The Samba-Bugzilla – Attachment 15100 Details for Bug 13685: [SECURITY] CVE-2018-16860 S4U2Self with unkeyed checksum
Advisory v2
advisory_v2.txt (text/plain), 3.66 KB, created by Isaac Boukris on 2019-04-26 16:07:39 UTC
===========================================================
== Subject: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
==
== CVE ID#: CVE-2018-16860
==
== Versions: All Samba versions since Samba 4.0
==
== Summary: The checksum validation in the S4U2Self handler in
== the KDC did not first confirm that the checksum
== was keyed, allowing replacement of the requested
== target principal.
===========================================================

===========
Description
===========

S4U2Self (aka protocol-transition) is an extension to Kerberos used in
Active Directory to allow the creation of arbitrary Kerberos tickets,
written only to the local server. This is helpful in obtaining a full
list of the groups (SIDs) for a user given only a login name (see MS-SFU).

S4U2Proxy (aka constrained-delegation) is an extension of this mechanism
allowing this impersonation over the network, allowing a privileged
server to assert the identity of any user (who has presumably asserted
their own identity via a non-Kerberos protocol).

The flaw in Samba's AD DC is that the Heimdal KDC, when checking the
checksum placed on the S4U2Self packet by the server to protect the
target principal against modification, does not confirm that the
checksum algorithm is keyed. This allows a MITM to modify the packet
and to generate instead a CRC32 checksum (which requires no prior
knowledge to compute).

This in turn would allow a ticket requested on behalf of user@EXAMPLE.COM to
be issued instead on behalf (and contain the PAC) of administrator@EXAMPLE.COM.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

 http://www.samba.org/samba/security/

Additionally, Samba 4.8.12, 4.9.8 and 4.10.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

==========================
Workaround and Mitigations
==========================

If no server takes privileged actions based on tickets obtained by
S4U2Self nor obtains tickets via S4U2Proxy then this issue cannot
be exploited.

The path to an exploit is not generic: the KDC is not harmed by the
malicious checksum; it is the client service requesting the ticket
that is misled, because it trusted the KDC to return the correct ticket
and PAC.

One possible path to exploitation arises if, for instance, the server
authenticates users using X509 certificates and then uses S4U2Self to
obtain a ticket on behalf of the user in order to authorize access to
local resources, or to be used via the S4U2Proxy extension in order to
provide access to network resources.
In such a scenario and under some conditions, a malicious user could
authenticate using a certificate of an unprivileged user, and then
elevate their privileges by intercepting the packet from the server to
the KDC and changing the requested principal name.

The only Samba clients that use S4U2Self are:
 - the "net ads kerberos pac dump" (debugging) tool.
 - the CIFS proxy in the deprecated/developer-only NTVFS file server

In particular, winbindd does not use S4U2Self.

=======
Credits
=======

Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
Team and Catalyst.

Patches provided by Isaac Boukris.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
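The KDC-side check the advisory describes, modelled in Python as an added example (this is not Samba's or Heimdal's code): the pre-fix verification recomputes whatever checksum type the request names, so an unkeyed CRC32 over a substituted principal passes, while the fixed version rejects non-keyed types before comparing. The PA-FOR-USER encoding, the session key and the principal names are constructed stand-ins, not the real MS-SFU wire format.

```python
import hashlib
import hmac
import zlib

# Checksum type numbers: CRC32 from RFC 3961, HMAC-MD5 from MS-SFU. Only these
# two are modelled; verifying the second one needs the client's TGT session key.
CKSUMTYPE_CRC32 = 1
KERB_CHECKSUM_HMAC_MD5 = -138
KEYED_TYPES = {KERB_CHECKSUM_HMAC_MD5}


def encode_for_user(name: str, realm: str) -> bytes:
    """Constructed stand-in for the PA-FOR-USER fields the checksum covers
    (not the real MS-SFU encoding)."""
    return name.encode() + b"@" + realm.encode() + b"|Kerberos"


def compute_checksum(cksumtype: int, key: bytes, data: bytes) -> bytes:
    if cksumtype == CKSUMTYPE_CRC32:  # unkeyed: anyone can recompute it
        return zlib.crc32(data).to_bytes(4, "little")
    if cksumtype == KERB_CHECKSUM_HMAC_MD5:  # keyed with the session key
        return hmac.new(key, data, hashlib.md5).digest()
    raise ValueError(f"unsupported checksum type {cksumtype}")


def verify_vulnerable(key, cksumtype, cksum, name, realm) -> bool:
    """Pre-fix logic: the type named in the request is recomputed and compared."""
    expected = compute_checksum(cksumtype, key, encode_for_user(name, realm))
    return hmac.compare_digest(expected, cksum)


def verify_fixed(key, cksumtype, cksum, name, realm) -> bool:
    """Post-fix logic: refuse any checksum type that is not keyed first."""
    if cksumtype not in KEYED_TYPES:
        return False
    return verify_vulnerable(key, cksumtype, cksum, name, realm)


def demo() -> dict:
    key = b"\x01" * 16  # constructed stand-in for the client's TGT session key
    # Legitimate request from the server: keyed checksum over user@EXAMPLE.COM.
    good = compute_checksum(KERB_CHECKSUM_HMAC_MD5, key, encode_for_user("user", "EXAMPLE.COM"))
    # Request altered in transit: name swapped and type downgraded to CRC32,
    # which needs no key, exactly the substitution the advisory describes.
    bad = compute_checksum(CKSUMTYPE_CRC32, b"", encode_for_user("administrator", "EXAMPLE.COM"))
    return {
        "legit_vulnerable": verify_vulnerable(key, KERB_CHECKSUM_HMAC_MD5, good, "user", "EXAMPLE.COM"),
        "legit_fixed": verify_fixed(key, KERB_CHECKSUM_HMAC_MD5, good, "user", "EXAMPLE.COM"),
        "altered_vulnerable": verify_vulnerable(key, CKSUMTYPE_CRC32, bad, "administrator", "EXAMPLE.COM"),
        "altered_fixed": verify_fixed(key, CKSUMTYPE_CRC32, bad, "administrator", "EXAMPLE.COM"),
    }
```

Only the last entry differs between the two verifiers: the fixed check turns the downgraded request away without ever computing a checksum.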
Flags: abartlet: review+