The Samba-Bugzilla – Attachment 17354 Details for Bug 15074
CVE-2022-32744 [SECURITY] kpasswd service accepts forged tickets
Advisory draft #1
advisory.txt (text/plain), 2.19 KB, created by Jennifer Sutton on 2022-06-15 09:57:47 UTC
===========================================================
== Subject:     Samba AD users can forge password change requests for
==              any user.
==
== CVE ID#:     CVE-2022-32744
==
== Versions:    Samba 4.3 and later
==
== Summary:     The KDC accepts kpasswd requests encrypted with any
==              key known to it. By encrypting forged kpasswd requests
==              with its own key, a user can change the passwords of
==              other users, enabling full domain takeover.
===========================================================

===========
Description
===========

Tickets received by the kpasswd service were decrypted without
specifying that only that service's own keys should be tried. By
setting the ticket's server name to a principal associated with their
own account, or by exploiting a fallback where known keys would be
tried until a suitable one was found, an attacker could have the
server accept tickets encrypted with any key, including their own.

A user could thus change the password of the Administrator account and
gain total control over the domain. Full loss of confidentiality and
integrity would be possible, as well as of availability by denying
users access to their accounts.

In addition, the kpasswd service would accept tickets encrypted by the
krbtgt key of an RODC, in spite of the fact that RODCs should not have
been able to authorise password changes.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.14.next, 4.15.next, and 4.16.next have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

==========
Workaround
==========

None.

=======
Credits
=======

Initial report, patches, and this advisory by Joseph Sutton of
Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
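The key-selection flaw described in the advisory, as an added toy model (not Samba or Heimdal code, and not the actual patch). An HMAC tag stands in for ticket encryption, and every principal name, key and function name below is constructed for illustration.

```python
import hashlib
import hmac

KPASSWD = "kadmin/changepw"
# Constructed toy key database: principal -> long-term key (not real Kerberos keys).
KEYS = {
    KPASSWD: b"kpasswd-service-key",
    "krbtgt/EXAMPLE": b"krbtgt-key",
    "krbtgt_1234/EXAMPLE": b"rodc-krbtgt-key",  # hypothetical RODC krbtgt account
    "alice": b"alice-user-key",
}


def seal(key, sname, client):
    """Model of ticket encryption: an HMAC tag stands in for the encrypted part."""
    tag = hmac.new(key, f"{sname}|{client}".encode(), hashlib.sha256).digest()
    return {"sname": sname, "client": client, "tag": tag}


def opens_with(key, ticket):
    """Model of decryption: succeeds only with the key that sealed the ticket."""
    expected = seal(key, ticket["sname"], ticket["client"])["tag"]
    return hmac.compare_digest(expected, ticket["tag"])


def accept_flawed(ticket):
    """Pre-fix behaviour as the advisory describes it: the key is chosen by the
    ticket's server name, then every known key is tried as a fallback."""
    named = KEYS.get(ticket["sname"])
    if named is not None and opens_with(named, ticket):
        return True
    return any(opens_with(k, ticket) for k in KEYS.values())


def accept_restricted(ticket):
    """Restricted behaviour: only the kpasswd service's own key is ever tried."""
    if ticket["sname"] != KPASSWD:
        return False
    return opens_with(KEYS[KPASSWD], ticket)


def demo():
    # (flawed, restricted) verdicts for four constructed tickets.
    genuine = seal(KEYS[KPASSWD], KPASSWD, "alice")
    own_sname = seal(KEYS["alice"], "alice", "alice")    # server name = own principal
    fallback = seal(KEYS["alice"], KPASSWD, "alice")     # right name, wrong key
    rodc = seal(KEYS["krbtgt_1234/EXAMPLE"], "krbtgt_1234/EXAMPLE", "alice")
    return [(accept_flawed(t), accept_restricted(t))
            for t in (genuine, own_sname, fallback, rodc)]
```

Only the genuine ticket passes both acceptors; the other three pass only the flawed one, covering the server-name case, the key-fallback case and the RODC krbtgt case from the description.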
Flags: abartlet: review+