The Samba-Bugzilla – Attachment 17305 Details for Bug 15047
[SECURITY] CVE-2022-2031 kadmin/changepw gets a krbtgt key as AS-REP
Advisory draft #1
CVE-kadmin-advisory-draftv1.txt (text/plain), 1.85 KB, created by Andreas Schneider on 2022-05-24 14:15:44 UTC
>=================================================================
>== Subject:     kpasswd authentication with canonicalization
>==              enabled against Samba AD DC with Heimdal returns
>==              a krbtgt
>==
>== CVE ID#:     CVE-2022-XXXXX
>==
>== Versions:    All versions of Samba prior to 4.16.x
>==
>== Summary:     This vulnerability allows a user who is requested
>==              to change his password to get a normal krbtgt instead
>==              of a restricted ticket only for changing the password.
>==              This can only happen if Samba is built with Heimdal
>==              Kerberos.
>=================================================================
>
>===========
>Description
>===========
>
>All versions of Samba prior to 4.16.x built with Heimdal Kerberos are
>vulnerable to an Elevation of Privilege attack. If the password of
>a user expires and needs to be changed, a user could get a krbtgt
>using kpasswd with canonicalization turned on.
>The KDC should only provide a ticket for kadmin/changepw but returns
>a krbtgt. So a user could skip the password change and just use
>the krbtgt to get service tickets and use services in the forest.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, 4.15.x and 4.14.x have been issued as
>security releases to correct the defect. Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>=======
>Credits
>=======
>
>Originally reported by Luke Howard.
>
>Patches provided by Joseph Sutton and Andreas Schneider of the Samba team.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
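An added illustration, not part of the advisory draft or of Samba's code: a check over klist-style output that a credential cache obtained for a password change holds only a kadmin/changepw ticket, which is what the description says the KDC should issue. The two listings, the realm EXAMPLE.TEST and the user alice are constructed, and the MIT-style column layout is an assumption.

```python
# Constructed klist-style listings (MIT column layout assumed); realm and user are made up.
FIXED_KDC = """\
Ticket cache: FILE:/tmp/krb5cc_demo
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
05/24/2022 14:15:44  05/24/2022 14:20:44  kadmin/changepw@EXAMPLE.TEST
"""

VULNERABLE_KDC = """\
Ticket cache: FILE:/tmp/krb5cc_demo
Default principal: alice@EXAMPLE.TEST

Valid starting       Expires              Service principal
05/24/2022 14:15:44  05/25/2022 00:15:44  krbtgt/EXAMPLE.TEST@EXAMPLE.TEST
\trenew until 05/31/2022 14:15:44
"""


def service_principals(klist_text):
    """Return the service principal of every ticket row after the header line."""
    principals, in_table = [], False
    for line in klist_text.splitlines():
        if "Service principal" in line:
            in_table = True
        elif in_table and line.strip() and not line[0].isspace():
            # Indented rows ("renew until ...") belong to the previous ticket.
            principals.append(line.split()[-1])
    return principals


def unexpected_tickets(klist_text, expected_service="kadmin/changepw"):
    """List (kind, principal) for tickets not issued for the password-change service."""
    bad = []
    for principal in service_principals(klist_text):
        service = principal.rsplit("@", 1)[0]  # drop the realm if present
        if service != expected_service:
            kind = "TGT" if service.split("/")[0] == "krbtgt" else "other"
            bad.append((kind, principal))
    return bad


if __name__ == "__main__":
    for name, listing in (("fixed", FIXED_KDC), ("vulnerable", VULNERABLE_KDC)):
        print(name, unexpected_tickets(listing) or "only kadmin/changepw present")
```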