===========================================================
== Subject:     Kerberos constrained delegation ticket
==              forgery possible against Samba AD DC
==
== CVE ID#:     CVE-2022-37967
==
== Versions:    All versions of the Samba AD DC
==
== Summary:     This is the Samba CVE for the Windows
==              Kerberos Elevation of Privilege Vulnerability
==              disclosed by Microsoft on Nov 8 2022[1].
==
==              A service account with the special constrained
==              delegation permission could forge a more powerful
==              ticket than the one it was presented with.
===========================================================

===========
Description
===========

Kerberos constrained delegation, also known as S4U2Proxy, requires the
intermediate service to present to the KDC a valid Kerberos ticket
(including the PAC) that the user obtained for that service, as evidence
that the user had authenticated, so that a new ticket can be issued for
the target server.

The Kerberos PAC is signed in multiple stages. The protection that
matters for the SID list (the list of the user's groups) in the PAC is a
checksum computed first with the intermediate server's key over the PAC,
and then a checksum computed with the krbtgt key over that server
checksum only, not over the PAC contents themselves.

However, the rc4-hmac checksum as implemented in Kerberos is weak in
2022, for two reasons:

 * The construction is HMAC-MD5(MD5(DATA), KEY), so the keyed step only
   ever sees an unkeyed MD5 of the PAC. A PAC modified using the
   chosen-prefix collision techniques for MD5 keeps the same server
   checksum, without any knowledge of the key.

 * The intermediate server knows its own password (the key used in the
   HMAC-MD5 step) and can set it to arbitrary values.

It is therefore feasible to brute force a new server checksum that
matches the value already signed by the krbtgt key, but over a PAC that
includes a privileged group, and the KDC's checks will pass.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.13, 4.16.8 and 4.17.4 have been issued as
security releases to correct the defect.
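The following is an added illustration of the signature chain described in the Description section; it is not Samba code and reproduces neither the real PAC_INFO_BUFFER layout nor Samba's encoding of the new checksum. It implements the RFC 4757 rc4-hmac checksum with Python's standard library, models the pre-fix chain (server key over the PAC body, krbtgt key over the 16-byte server checksum only) next to a krbtgt-key checksum over the whole body, and shows that the krbtgt check never sees the PAC body. The keys, PAC contents and the Pac class are constructed for the example; the attacker step (an MD5 collision or a self-chosen service key that leaves the server checksum unchanged) is assumed rather than computed.

```python
# Added illustration, not Samba code: a simplified model of the PAC
# signature chain, built on the RFC 4757 rc4-hmac checksum.
# Keys, PAC contents and the Pac layout are constructed for this example;
# the real PAC_INFO_BUFFER encoding is not reproduced.
import hashlib
import hmac
import struct

KERB_NON_KERB_CKSUM_SALT = 17   # key usage number the PAC checksums are made with


def inner_md5(usage: int, data: bytes) -> bytes:
    """Unkeyed first step of the rc4-hmac checksum: MD5(usage_le32 || data)."""
    return hashlib.md5(struct.pack("<I", usage) + data).digest()


def rc4_hmac_checksum_over_digest(key: bytes, digest: bytes) -> bytes:
    """Keyed part of the RFC 4757 checksum: Ksign = HMAC-MD5(K, "signaturekey\\0"),
    result = HMAC-MD5(Ksign, digest).  The key only ever sees the 16-byte MD5,
    so two PAC bodies that collide under MD5 share a checksum under every key."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    return hmac.new(ksign, digest, hashlib.md5).digest()


def rc4_hmac_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """Full rc4-hmac checksum: keyed HMAC-MD5 over the unkeyed MD5 of the data."""
    return rc4_hmac_checksum_over_digest(key, inner_md5(usage, data))


class Pac:
    """Stand-in for a PAC: an opaque logon-info blob (in the real PAC this
    carries the user's SIDs and group list) and three 16-byte signature fields."""
    SIG = 16

    def __init__(self, logon_info: bytes) -> None:
        self.logon_info = logon_info
        self.server_cksum = bytes(self.SIG)
        self.kdc_cksum = bytes(self.SIG)
        self.full_cksum = bytes(self.SIG)

    def signable(self) -> bytes:
        # Every checksum is computed over the PAC with the signature fields zeroed.
        return self.logon_info + bytes(3 * self.SIG)


def sign_legacy(pac: Pac, server_key: bytes, krbtgt_key: bytes) -> None:
    """Pre-fix chain: server key over the PAC body, then krbtgt key over the
    16-byte server checksum and nothing else."""
    pac.server_cksum = rc4_hmac_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, pac.signable())
    pac.kdc_cksum = rc4_hmac_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, pac.server_cksum)


def sign_full(pac: Pac, krbtgt_key: bytes) -> None:
    """Extra krbtgt-key checksum over the whole body, modelling the kind of
    full PAC signature the fix introduces (real encoding not reproduced)."""
    pac.full_cksum = rc4_hmac_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, pac.signable())


def verify_server(pac: Pac, server_key: bytes) -> bool:
    expected = rc4_hmac_checksum(server_key, KERB_NON_KERB_CKSUM_SALT, pac.signable())
    return hmac.compare_digest(expected, pac.server_cksum)


def verify_kdc(pac: Pac, krbtgt_key: bytes) -> bool:
    # pac.logon_info is not an input here: the krbtgt signature binds only
    # the server checksum value, not the groups in the PAC.
    expected = rc4_hmac_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, pac.server_cksum)
    return hmac.compare_digest(expected, pac.kdc_cksum)


def verify_full(pac: Pac, krbtgt_key: bytes) -> bool:
    expected = rc4_hmac_checksum(krbtgt_key, KERB_NON_KERB_CKSUM_SALT, pac.signable())
    return hmac.compare_digest(expected, pac.full_cksum)


def forge_keeping_server_checksum(pac: Pac, new_logon_info: bytes) -> Pac:
    """Model the attacker precondition from the advisory (an MD5 collision, or a
    self-chosen service key, that gives the rewritten body the same server
    checksum): rewrite the body and carry the original checksums across.
    No collision is actually computed here, so verify_server() will still
    fail on the result; the point is what verify_kdc() does and does not see."""
    forged = Pac(new_logon_info)
    forged.server_cksum = pac.server_cksum
    forged.kdc_cksum = pac.kdc_cksum
    forged.full_cksum = pac.full_cksum
    return forged


if __name__ == "__main__":
    server_key, krbtgt_key = bytes(range(16)), bytes(range(16, 32))   # constructed keys
    pac = Pac(b"user=alice;groups=513")
    sign_legacy(pac, server_key, krbtgt_key)
    forged = forge_keeping_server_checksum(pac, b"user=alice;groups=513,512")
    print("legacy krbtgt check on forged PAC:", verify_kdc(forged, krbtgt_key))    # True
    sign_full(pac, krbtgt_key)
    forged = forge_keeping_server_checksum(pac, b"user=alice;groups=513,512")
    print("full krbtgt check on forged PAC:  ", verify_full(forged, krbtgt_key))   # False
    print("full check on a pre-fix ticket:   ", verify_full(Pac(b"x"), krbtgt_key))  # False
```

The last line of the demonstration is the flag day from the Workaround section in miniature: a PAC signed only with the legacy chain carries no full checksum, so an upgraded verifier rejects it as evidence for S4U2Proxy regardless of who issued it.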
Samba administrators are advised to upgrade to these releases or apply
the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

====================
Workaround and notes
====================

This issue can be worked around by disabling delegation for services
that are not fully trusted, or by securing those services to the same
standard as the DC itself.

Note that this patch introduces a flag day: there is no partial rollout
of this feature (unlike KrbtgtFullPacSignature in Microsoft Windows[2]),
so service tickets issued prior to the update will be rejected as
evidence tickets for Kerberos constrained delegation.

While Kerberos constrained delegation (S4U2Proxy) is not an often-used
feature with Samba AD DCs, setting a 1 hour service ticket lifetime in
smb.conf:

    kdc:service_ticket_lifetime = 1

and waiting for any existing tickets to expire before upgrading would
reduce the number of tickets that are not accepted.

Also ensure all DCs are upgraded at around the same time, as a ticket
issued by a pre-upgrade DC will not be accepted by an upgraded DC for
Kerberos constrained delegation.

==========
References
==========

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967
[2] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

=======
Credits
=======

Originally reported to Microsoft by Tom Tervoort of Secura.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Joseph Sutton of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
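The workaround in the advisory starts with knowing which accounts actually hold constrained delegation, which the advisory does not spell out. The following is an added example, not Samba code: it parses the LDIF that ldbsearch prints for accounts with msDS-AllowedToDelegateTo set and reports each delegating account, its target SPNs, and whether protocol transition (delegation for any protocol) or unconstrained delegation is also enabled. The ldbsearch command and the sam.ldb path in the comment are the usual ones on a Samba AD DC but depend on the installation; the SAMPLE_LDIF is constructed so the script runs offline.

```python
# Added example, not Samba code: triage of delegation settings from ldbsearch LDIF.
# On a DC the input would come from (path depends on the installation):
#   ldbsearch -H /var/lib/samba/private/sam.ldb '(msDS-AllowedToDelegateTo=*)' \
#       sAMAccountName msDS-AllowedToDelegateTo userAccountControl
import base64

UF_TRUSTED_FOR_DELEGATION = 0x00080000                    # unconstrained delegation
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000    # "for any protocol" (S4U2Self)

# Constructed sample in the format ldbsearch prints; not real directory data.
SAMPLE_LDIF = """\
# record 1
dn: CN=websvc,CN=Users,DC=example,DC=com
sAMAccountName: websvc
userAccountControl: 16843264
msDS-AllowedToDelegateTo: cifs/fs1.example.com
msDS-AllowedToDelegateTo: cifs/fs1

# record 2
dn: CN=legacyapp,CN=Users,DC=example,DC=com
sAMAccountName: legacyapp
userAccountControl: 66048
msDS-AllowedToDelegateTo: ldap/dc1.example.com

# returned 2 records
# 2 entries
# 0 referrals
"""


def _finish_record(lines):
    """Turn unfolded 'attr: value' / 'attr:: base64' lines into a dict of lists."""
    rec = {}
    for line in lines:
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        rec.setdefault(attr, []).append(value)
    return rec


def parse_ldif(text):
    """Minimal LDIF reader: skips '#' comments, joins folded continuation lines
    (leading space), splits records on blank lines, keeps multi-valued attributes."""
    records, lines = [], []
    for raw in text.splitlines():
        if raw.startswith("#"):
            continue
        if raw == "":
            if lines:
                records.append(_finish_record(lines))
                lines = []
            continue
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    if lines:
        records.append(_finish_record(lines))
    return records


def delegation_report(records):
    """One entry per account that can delegate: its constrained-delegation targets
    and the two userAccountControl bits that widen what the account may do."""
    report = []
    for rec in records:
        targets = rec.get("msDS-AllowedToDelegateTo", [])
        uac = int(rec.get("userAccountControl", ["0"])[0])
        if not targets and not uac & UF_TRUSTED_FOR_DELEGATION:
            continue
        report.append({
            "account": rec.get("sAMAccountName", ["?"])[0],
            "targets": targets,
            "unconstrained": bool(uac & UF_TRUSTED_FOR_DELEGATION),
            "any_protocol": bool(uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
        })
    return report


if __name__ == "__main__":
    for entry in delegation_report(parse_ldif(SAMPLE_LDIF)):
        flags = [k for k in ("unconstrained", "any_protocol") if entry[k]]
        print(f"{entry['account']}: {', '.join(entry['targets'])} {flags}")
```

For an account that is not trusted to the same standard as the DC, the delegation can then be removed with the existing samba-tool subcommands, for example `samba-tool delegation del-service websvc cifs/fs1.example.com` for each target, and `samba-tool delegation for-any-protocol websvc off` to clear protocol transition; `samba-tool delegation show websvc` confirms the result.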