===========================================================
== Subject:     rc4-hmac Kerberos session keys issued
==              to modern servers
==
== CVE ID#:     CVE-2022-3938 (MS CVE-2022-37966)
==
== Versions:    All versions of the Samba AD DC
==
== Summary:     This is the Samba CVE for the Windows Kerberos
==              RC4-HMAC Elevation of Privilege Vulnerability
==              disclosed by Microsoft on Nov 8 2022.
==
==              A Samba Active Directory DC will issue weak rc4-hmac
==              session keys for use between modern clients and servers
==              despite all modern Kerberos implementations supporting
==              the aes256-cts-hmac-sha1-96 cipher.
===========================================================

===========
Description
===========

Kerberos, the trusted third party authentication system at the heart of
Active Directory, issues a session key known to the target server and
the client, encrypted to both parties in a TGS-REP.  This key needs to
be of a type understood by all parties.

Traditionally it was assumed that the administrator would provision the
strongest long-term key possible for the software on the Kerberos
target, so this long-term key list was also used as the set of possible
session keys.

This is a reasonable assumption where regular updates to
msDS-SupportedEncryptionTypes are made.  However, if this attribute is
not updated, the default has been the rc4-hmac (arcfour-hmac-md5)
cipher introduced in Active Directory in Windows 2000.

It is not possible, without specific testing, to update
msDS-SupportedEncryptionTypes to include the AES cipher bits
arbitrarily (the target may not have AES keys in the keytab, or may
have the wrong salt), but it is reasonable in 2022 to assert that all
Kerberos clients understand the aes256-cts-hmac-sha1-96 cipher.

After this update, the default for an unspecified
msDS-SupportedEncryptionTypes becomes based on an smb.conf option
"default domain supported enctypes", and this is set by default to
"arc4-hmac, aes256-cts-hmac-sha1-96-sk".
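The following model of the session-key selection rule is an added
illustration for this advisory; it is not Samba's code.  It assumes the
documented msDS-SupportedEncryptionTypes bit values (rc4-hmac = 4,
aes128 = 8, aes256 = 16), treats "arc4-hmac" / "rc4-hmac" as aliases of
arcfour-hmac-md5, and applies the "-sk" rule described in the next
paragraph and the value-16 workaround described further below.  The
function names and the legacy_default switch are hypothetical.

```python
"""Model of how a Samba AD DC picks ticket and session-key enctypes.

Added illustration, not Samba source.  The bit values are the
msDS-SupportedEncryptionTypes flags documented for Active Directory;
the "-sk" behaviour follows this advisory's description.
"""

# msDS-SupportedEncryptionTypes bit flags (DES bits 0x1/0x2 are omitted:
# Samba does not support DES).
RC4_HMAC = 0x4
AES128_CTS_HMAC_SHA1_96 = 0x8
AES256_CTS_HMAC_SHA1_96 = 0x10

ENCTYPE_BITS = {
    "arcfour-hmac-md5": RC4_HMAC,
    "aes128-cts-hmac-sha1-96": AES128_CTS_HMAC_SHA1_96,
    "aes256-cts-hmac-sha1-96": AES256_CTS_HMAC_SHA1_96,
}

# Strongest first: the order in which a usable enctype is picked.
PREFERENCE = [
    "aes256-cts-hmac-sha1-96",
    "aes128-cts-hmac-sha1-96",
    "arcfour-hmac-md5",
]

# Names the advisory uses for rc4-hmac, mapped to the canonical name.
ALIASES = {
    "arc4-hmac": "arcfour-hmac-md5",
    "rc4-hmac": "arcfour-hmac-md5",
    "arcfour-hmac": "arcfour-hmac-md5",
}

# Post-update default quoted in the advisory.
DEFAULT_DOMAIN_SUPPORTED_ENCTYPES = "arc4-hmac, aes256-cts-hmac-sha1-96-sk"


def parse_default_domain_supported_enctypes(value):
    """Parse the smb.conf 'default domain supported enctypes' string.

    Returns (bitmask, aes256_sk): the enctype bits to use when the
    target's attribute is unset, and whether the non-IETF
    aes256-cts-hmac-sha1-96-sk marker was present.
    """
    bits = 0
    sk = False
    for tok in value.split(","):
        tok = tok.strip().lower()
        if not tok:
            continue
        if tok == "aes256-cts-hmac-sha1-96-sk":
            sk = True
            continue
        tok = ALIASES.get(tok, tok)
        if tok not in ENCTYPE_BITS:
            raise ValueError(f"unknown enctype {tok!r}")
        bits |= ENCTYPE_BITS[tok]
    return bits, sk


def decode_supported_enctypes(bits):
    """Names (strongest first) encoded in an msDS-SupportedEncryptionTypes value."""
    return [n for n in PREFERENCE if bits & ENCTYPE_BITS[n]]


def select_enctypes(target_supported, client_enctypes, domain_default,
                    legacy_default=False):
    """Return (ticket_enctype, session_key_enctype) for a TGS-REP.

    target_supported: msDS-SupportedEncryptionTypes of the service
        account, or None when the attribute is unset.
    client_enctypes: enctype names the client offers in the TGS-REQ.
    domain_default: the smb.conf string used when the attribute is unset.
    legacy_default: hypothetical switch modelling the pre-patch DC,
        where an unset attribute simply meant rc4-hmac.
    """
    sk = False
    if target_supported is None:
        if legacy_default:
            bits = RC4_HMAC
        else:
            bits, sk = parse_default_domain_supported_enctypes(domain_default)
    else:
        bits = target_supported

    # Ticket key: the strongest long-term key the target is allowed to have.
    usable = decode_supported_enctypes(bits)
    if not usable:
        raise ValueError("no usable enctype for target")
    ticket = usable[0]

    if ticket == "arcfour-hmac-md5" and sk:
        # The "-sk" rule: the ticket stays rc4-hmac, but the session key
        # must be aes256, which every modern client is assumed to support.
        if "aes256-cts-hmac-sha1-96" not in client_enctypes:
            raise ValueError("client cannot take an aes256 session key")
        return ticket, "aes256-cts-hmac-sha1-96"

    # Traditional rule: session key drawn from the target's own key list,
    # restricted to what the client also understands.
    common = [n for n in usable if n in client_enctypes]
    if not common:
        raise ValueError("no session-key enctype common to client and target")
    return ticket, common[0]


if __name__ == "__main__":
    client = PREFERENCE  # a modern client offering aes256, aes128 and rc4
    print("pre-patch, attribute unset:",
          select_enctypes(None, client, DEFAULT_DOMAIN_SUPPORTED_ENCTYPES,
                          legacy_default=True))
    print("post-patch, attribute unset:",
          select_enctypes(None, client, DEFAULT_DOMAIN_SUPPORTED_ENCTYPES))
    print("workaround, attribute = 16:",
          select_enctypes(16, client, DEFAULT_DOMAIN_SUPPORTED_ENCTYPES))
```

Run as a script, the three cases show the progression the advisory
describes: the old default yields an rc4-hmac ticket and an rc4-hmac
session key; the new default keeps the rc4-hmac ticket but forces an
aes256 session key; and setting the attribute to 16 on the service
account removes rc4-hmac from both.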
aes256-cts-hmac-sha1-96-sk is a non-IETF keytype name with the
behaviour that if rc4-hmac (the insecure algorithm being avoided; Samba
does not support DES) is used for the ticket key, aes256-cts-hmac-sha1-96
session keys must be used instead.  This avoids RC4 and HMAC-MD5 in the
subsequent encrypted connection (e.g. GSSAPI-secured LDAP or DCE/RPC)
and also enforces the use of a secure checksum in the SPNEGO
authentication negotiation system (this disables an insecure legacy
fallback).

However, the ticket itself will still be encrypted with rc4-hmac.  The
preferred solution is in the Workaround below.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect.  Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1)

It is noted that this score matches Microsoft's for the same issue.

============================
Workaround and long-term fix
============================

After confirming that a valid key of aes256-cts-hmac-sha1-96 is present
in the target service keytab, setting msDS-SupportedEncryptionTypes to
(base 10) 16 on that service's account in LDAP will avoid using rc4-hmac
entirely.

AES256 support can also be set in Active Directory Users and Computers.

=======
Credits
=======

Originally reported to Microsoft by Tom Tervoort with Secura
https://www.secura.com/ and released as CVE-2022-37966.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Joseph Sutton of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================