===========================================================
== Subject:     Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
==
== CVE ID#:     CVE-2018-16860
==
== Versions:    All Samba versions since Samba 4.0
==
== Summary:     The checksum validation in the S4U2Self handler in
==              the KDC did not first confirm that the checksum
==              was keyed, allowing replacement of the requested
==              target principal.
===========================================================

===========
Description
===========

S4U2Self is an extension to Kerberos used in Active Directory to allow
the creation of arbitrary Kerberos tickets, written only to the local
server. This is helpful in obtaining a full list of the groups (SIDs)
for a user given only a login name.

S4U2Proxy is an extension of this mechanism allowing this impersonation
over the network, allowing a privileged server to assert the identity of
any user (who has presumably asserted their own identity via a
non-Kerberos protocol).

The flaw in Samba's AD DC is that the Heimdal KDC, when checking the
checksum that the client places on the S4U2Self packet to protect the
target principal against modification, does not confirm that the
checksum algorithm is keyed. This allows the use of CRC32 (which
requires no special knowledge to compute). This in turn would allow a
ticket requested for user@EXAMPLE.COM to instead be issued for (and
contain the PAC of) administrator@EXAMPLE.COM.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.12, 4.9.8 and 4.10.3 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.
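To make the missing check concrete, here is a small model of the KDC-side PA-FOR-USER validation described above. It is an added example, not Samba or Heimdal code: the byte layout of the checksummed fields follows MS-SFU 2.2.1 as understood by the editor, the HMAC-MD5 construction follows RFC 4757, zlib's CRC-32 stands in for Kerberos checksum type 1, and the session key and principal names are constructed values. The model accepts a checksum that verifies, and the `require_keyed` flag is the difference between the flawed behaviour and the corrected one.

```python
import hashlib
import hmac
import struct
import zlib

# Kerberos checksum type numbers (RFC 3961, RFC 4757); only those needed here.
CKSUMTYPE_CRC32 = 1          # unkeyed: anyone can recompute it
CKSUMTYPE_HMAC_MD5 = -138    # keyed: the type MS-SFU specifies for PA-FOR-USER
UNKEYED_CKSUMTYPES = {1, 2, 7}  # crc32, rsa-md4, rsa-md5
KU_PA_FOR_USER = 17          # key usage number for the PA-FOR-USER checksum

def checksum_is_keyed(cksumtype):
    return cksumtype not in UNKEYED_CKSUMTYPES

def pa_for_user_bytes(name_type, names, realm, auth_package="Kerberos"):
    # MS-SFU 2.2.1: int32 name-type, then the name strings, realm, auth-package
    return struct.pack("<i", name_type) + "".join(names + [realm, auth_package]).encode()

def hmac_md5_checksum(key, usage, data):
    # RFC 4757 section 4: HMAC-MD5 checksum bound to a key usage number
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<i", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()

def make_checksum(cksumtype, key, data):
    if cksumtype == CKSUMTYPE_HMAC_MD5:
        return hmac_md5_checksum(key, KU_PA_FOR_USER, data)
    if cksumtype == CKSUMTYPE_CRC32:
        # zlib's CRC-32 stands in for Kerberos cksumtype 1 (not bit-identical);
        # both need no key, which is the only property that matters here
        return struct.pack("<I", zlib.crc32(data))
    raise ValueError("unsupported cksumtype %d" % cksumtype)

def kdc_accepts(cksumtype, cksum, key, name_type, names, realm, require_keyed):
    """Model of the KDC's PA-FOR-USER check. require_keyed=False is the
    flawed behaviour from the advisory; True adds the missing check."""
    if require_keyed and not checksum_is_keyed(cksumtype):
        return False
    data = pa_for_user_bytes(name_type, names, realm)
    return hmac.compare_digest(make_checksum(cksumtype, key, data), cksum)

def demo():
    """Returns (legit accepted, swapped accepted before fix, swapped accepted after fix)."""
    key, realm, nt = b"constructed-session-key", "EXAMPLE.COM", 1  # constructed values
    legit = make_checksum(CKSUMTYPE_HMAC_MD5, key, pa_for_user_bytes(nt, ["user"], realm))
    # same request with the target replaced and the checksum swapped for CRC32
    swapped = make_checksum(CKSUMTYPE_CRC32, None, pa_for_user_bytes(nt, ["administrator"], realm))
    return (kdc_accepts(CKSUMTYPE_HMAC_MD5, legit, key, nt, ["user"], realm, True),
            kdc_accepts(CKSUMTYPE_CRC32, swapped, key, nt, ["administrator"], realm, False),
            kdc_accepts(CKSUMTYPE_CRC32, swapped, key, nt, ["administrator"], realm, True))
```

`demo()` returns `(True, True, False)`: the keyed request passes either way, while the CRC32-protected request is accepted only by the model that skips the keyed-checksum test.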
==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

==========================
Workaround and Mitigations
==========================

If no client takes privileged actions based on tickets obtained by
S4U2Self nor obtains tickets via S4U2Proxy, then this issue cannot be
exploited.

The path to an exploit is not generic: the KDC is not harmed by the
malicious checksum; it is the client service requesting the ticket that
is misled, because it trusted the KDC to return the correct ticket and
PAC.

The only Samba clients that use S4U2Self are:

 - the "net ads kerberos pac dump" (debugging) tool.
 - the CIFS proxy in the deprecated/developer-only NTVFS file server.

In particular, winbindd does not use S4U2Self.

=======
Credits
=======

Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
Team and Catalyst. Patches provided by Isaac Boukris.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================