involved
are either explicitly requested, or are between or to Domain
Controllers already of ultimate privilege.

Controlling Kerberos forwarding
-------------------------------

In the Active Directory world it's possible for administrators to
limit the delegation. User and computer objects can both act as
kerberos users and also as kerberos services. They both have an
attribute called 'userAccountControl' which is a bitmask that controls
the behavior of the account. The following three values have impact on
possible delegation:

0x00100000: UF_NOT_DELEGATED:

The UF_NOT_DELEGATED flag can be used to disable the ability to get a
forwardable TGT for the account. It means the KDC will respond with
an error if the client asks for the forwardable ticket. The client
typically gives up and removes the GSS_C_DELEG_FLAG flag and continues
without passing delegated credentials. Administrators can use this to
disable possible delegation for the most privileged accounts
(e.g. administrator accounts).

0x00080000: UF_TRUSTED_FOR_DELEGATION

If UF_TRUSTED_FOR_DELEGATION is set on an account a KDC will
include the OK_AS_DELEGATE flag in a granted service ticket. If the
client application uses just GSS_C_DELEG_POLICY_FLAG (instead of
GSS_C_DELEG_FLAG) gssapi/kerberos libraries typically only include
delegated credentials when the service ticket includes the
OK_AS_DELEGATE flag. Administrators can use this to control which
services will get delegated credentials, for example if the service
runs in a trusted environment and actually requires the presence of
delegated credentials.

0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

The UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag is not really relevant
for this CVE and is just listed in order to have a complete list. The
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag is relevant for the
S4U2Proxy feature, where a service can ask the KDC for proxied
service tickets which can impersonate users to other services.

The patched Samba version will still use GSS_C_DELEG_POLICY_FLAG and
provide delegated credentials to services which have the
UF_TRUSTED_FOR_DELEGATION bitmask set on the user account.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

See the description about UF_NOT_DELEGATED above.

The samba-tool command and the AD DC mode honour the undocumented
"gensec_gssapi:delegation=no" option in the [global] section of the
smb.conf file.

=======
Credits
=======

This vulnerability was discovered by Simo Sorce of Red Hat and
researched by Stefan Metzmacher of SerNet (https://samba.plus), both
members of the Samba Team (https://www.samba.org). Stefan Metzmacher
also provided the fixes.
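The delegation rules the advisory describes (KDC refusal under UF_NOT_DELEGATED, OK_AS_DELEGATE driven by UF_TRUSTED_FOR_DELEGATION, and the difference between a client that asks with GSS_C_DELEG_FLAG and one that asks with GSS_C_DELEG_POLICY_FLAG), modelled as an added Python example. This is not Samba code; the `audit_accounts` helper, its `privileged` marker and the account names are constructed for illustration.

```python
"""Model of the delegation decision described in the CVE-2016-2125 advisory.

Hypothetical example (not Samba code): given the userAccountControl bits of
the authenticating user and of the target service account, decide whether
the client ends up handing the service a forwardable TGT, for both the
pre-patch client behaviour (GSS_C_DELEG_FLAG) and the patched behaviour
(GSS_C_DELEG_POLICY_FLAG).
"""

# userAccountControl bits named in the advisory.
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_NOT_DELEGATED = 0x00100000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000  # S4U2Proxy only

# Client-side GSSAPI request flags, modelled as plain names.
DELEG_FLAG = "GSS_C_DELEG_FLAG"                # always ask for a forwardable TGT
DELEG_POLICY_FLAG = "GSS_C_DELEG_POLICY_FLAG"  # defer to the KDC's OK_AS_DELEGATE


def kdc_issues_forwardable_tgt(user_uac: int) -> bool:
    """The KDC refuses forwardable tickets for accounts marked UF_NOT_DELEGATED."""
    return not (user_uac & UF_NOT_DELEGATED)


def service_ticket_ok_as_delegate(service_uac: int) -> bool:
    """The KDC sets OK_AS_DELEGATE only for services trusted for delegation."""
    return bool(service_uac & UF_TRUSTED_FOR_DELEGATION)


def credentials_delegated(client_flag: str, user_uac: int, service_uac: int) -> bool:
    """Does the AP-REQ sent to the service end up carrying the user's TGT?"""
    if not kdc_issues_forwardable_tgt(user_uac):
        return False  # client drops the delegation request and continues without it
    if client_flag == DELEG_FLAG:
        return True   # pre-patch behaviour: TGT goes to any reachable server
    if client_flag == DELEG_POLICY_FLAG:
        return service_ticket_ok_as_delegate(service_uac)
    return False      # no delegation requested at all


def audit_accounts(accounts: dict) -> list:
    """Constructed audit helper: accounts maps name -> (uac, is_privileged).

    Flags privileged principals that can still obtain forwardable TGTs and
    services that will receive delegated credentials under the patched client.
    """
    findings = []
    for name, (uac, privileged) in accounts.items():
        if privileged and not (uac & UF_NOT_DELEGATED):
            findings.append(f"{name}: privileged account without UF_NOT_DELEGATED")
        if uac & UF_TRUSTED_FOR_DELEGATION:
            findings.append(f"{name}: UF_TRUSTED_FOR_DELEGATION set, will receive TGTs")
    return findings
```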