The Samba-Bugzilla – Attachment 17680 Details for Bug 15214
CVE-2022-45141 [SECURITY] Samba 4.15 and prior using Heimdal KDC allows selection of weaker ticket types
Patches for v4-15-test
bfixes-CVE-2022-45141-v4-15.txt (text/plain), 4.15 KB, created by Stefan Metzmacher on 2022-12-07 19:11:40 UTC
Description: Patches for v4-15-test
Filename: bfixes-CVE-2022-45141-v4-15.txt
MIME Type: text/plain
Creator: Stefan Metzmacher
Created: 2022-12-07 19:11:40 UTC
Size: 4.15 KB
Flags: patch, obsolete
>From 2be27ec1d7f3bfcdcac65bca1db53772535fe7bf Mon Sep 17 00:00:00 2001 >From: Nicolas Williams <nico@cryptonector.com> >Date: Tue, 11 Oct 2011 23:57:58 -0500 >Subject: [PATCH 1/2] CVE-2022-45141 source4/heimdal: Fix TGS ticket enc-part > key selection > > When I added support for configuring how the KDC selects session, > reply, and ticket enc-part keys I accidentally had the KDC use the > session key selection algorithm for selecting the ticket enc-part > key. This becomes a problem when using a Heimdal KDC with an MIT > KDB as the HDB backend and when the krbtgt keys are not in > strongest-to-weakest order, in which case forwardable tickets minted > by the Heimdal KDC will not be accepted by MIT KDCs with the same > KDB. > >(cherry picked from Heimdal commit 12cd2c9cbd1ca027a3ef9ac7ab3e79526b1348ae) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source4/heimdal/kdc/krb5tgs.c | 7 ++----- > 1 file changed, 2 insertions(+), 5 deletions(-) > >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index 15be136496fa..7391393e4b64 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c >@@ -1665,17 +1665,14 @@ server_lookup: > } else { > Key *skey; > >- ret = _kdc_find_etype(context, >- config->tgs_use_strongest_session_key, FALSE, >- server, b->etype.val, b->etype.len, NULL, >- &skey); >+ ret = _kdc_get_preferred_key(context, config, server, spn, >+ &etype, &skey); > if(ret) { > kdc_log(context, config, 0, > "Server (%s) has no support for etypes", spn); > goto out; > } > ekey = &skey->key; >- etype = skey->key.keytype; > kvno = server->entry.kvno; > } > >-- >2.34.1 > > >From 2ea3f2db8087e0a2c4a18c633b039c722cb6f829 Mon Sep 17 00:00:00 2001 
>From: Nicolas Williams <nico@cryptonector.com> >Date: Wed, 12 Oct 2011 01:15:13 -0500 >Subject: [PATCH 2/2] CVE-2022-45141 source4/heimdal: Fix check-des > > The previous fix was incomplete. But it also finally uncovered an > old check-des problem that I'd had once and which may have gotten > papered over by changing the default of one of the *strongest* KDC > parameters. The old problem is that we were passing the wrong > enctype to _kdc_encode_reply(): we were passing the session key > enctype where the ticket enc-part key's enctype was expected. > > The whole enctype being passed in is superfluous anyways. Let's > clean that up next. > >(cherry picked from Heimdal commit 4c6976a6bdf8a76c6f3c650ae970d46c931e5c71) > >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15214 >BUG: https://bugzilla.samba.org/show_bug.cgi?id=15237 > >Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> >Reviewed-by: Stefan Metzmacher <metze@samba.org> >--- > source4/heimdal/kdc/krb5tgs.c | 15 ++++++++++++--- > 1 file changed, 12 insertions(+), 3 deletions(-) > >diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c >index 7391393e4b64..609649003ea5 100644 >--- a/source4/heimdal/kdc/krb5tgs.c >+++ b/source4/heimdal/kdc/krb5tgs.c >@@ -747,7 +747,7 @@ tgs_make_reply(krb5_context context, > etype list, even if we don't want a session key with > DES3? */ > ret = _kdc_encode_reply(context, config, >- &rep, &et, &ek, et.key.keytype, >+ &rep, &et, &ek, serverkey->keytype, > kvno, > serverkey, 0, replykey, rk_is_subkey, > e_text, reply); 
>@@ -1665,13 +1665,22 @@ server_lookup: > } else { > Key *skey; > >- ret = _kdc_get_preferred_key(context, config, server, spn, >- &etype, &skey); >+ ret = _kdc_find_etype(context, >+ config->tgs_use_strongest_session_key, FALSE, >+ server, b->etype.val, b->etype.len, &etype, >+ NULL); > if(ret) { > kdc_log(context, config, 0, > "Server (%s) has no support for etypes", spn); > goto out; > } >+ ret = _kdc_get_preferred_key(context, config, server, spn, >+ NULL, &skey); >+ if(ret) { >+ kdc_log(context, config, 0, >+ "Server (%s) has no supported etypes", spn); >+ goto out; >+ } > ekey = &skey->key; > kvno = server->entry.kvno; > } >-- >2.34.1 >
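Review bot: In the patch 1/2 hunk at `server_lookup:` (krb5tgs.c line 1665), the new `_kdc_get_preferred_key(context, config, server, spn, &etype, &skey)` call both selects the ticket enc-part key and overwrites `etype`, so the enctype that was previously derived from the client's requested `b->etype` list via `_kdc_find_etype` is now dictated by the server's preferred key; the session-key enctype and the ticket enc-part key are two separate selections and should stay that way (patch 2/2 in this same attachment does exactly that by passing `NULL` for the etype output here and restoring `_kdc_find_etype(..., &etype, NULL)`). The retained log text "Server (%s) has no support for etypes" is also now misleading, since the failing call no longer looks at the client's etypes at all; a message saying that no preferred key could be chosen for the server would describe the actual failure.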
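Review bot: In the patch 2/2 hunk at `tgs_make_reply` (krb5tgs.c line 747), `serverkey->keytype` is the correct enctype argument because `serverkey` is the key handed to `_kdc_encode_reply` two lines below, whereas `et.key.keytype` is the session key's enctype and only agrees with it when the KDC happens to pick the same enctype for both. As the commit message itself says, a separate enctype parameter is redundant once the key is passed in, and removing it from `_kdc_encode_reply` (rather than relying on every caller to pass `key->keytype`) is what closes this class of mismatch for good, so that cleanup is worth tracking as a follow-up to this fix.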
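Review bot: In the patch 2/2 hunk at `server_lookup:` (krb5tgs.c line 1665), the two error paths log nearly identical strings, "Server (%s) has no support for etypes" and "Server (%s) has no supported etypes", which an operator reading KDC logs cannot tell apart; the second should say that no preferred ticket key could be chosen for the server. Functionally the split is the intended shape: `_kdc_find_etype(..., b->etype.val, b->etype.len, &etype, NULL)` picks the session-key enctype from what the client offered, subject to `config->tgs_use_strongest_session_key`, while `_kdc_get_preferred_key(..., NULL, &skey)` picks the ticket enc-part key from the server's own keys independently of the client's list, so a client's etype list can no longer steer the ticket key toward a weaker type, which is the weakness named in the bug title.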
Flags: metze: ci-passed+