The Samba-Bugzilla – Attachment 17360 Details for Bug 15047
[SECURITY] CVE-2022-2031 kadmin/changew gets a krbtgt key as AS-REP
Advisory draft #4
advisory.txt (text/plain), 3.12 KB, created by Jo Sutton on 2022-06-16 05:10:16 UTC
===========================================================
== Subject: Samba AD users can bypass certain restrictions
== associated with changing passwords.
==
== CVE ID#: CVE-2022-2031
==
== Versions: All versions of Samba prior to 4.16.next
==
== Summary: The KDC and the kpasswd service share a single account
== and set of keys, allowing them to decrypt each other's
== tickets. A user who has been requested to change their
== password can exploit this to obtain and use tickets to
== other services.
===========================================================

===========
Description
===========

The KDC and the kpasswd service share a single account and set of
keys. In certain cases, this makes the two services susceptible to
confusion.

When a user's password has expired, that user is requested to change
their password. Until doing so, the user is restricted to only
acquiring tickets to kpasswd.

However, a vulnerability meant that the kpasswd service's principal,
when canonicalized, was set to that of the TGS (Ticket-Granting
Service), thus yielding TGTs from ordinary kpasswd requests. These
TGTs could be used to perform an Elevation of Privilege attack by
obtaining service tickets and using services in the forest. This
vulnerability existed in versions of Samba built with Heimdal
Kerberos.

A separate vulnerability in Samba versions below 4.16, and in Samba
built with MIT Kerberos, led the KDC to accept kpasswd tickets as if
they were TGTs, with the same overall outcome.

On the reverse side of the issue, password changes could be effected
by presenting TGTs as if they were kpasswd tickets. TGTs having
potentially longer lifetimes than kpasswd tickets, a stolen
credential cache containing a TGT was hence more valuable to an
attacker, with the possibility of indefinite control over an account
by means of a password change.

Finally, kpasswd service tickets would be accepted for changes to
one's own password, contrary to the requirement that tickets be
acquired with an initial KDC request in such cases.

As part of the mitigations, the lifetime of kpasswd tickets has been
restricted to a maximum of two minutes. The KDC will no longer accept
TGTs with two minutes or less left to live, to make sure it does not
accept kpasswd tickets.

==================
Patch Availability
==================

Patches addressing these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.14.next, 4.15.next, and 4.16.next have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Luke Howard.

Patches provided by Joseph Sutton and Andreas Schneider of the Samba
team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
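As an added illustration (not Samba or Heimdal code, and not taken from this bug's patches), the following Python model plays the confusion scenarios from the advisory against the checks it describes: the two-minute cap on kpasswd ticket lifetime, the KDC's refusal of TGTs with two minutes or less remaining, the name check between krbtgt and kadmin/changepw, and the initial-ticket requirement for changing one's own password. The realm EXAMPLE.COM, the principal names, the ten-hour TGT lifetime, the fixed clock and the treatment of non-initial tickets when changing another account's password are assumptions of the model, not statements from the advisory.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed values for the model; realm, principal names and clock are assumptions.
REALM = "EXAMPLE.COM"
TGS = f"krbtgt/{REALM}"
KPASSWD = "kadmin/changepw"
KPASSWD_MAX_LIFETIME = timedelta(minutes=2)   # advisory: kpasswd tickets live at most two minutes
TGT_MIN_REMAINING = timedelta(minutes=2)      # advisory: KDC refuses TGTs with two minutes or less left
NOW = datetime(2022, 6, 16, 5, 10, 16, tzinfo=timezone.utc)  # fixed clock for the scenarios


@dataclass(frozen=True)
class Ticket:
    client: str
    server: str        # service principal the ticket names
    endtime: datetime
    initial: bool      # True only for tickets obtained directly from an AS-REQ


def as_req(client, service, now, requested_lifetime):
    """Initial (AS) request; kpasswd tickets are clamped to the two-minute cap."""
    if service == KPASSWD:
        requested_lifetime = min(requested_lifetime, KPASSWD_MAX_LIFETIME)
    return Ticket(client, service, now + requested_lifetime, initial=True)


def tgs_req(tgt, service, now, requested_lifetime):
    """Service ticket obtained with a TGT: not initial, and never outlives the TGT."""
    if not kdc_accepts_as_tgt(tgt, now):
        raise PermissionError("TGS-REQ refused: presented ticket is not a usable TGT")
    endtime = min(tgt.endtime, now + requested_lifetime)
    if service == KPASSWD:
        endtime = min(endtime, now + KPASSWD_MAX_LIFETIME)
    return Ticket(tgt.client, service, endtime, initial=False)


def kdc_accepts_as_tgt(ticket, now, name_check=True):
    """TGS side: would the KDC treat this ticket as a TGT?

    name_check=False models the pre-fix confusion, where the shared key let a
    kpasswd ticket decrypt as if it were a TGT; the remaining-lifetime rule is
    what still rejects a two-minute kpasswd ticket in that case.
    """
    if ticket.endtime <= now:
        return False
    if name_check and ticket.server != TGS:
        return False
    return ticket.endtime - now > TGT_MIN_REMAINING


def kpasswd_accepts(ticket, now, self_change):
    """kpasswd side: a TGT is never a kpasswd ticket, and changing one's own
    password requires a ticket obtained with an initial request (assumed model:
    a non-initial ticket is still fine for setting another account's password)."""
    if ticket.endtime <= now or ticket.server != KPASSWD:
        return False
    return ticket.initial or not self_change


def tgs_req_with_kpasswd_ticket_fails(now):
    """True if a kpasswd ticket cannot stand in for a TGT to obtain service tickets."""
    kp = as_req(f"alice@{REALM}", KPASSWD, now, timedelta(hours=10))
    try:
        tgs_req(kp, f"cifs/fs01.{REALM.lower()}", now, timedelta(hours=1))
    except PermissionError:
        return True
    return False


def run_scenarios(now):
    """Constructed scenarios from the advisory; returns scenario -> accepted?"""
    user = f"alice@{REALM}"
    tgt = as_req(user, TGS, now, timedelta(hours=10))
    kp = as_req(user, KPASSWD, now, timedelta(hours=10))        # clamped to two minutes
    kp_via_tgs = tgs_req(tgt, KPASSWD, now, timedelta(minutes=5))
    nearly_dead_tgt = Ticket(user, TGS, now + timedelta(seconds=90), initial=True)
    return {
        "kpasswd ticket used as TGT": kdc_accepts_as_tgt(kp, now),
        "kpasswd ticket used as TGT, name check confused": kdc_accepts_as_tgt(kp, now, name_check=False),
        "TGT used as kpasswd ticket": kpasswd_accepts(tgt, now, self_change=True),
        "initial kpasswd ticket, own password": kpasswd_accepts(kp, now, self_change=True),
        "TGS-derived kpasswd ticket, own password": kpasswd_accepts(kp_via_tgs, now, self_change=True),
        "TGS-derived kpasswd ticket, another account": kpasswd_accepts(kp_via_tgs, now, self_change=False),
        "TGT with 90 seconds left": kdc_accepts_as_tgt(nearly_dead_tgt, now),
        "fresh TGT": kdc_accepts_as_tgt(tgt, now),
        "kpasswd ticket lifetime capped": kp.endtime - now == KPASSWD_MAX_LIFETIME,
    }


if __name__ == "__main__":
    for name, ok in run_scenarios(NOW).items():
        print(f"{'accept' if ok else 'reject':6}  {name}")
```

Running it prints accept/reject for each scenario. The "name check confused" case shows why the KDC threshold equals the kpasswd cap: a freshly issued kpasswd ticket has exactly two minutes left, which is not more than two minutes, so it fails the remaining-lifetime test even if the KDC decrypted it with the shared key and trusted its contents. The cost is that a legitimate TGT in its last two minutes is also refused, which the advisory accepts as part of the mitigation.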
Flags: abartlet: review+