=========================================================== == Subject: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum == == CVE ID#: CVE-2018-16860 == == Versions: All Samba versions since Samba 4.0 == All releases of Heimdal from 0.8 including 7.5.0 == and any products that ship a KDC derived from one of == those Heimdal releases. == == Summary: The checksum validation in the S4U2Self handler in == the embedded Heimdal KDC did not first confirm that the == checksum was keyed, allowing replacement of the == requested target (client) principal. =========================================================== =========== Description =========== S4U2Self (aka protocol-transition) is an extension to Kerberos used in Active Directory to allow the creation of arbitrary Kerberos tickets, written only to the local server. This is helpful in obtaining a full list of the groups (SIDs) for a user given only a login name (see MS-SFU, linked below). S4U2Proxy (aka constrained-delegation) is an extension of this mechanism allowing this impersonation over the network, allowing a privileged server to assert the identity of any user (who has presumably asserted their own identity via a non-Kerberos protocol). The flaw in Samba's AD DC is that the Heimdal KDC, when checking the checksum that is placed on the S4U2Self packet by the server to protect the target principal against modification, it does not confirm that the checksum algorithm is keyed. This allows a MITM to modify the packet and to generate instead a CRC32 checksum (which requires no prior knowledge to compute). This in turn would allow a ticket requested on behalf of user@EXAMPLE.COM to be issued instead on behalf (and contain the PAC) of administrator@EXAMPLE.COM. ================== Patch Availability ================== Patches addressing both these issues have been posted to: http://www.samba.org/samba/security/ Additionally, Samba 4.8.12, 4.9.8 and 4.10.3 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5) ========================= Workaround and Mitigation ========================= If no server takes privileged actions based on tickets obtained by S4U2Self nor obtains tickets via S4U2Proxy then this issue cannot be exploited. The path to an exploit is not generic, the KDC is not harmed by the malicious checksum, it is the client service requesting the ticket being mislead, because it trusted the KDC to return the correct ticket and PAC. It is out of scope for Samba to describe all of the possible tool chains that might be vulnerable. SFU2Self might be used by a web service authenticating an end user via OAuth, Shibboleth, or other protocols to obtain a Kerberos service ticket for use by any Kerberos service principal the web service has a keytab for. One example is acquiring an AFS token by requesting an afs/cell@REALM service ticket for a client via SFU2Self. With this exploit an organization that deploys a KDC built from Heimdal (be it Heimdal directly or vendor versions such as found in Samba) is vulnerable to privilege escalation attacks. Likewise, if for instance the server authenticates users using X509 certificates, and then uses S4U2Self to obtain a ticket on behalf of the user in order to authorize access to local resources or to be used via S4U2Proxy extension in order to provide access to network resources. In such a scenario and under conditions allowing active network protocol manipulation, a malicious user could authenticate using a certificate of an unprivileged user, and then elevate its privileges by intercepting the packet from the server to the KDC and changing the requested principal name. Samba clients that use S4U2Self are only: - the "net ads kerberos pac dump" (debugging) tool. - the CIFS proxy in the deprecated/developer-only NTVFS file server In particular, winbindd does not use S4U2Self. Finally, MIT Kerberos and so therefore the experimental MIT KDC backend for Samba AD is understood not to be impacted. =============== Further Reading =============== There is more detail on and a description of the protocols in [MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/ ======= Credits ======= Originally reported by Isaac Boukris and Andrew Bartlett of the Samba Team and Catalyst. Patches provided by Isaac Boukris. Advisory written by Andrew Bartlett of the Samba Team and Catalyst, with contributions from Isaac Boukris and Jeffrey Altman. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================