=========================================================== == Subject: Samba AD users can bypass certain restrictions == associated with changing passwords. == == CVE ID#: CVE-2022-2031 == == Versions: All versions of Samba prior to 4.16.next == == Summary: The KDC and the kpasswd service share a single account == and set of keys, allowing them to decrypt each other's == tickets. A user who has been requested to change their == password can exploit this to obtain and use tickets to == other services. =========================================================== =========== Description =========== The KDC and the kpasswd service share a single account and set of keys. In certain cases, this makes the two services susceptible to confusion. When a user's password has expired, that user is requested to change their password. Until doing so, the user is restricted to only acquiring tickets to kpasswd. However, a vulnerability meant that the kpasswd's principal, when canonicalized, was set to that of the TGS (Ticket-Granting Service), thus yielding TGTs from ordinary kpasswd requests. These TGTs could be used to perform an Elevation of Privilege attack by obtaining service tickets and using services in the forest. This vulnerability existed in versions of Samba built with Heimdal Kerberos. A separate vulnerability in Samba versions below 4.16, and in Samba built with MIT Kerberos, led the KDC to accept kpasswd tickets as if they were TGTs, with the same overall outcome. On the reverse side of the issue, password changes could be effected by presenting TGTs as if they were kpasswd tickets. TGTs having potentially longer lifetimes than kpasswd tickets, the value of a stolen cache containing a TGT was hence increased to an attacker, with the possibility of indefinite control over an account by means of a password change. Finally, kpasswd service tickets would be accepted for changes to one's own password, contrary to the requirement that tickets be acquired with an initial KDC request in such cases. As part of the mitigations, the lifetime of kpasswd tickets has been restricted to a maximum of two minutes. The KDC will not longer accept TGTs with two minutes or less left to live, to make sure it does not accept kpasswd tickets. ================== Patch Availability ================== Patches addressing these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.14.next, 4.15.next, and 4.16.next have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4) ========== Workaround ========== None. ======= Credits ======= Originally reported by Luke Howard. Patches provided by Joseph Sutton and Andreas Schneider of the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================