The Samba-Bugzilla – Attachment 12739 Details for Bug 12445
[SECURITY] CVE-2016-2125: don't send delegated credentials to all servers
Updated description: CVE-2016-2125-description.ab_v2.txt (text/plain), 4.65 KB, created by Karolin Seeger on 2016-12-07 11:42:39 UTC
===============================================================================
== Subject: Unconditional privilege delegation to Kerberos servers in trusted realms
==
== CVE ID#: CVE-2016-2125
==
== Versions: Samba 3.0.25 to 4.5.2
==
== Summary: Samba client code always requests a forwardable ticket
==          when using Kerberos authentication. This means the
==          target server, which must be in the current or trusted
==          domain/realm, is given a valid general purpose Kerberos
==          "Ticket Granting Ticket" (TGT), which can be used to
==          fully impersonate the authenticated user or service.
==
================================================================================

===========
Description
===========

The Samba client code always requests a forwardable Kerberos ticket when
performing Kerberos authentication by passing the GSS_C_DELEG_FLAG to the
gss_init_sec_context() GSSAPI function.

The use of GSS_C_DELEG_FLAG, if accepted by the Kerberos KDC, results in
passing the forwardable TGT to the remote target service via Kerberos AP-REQ.
The target service by design must be part of the same or a trusted Kerberos
realm (a domain in the same or trusted Active Directory forest).

The service that accepts the AP-REQ from the client can thus do whatever the
client is also able to achieve with the Kerberos TGT.

The risks of impersonation of the client are similar to the well known risks
from forwarding of NTLM credentials, with two important differences:
 - NTLM forwarding can and should be mitigated with packet signing
 - Kerberos forwarding can only be attempted after the trusted
   destination server decrypts the ticket.

Finally, it should be noted that typically the connections involved
are either explicitly requested, or are between or to Domain
Controllers already of ultimate privilege.

Controlling Kerberos forwarding
-------------------------------

In the Active Directory world it's possible for administrators to
limit the delegation. User and computer objects can both act as
Kerberos users and also as Kerberos services. Both types of objects have an
attribute called 'userAccountControl' which is a bitmask that controls the
behavior of the account. The following three values have impact on possible
delegation:

0x00100000: UF_NOT_DELEGATED

The UF_NOT_DELEGATED flag can be used to disable the ability to get a
forwardable TGT for the account. It means the KDC will respond with an error
if the client asks for the forwardable ticket. The client typically gives up,
removes the GSS_C_DELEG_FLAG flag and continues without passing delegated
credentials. Administrators can use this to disable possible delegation for
the most privileged accounts (e.g. administrator accounts).

0x00080000: UF_TRUSTED_FOR_DELEGATION

If UF_TRUSTED_FOR_DELEGATION is set on an account, a KDC will include the
OK_AS_DELEGATE flag in a granted service ticket. If the client application
uses just GSS_C_DELEG_POLICY_FLAG (instead of GSS_C_DELEG_FLAG), GSSAPI/Kerberos
libraries typically only include delegated credentials when the service ticket
includes the OK_AS_DELEGATE flag. Administrators can use this to control which
services will get delegated credentials, for example if the service runs in a
trusted environment and actually requires the presence of delegated
credentials.

0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is not really relevant for this
CVE and is just listed here for completeness. This flag is relevant for the
S4U2Proxy feature, where a service can ask the KDC for a proxied service
ticket which can impersonate users to other services.
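To make the three userAccountControl bits and the two GSSAPI request flags concrete, here is an added Python model (not Samba's own code; samba-tool is written in Python, so the audit part is the kind of script an AD DC administrator would run over LDAP results) of when a client's TGT ends up delegated to a service. The string values for the GSS flags, the base UAC bits 0x200/0x1000 and the sample accounts are constructed for this example.

```python
# Added example (not Samba code): model of the delegation decision in the
# advisory, driven by the client's GSSAPI request flag and AD UAC bits.
UF_TRUSTED_FOR_DELEGATION = 0x00080000  # userAccountControl bits from the advisory
UF_NOT_DELEGATED = 0x00100000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000

# request flags named in the advisory; strings are markers for this model only
GSS_C_DELEG_FLAG = "GSS_C_DELEG_FLAG"                # pre-patch Samba client
GSS_C_DELEG_POLICY_FLAG = "GSS_C_DELEG_POLICY_FLAG"  # patched Samba client

def kdc_issues_forwardable_tgt(client_uac):
    """The KDC refuses a forwardable TGT if the client account is UF_NOT_DELEGATED."""
    return not (client_uac & UF_NOT_DELEGATED)

def service_ticket_ok_as_delegate(service_uac):
    """The KDC sets OK_AS_DELEGATE only for services with UF_TRUSTED_FOR_DELEGATION."""
    return bool(service_uac & UF_TRUSTED_FOR_DELEGATION)

def tgt_delegated(request_flag, client_uac, service_uac):
    """True if the client's TGT ends up inside the AP-REQ sent to the service."""
    if not kdc_issues_forwardable_tgt(client_uac):
        return False  # client drops the flag and continues without delegation
    if request_flag == GSS_C_DELEG_FLAG:
        return True   # unconditional: every same/trusted-realm server gets the TGT
    if request_flag == GSS_C_DELEG_POLICY_FLAG:
        return service_ticket_ok_as_delegate(service_uac)  # honour KDC policy
    raise ValueError("unknown request flag %r" % request_flag)

def audit_uac(accounts):
    """Group account names by the delegation-relevant UAC bits they carry."""
    report = {"trusted_for_delegation": [], "not_delegated": [], "s4u2proxy": []}
    for name, uac in accounts.items():
        if uac & UF_TRUSTED_FOR_DELEGATION:
            report["trusted_for_delegation"].append(name)
        if uac & UF_NOT_DELEGATED:
            report["not_delegated"].append(name)
        if uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION:
            report["s4u2proxy"].append(name)
    return report

# constructed sample directory; the base bits 0x200 (normal user) and 0x1000
# (workstation trust account) are not from the advisory
SAMPLE_ACCOUNTS = {
    "administrator": 0x200 | UF_NOT_DELEGATED,
    "alice": 0x200,
    "FILESRV$": 0x1000,
    "PROXYSRV$": 0x1000 | UF_TRUSTED_FOR_DELEGATION,
}
```

Running audit_uac over real userAccountControl values pulled from the directory shows at a glance which services will still receive delegated credentials from a patched client and which privileged accounts are not yet protected by UF_NOT_DELEGATED.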

The patched Samba version will still use GSS_C_DELEG_POLICY_FLAG and provide
delegated credentials to services which have the UF_TRUSTED_FOR_DELEGATION
bitmask set on the user account.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

See the description about UF_NOT_DELEGATED above.

The samba-tool command and the AD DC mode honour the undocumented
"gensec_gssapi:delegation=no" option in the [global] section of the
smb.conf file.

=======
Credits
=======

This vulnerability was discovered by Simo Sorce of Red Hat and
researched by Stefan Metzmacher of SerNet (https://samba.plus), both
members of the Samba Team (https://www.samba.org). Stefan Metzmacher
also provided the fixes.