===========================================================
== Subject:     Kerberos constrained delegation ticket
==              forgery possible against Samba AD DC
==
== CVE ID#:     CVE-2022-37967
==
== Versions:    All versions of the Samba AD DC
==
== Summary:     This is the Samba CVE for the Windows
==              Kerberos Elevation of Privilege Vulnerability
==              disclosed by Microsoft on Nov 8 2022.
==
==              A service account with the special constrained
==              delegation permission could forge a more powerful
==              ticket than the one it was presented with.
===========================================================

===========
Description
===========

Kerberos constrained delegation, also known as S4U2Proxy, requires
that the intermediate service present to the KDC a valid Kerberos
ticket obtained by the user as evidence that they had authenticated,
so that a new ticket can be issued for the target server.

This ticket is signed in multiple stages, but the important
protection of the SID list is done first with the server's key, and
then with the krbtgt key over that result.

However, HMAC-MD5 is weak in 2022, and given that the intermediate
server knows its own password and can set it to arbitrary values, it
is feasible to brute force a new server checksum that matches the
value already signed by the krbtgt key, but including a privileged
group.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect. Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

==========
Workaround
==========

Disable delegation for services that are not fully trusted.

=======
Credits
=======

Originally reported to Microsoft by Tom Tervoort of Secura.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.
Patches provided by Joseph Sutton of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
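The two-stage PAC signing chain described under Description above, as an added illustration that is not Samba code: the service key signs the PAC body with the RFC 4757 HMAC-MD5 checksum (key usage 17, KERB_NON_KERB_CKSUM_SALT), and the krbtgt key then signs only that 16-byte server checksum, so the krbtgt signature never directly covers the SID list. The PAC body and keys are constructed stand-ins, not real MS-PAC encoding.

```python
import hashlib
import hmac

# Key usage shared by the PAC server and KDC checksums (MS-PAC 2.8 / RFC 4757).
KERB_NON_KERB_CKSUM_SALT = 17

# Constructed sample inputs: a stand-in for a PAC buffer with its signature
# fields zeroed, plus 16-byte RC4 keys. Not real PAC or key material.
SAMPLE_PAC = b"user=alice;sids=S-1-5-21-1-2-3-1105,S-1-5-21-1-2-3-513"
SERVICE_KEY = bytes(range(16))          # key the intermediate service holds
KRBTGT_KEY = bytes(range(16, 32))       # key only the KDC holds


def rc4_hmac_md5_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """RFC 4757 section 4 keyed checksum (checksum type -138, HMAC-MD5)."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(usage.to_bytes(4, "little") + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def sign_pac(pac_body: bytes, service_key: bytes, krbtgt_key: bytes):
    """Stage 1: service key over the whole body. Stage 2: krbtgt key over the
    16-byte server signature only. Returns (server_sig, kdc_sig)."""
    server_sig = rc4_hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, pac_body)
    kdc_sig = rc4_hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    return server_sig, kdc_sig


def kdc_verify(pac_body: bytes, server_sig: bytes, kdc_sig: bytes,
               service_key: bytes, krbtgt_key: bytes) -> bool:
    """The check a KDC performs on the S4U2Proxy evidence ticket. Note that the
    body is bound to the krbtgt signature only through server_sig, a 16-byte
    HMAC-MD5 under a key the presenting service itself controls."""
    exp_server = rc4_hmac_md5_checksum(service_key, KERB_NON_KERB_CKSUM_SALT, pac_body)
    exp_kdc = rc4_hmac_md5_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, server_sig)
    return hmac.compare_digest(exp_server, server_sig) and \
        hmac.compare_digest(exp_kdc, kdc_sig)


if __name__ == "__main__":
    s, k = sign_pac(SAMPLE_PAC, SERVICE_KEY, KRBTGT_KEY)
    print("genuine PAC verifies:", kdc_verify(SAMPLE_PAC, s, k, SERVICE_KEY, KRBTGT_KEY))
    altered = SAMPLE_PAC + b",S-1-5-21-1-2-3-512"   # extra group, same signatures
    print("altered body, same sigs:", kdc_verify(altered, s, k, SERVICE_KEY, KRBTGT_KEY))
    print("krbtgt signs only", len(s), "bytes of server checksum")
```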