=================================================================
== Subject:     kpasswd authentication with canonicalization
==              enabled against Samba AD DC with Heimdal returns
==              a krbtgt
==
== CVE ID#:     CVE-2022-XXXXX
==
== Versions:    All versions of Samba prior to 4.16.x
==
== Summary:     This vulnerability allows a user who is requested
==              to change his password to get a normal krbtgt instead
==              of a restricted ticket only for changing the password.
==              This can only happen if Samba is built with Heimdal
==              Kerberos.
=================================================================

===========
Description
===========

All versions of Samba prior to 4.16.x built with Heimdal Kerberos are
vulnerable to an Elevation of Privilege attack.

If the password of a user expires and needs to be changed, a user could
get a krbtgt using kpasswd with canonicalization turned on. The KDC
should only provide a ticket for kadmin/changepw, but returns a krbtgt.
So a user could skip the password change and just use the krbtgt to
get service tickets and use services in the forest.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.x and 4.14.x have been issued as security
releases to correct the defect. Samba administrators are advised to
upgrade to these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

=======
Credits
=======

Originally reported by Luke Howard.

Patches provided by Joseph Sutton and Andreas Schneider of the Samba
team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
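The rule the Description states (a kpasswd request for kadmin/changepw must never be answered with a krbtgt) written as a policy check over the requested and issued service principal names. This is an added example, not Samba or Heimdal code; it assumes that canonicalization may change only the realm of the issued name, never the service, and the principal strings in the comments are constructed.

```python
"""Check that a ticket issued for a kpasswd (kadmin/changepw) request
did not turn into a krbtgt. Added example; not Samba or Heimdal code."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Principal:
    components: tuple  # e.g. ("kadmin", "changepw")
    realm: str         # e.g. "EXAMPLE.COM"


def parse_principal(text: str) -> Principal:
    """Parse 'comp1/comp2@REALM'; a backslash escapes '/', '@' and '\\'."""
    comps, cur, in_realm, i = [], "", False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character
            cur += text[i + 1]
            i += 2
            continue
        if not in_realm and ch in "/@":
            comps.append(cur)
            cur = ""
            in_realm = ch == "@"
        else:
            cur += ch
        i += 1
    if not in_realm or not cur or any(c == "" for c in comps):
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(tuple(comps), cur)


def is_changepw(p: Principal) -> bool:
    return p.components == ("kadmin", "changepw")


def is_tgt(p: Principal) -> bool:
    # krbtgt/<REALM> is a ticket-granting ticket, not a password-change ticket
    return len(p.components) == 2 and p.components[0] == "krbtgt"


def changepw_ticket_ok(requested: str, issued: str, canonicalize: bool) -> bool:
    """A request for kadmin/changepw may only yield kadmin/changepw.
    Assumption: canonicalization may alter the realm (referral to the
    canonical realm) but must never change the service. A krbtgt issued
    here is the defect the advisory describes."""
    req, iss = parse_principal(requested), parse_principal(issued)
    if not is_changepw(req):
        return True  # policy only concerns password-change requests
    if is_tgt(iss) or not is_changepw(iss):
        return False
    return canonicalize or iss.realm == req.realm  # exact match unless canonicalized
```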