The Samba-Bugzilla – Attachment 17655 Details for Bug 15231: CVE-2022-37967 [SECURITY] Samba KDC needs to implement KrbtgtFullPacSignature to secure S4U2Proxy
Updated v3 advisory with MS CVE
CVE-2022-37967-KrbtgtFullPacSignature-v03.txt (text/plain), 2.32 KB, created by Andrew Bartlett on 2022-11-15 21:38:09 UTC
>===========================================================
>== Subject:     Kerberos constrained delegation ticket
>==              forgery possible against Samba AD DC
>==
>== CVE ID#:     CVE-2022-37967
>==
>== Versions:    All versions of the Samba AD DC
>==
>== Summary:     This is the Samba CVE for the Windows
>==              Kerberos Elevation of Privilege Vulnerability
>==              disclosed by Microsoft on Nov 8 2022.
>==
>==              A service account with the special constrained
>==              delegation permission could forge a more powerful
>==              ticket than the one it was presented with.
>===========================================================
>
>===========
>Description
>===========
>
>Kerberos constrained delegation, known also as S4U2Proxy, requires
>that the intermediate service present to the KDC a valid Kerberos
>ticket obtained by the user as evidence that they had authenticated,
>so that a new ticket can be issued for the target server.
>
>This ticket is signed in multiple stages, but the important protection
>of the SID list is done first with the server's key, and then with the
>krbtgt key over that result.
>
>However HMAC-MD5 is weak in 2022, and given that the intermediate
>server knows its own password and can set it to arbitrary values, it
>is feasible to brute force a new server checksum that matches the
>value already signed by the krbtgt key, but including a privileged
>group.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba $VERSIONS have been issued
>as security releases to correct the defect.  Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)
>
>==========
>Workaround
>==========
>
>Disable delegation for services that are not fully trusted.
>
>=======
>Credits
>=======
>
>Originally reported to Microsoft by Tom Tervoort of Secura.
>
>Advisory written by Andrew Bartlett of Catalyst and the Samba Team.
>
>Patches provided by Joseph Sutton of Catalyst and the Samba Team.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
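To apply the workaround above, an administrator first needs the list of accounts that hold constrained delegation rights. The following is an added example, not part of the Samba advisory or the Samba code base: it parses an LDIF export of the directory and lists every account with `msDS-AllowedToDelegateTo` set, so each can be reviewed for trust. It assumes the export includes `sAMAccountName`, `userAccountControl` and `msDS-AllowedToDelegateTo`; the sample data is constructed.

```python
import base64
UAC_ACCOUNTDISABLE = 0x2          # userAccountControl: account disabled
UAC_TRUSTED_TO_AUTH = 0x1000000   # TRUSTED_TO_AUTH_FOR_DELEGATION (protocol transition)

# Constructed sample export; the accounts and SPNs are made up.
SAMPLE_LDIF = """\
dn: CN=websvc,CN=Users,DC=example,DC=test
sAMAccountName: websvc
userAccountControl: 16777728
msDS-AllowedToDelegateTo: cifs/files.example.test
msDS-AllowedToDelegateTo: MSSQLSvc/db.example.test:
 1433

dn: CN=oldsvc,CN=Users,DC=example,DC=test
sAMAccountName:: b2xkc3Zj
userAccountControl: 514
msDS-AllowedToDelegateTo: http/intranet.example.test
"""

def parse_ldif(text):
    """Parse LDIF text into a list of {lowercased attribute: [values]} dicts."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, cur = [], {}
    for line in lines + [""]:               # trailing "" flushes the last entry
        attr, sep, value = line.partition(":")
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
        elif sep and not line.startswith("#"):
            if value.startswith(":"):       # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def delegating_accounts(entries):
    """List accounts with constrained delegation (S4U2Proxy) targets for review."""
    found = []
    for e in entries:
        uac = int(e.get("useraccountcontrol", ["0"])[0])
        if "msds-allowedtodelegateto" in e:
            found.append({"account": e.get("samaccountname", ["?"])[0],
                          "targets": sorted(e["msds-allowedtodelegateto"]),
                          "enabled": not uac & UAC_ACCOUNTDISABLE,
                          "protocol_transition": bool(uac & UAC_TRUSTED_TO_AUTH)})
    return found
```

Enabled accounts in the result are the ones to check first against the "fully trusted" criterion; disabled ones are candidates for having the delegation attribute cleared.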