The Samba-Bugzilla – Attachment 15094 details for Bug 13685: [SECURITY] CVE-2018-16860 S4U2Self with unkeyed checksum
Description: a very rough first advisory
Filename: CVE-2018-16860-advisory-01.txt (text/plain), 2.88 KB
Created by Andrew Bartlett on 2019-04-25 09:23:23 UTC
===========================================================
== Subject:     Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
==
== CVE ID#:     CVE-2018-16860
==
== Versions:    All Samba versions since Samba 4.0
==
== Summary:     The checksum validation in the S4U2Self handler in
==              the KDC did not first confirm that the checksum
==              was keyed, allowing replacement of the requested
==              target principal.
===========================================================

===========
Description
===========

S4U2Self is an extension to Kerberos used in Active Directory that
lets a service obtain a Kerberos service ticket for an arbitrary user,
addressed to the service itself. This is helpful in obtaining the
full list of groups (SIDs) for a user given only a login name, since
the ticket carries that user's PAC.

S4U2Proxy extends this mechanism so that the impersonation can be
carried over the network: it allows a suitably privileged server to
assert the identity of any user (who has presumably proven their own
identity to that server via a non-Kerberos protocol) to a further
service.

The flaw in Samba's AD DC is that the Heimdal KDC, when checking the
checksum that the client places on the S4U2Self request (PA-FOR-USER)
to protect the target principal against modification, does not
confirm that the checksum algorithm is keyed. It therefore accepts
unkeyed algorithms such as CRC32, which anyone can compute without
knowledge of the session key.

An attacker able to intercept and alter the request in transit can
therefore replace the requested principal and re-stamp the request
with a matching unkeyed checksum. A ticket requested for
user@EXAMPLE.COM can in this way be issued for, and contain the PAC
of, administrator@EXAMPLE.COM.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.12, 4.9.8 and 4.10.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

==========================
Workaround and Mitigations
==========================

If no client takes privileged actions based on tickets obtained via
S4U2Self, and none obtains tickets via S4U2Proxy, then this issue
cannot be exploited.

The path to an exploit is not generic. The KDC itself is not harmed
by the malicious checksum; it is the client service requesting the
ticket that is misled, because it trusted the KDC to return the
correct ticket and PAC.

The only Samba clients that use S4U2Self are:
 - the "net ads kerberos pac dump" (debugging) tool.
 - the CIFS proxy in the deprecated/developer-only NTVFS file server.

In particular, winbindd does not use S4U2Self.

=======
Credits
=======

Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
Team and Catalyst.

Patches provided by Isaac Boukris.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
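The following Python script is an added illustration of the check the Description and Workaround sections talk about; it is not Samba or Heimdal code. It models PA-FOR-USER as a small dataclass in the MS-SFU field order, uses zlib's CRC-32 and an HMAC-SHA1 construction as stand-ins for the real Kerberos checksum algorithms (the type numbers are RFC 3961's, the key derivation is simplified), and builds the session key and principal names inline as constructed values. kdc_verify(..., require_keyed=False) behaves like the unfixed KDC and require_keyed=True like the fix: an on-path attacker who rewrites the target principal and re-stamps the padata with CRC32 gets past the first and not the second, while the same rewrite under a keyed checksum type fails both, because the attacker has no session key.

```python
# Added example with constructed values; not Samba or Heimdal code.
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass, replace
from typing import Optional

# RFC 3961 checksum type numbers (subset). Only the HMAC types take a key.
CKSUMTYPE_CRC32 = 1
CKSUMTYPE_RSA_MD5 = 7
CKSUMTYPE_SHA1 = 14
CKSUMTYPE_HMAC_SHA1_96_AES128 = 15
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16
KEYED_CKSUMTYPES = {CKSUMTYPE_HMAC_SHA1_96_AES128, CKSUMTYPE_HMAC_SHA1_96_AES256}

KEY_USAGE_PA_FOR_USER = 17   # MS-SFU key usage for the PA-FOR-USER checksum
NT_PRINCIPAL = 1             # name-type of an ordinary user principal


@dataclass
class PaForUser:
    """Simplified PA-FOR-USER padata carried in the S4U2Self TGS-REQ."""
    user_name: str
    user_realm: str
    cksumtype: int
    checksum: bytes
    auth_package: str = "Kerberos"

    def checksum_input(self) -> bytes:
        # MS-SFU 2.2.1 order: little-endian name-type, name, realm, auth-package.
        return (struct.pack("<I", NT_PRINCIPAL)
                + self.user_name.encode()
                + self.user_realm.encode()
                + self.auth_package.encode())


def compute_checksum(cksumtype: int, data: bytes, session_key: Optional[bytes]) -> bytes:
    """Checksum of data. Keyed types need the TGT session key; unkeyed ones do not."""
    if cksumtype == CKSUMTYPE_CRC32:
        return struct.pack("<I", zlib.crc32(data))      # anyone can compute this
    if cksumtype == CKSUMTYPE_RSA_MD5:
        return hashlib.md5(data).digest()
    if cksumtype == CKSUMTYPE_SHA1:
        return hashlib.sha1(data).digest()
    if cksumtype in KEYED_CKSUMTYPES:
        if session_key is None:
            raise ValueError("keyed checksum needs the session key")
        # Stand-in for RFC 3961 key derivation: bind the key usage into the key.
        kc = hmac.new(session_key, struct.pack(">I", KEY_USAGE_PA_FOR_USER),
                      hashlib.sha1).digest()
        return hmac.new(kc, data, hashlib.sha1).digest()[:12]   # hmac-sha1-96
    raise ValueError(f"unsupported checksum type {cksumtype}")


def build_pa_for_user(user_name: str, realm: str, session_key: bytes,
                      cksumtype: int = CKSUMTYPE_HMAC_SHA1_96_AES256) -> PaForUser:
    """What an honest client sends: the target principal under a keyed checksum."""
    pa = PaForUser(user_name, realm, cksumtype, b"")
    pa.checksum = compute_checksum(cksumtype, pa.checksum_input(), session_key)
    return pa


def attacker_rewrite(pa: PaForUser, new_user_name: str) -> PaForUser:
    """On-path attacker: swap the principal and re-stamp the padata with CRC32,
    which needs no key, so the new checksum is valid for the new content."""
    forged = replace(pa, user_name=new_user_name, cksumtype=CKSUMTYPE_CRC32)
    forged.checksum = compute_checksum(CKSUMTYPE_CRC32, forged.checksum_input(), None)
    return forged


def kdc_verify(pa: PaForUser, session_key: bytes, require_keyed: bool) -> bool:
    """KDC-side validation. require_keyed=False trusts whatever cksumtype the
    packet names (the flaw); require_keyed=True refuses unkeyed types before
    comparing any value (the fix)."""
    if require_keyed and pa.cksumtype not in KEYED_CKSUMTYPES:
        return False
    try:
        expected = compute_checksum(pa.cksumtype, pa.checksum_input(), session_key)
    except ValueError:
        return False
    return hmac.compare_digest(expected, pa.checksum)


def demo() -> dict:
    """Run the exchange on constructed values; True means the KDC accepted it."""
    session_key = bytes(range(32))                       # constructed TGT session key
    honest = build_pa_for_user("user", "EXAMPLE.COM", session_key)
    forged = attacker_rewrite(honest, "administrator")   # CRC32 re-stamp
    forged_keyed = replace(honest, user_name="administrator")  # keyed type, stale MAC
    return {
        "honest_vulnerable": kdc_verify(honest, session_key, require_keyed=False),
        "honest_fixed": kdc_verify(honest, session_key, require_keyed=True),
        "forged_vulnerable": kdc_verify(forged, session_key, require_keyed=False),
        "forged_fixed": kdc_verify(forged, session_key, require_keyed=True),
        "forged_keyed_vulnerable": kdc_verify(forged_keyed, session_key, require_keyed=False),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name:25s} {'accepted' if accepted else 'rejected'}")
```

The point of the ordering in kdc_verify is that the type check happens before the value is even recomputed: a checksum whose algorithm the attacker can run is worthless as an integrity tag regardless of whether it matches, which is the test Heimdal exposes as krb5_checksum_is_keyed(). The stale-MAC case in demo shows the converse: once only keyed types are accepted, swapping the principal without the session key produces a mismatch and the request is refused.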