The Samba-Bugzilla – Attachment 17702 Details for Bug 15231
CVE-2022-37967 [SECURITY] Samba KDC needs to implement KrbtgtFullPacSignature to secure S4U2Proxy
CVE-2022-37967-KrbtgtFullPacSignature-v06-ready.txt (text/plain), 3.77 KB, created by Stefan Metzmacher on 2022-12-15 13:53:26 UTC
===========================================================
== Subject:     Kerberos constrained delegation ticket
==              forgery possible against Samba AD DC
==
== CVE ID#:     CVE-2022-37967
==
== Versions:    All versions of the Samba AD DC
==
== Summary:     This is the Samba CVE for the Windows
==              Kerberos Elevation of Privilege Vulnerability
==              disclosed by Microsoft on Nov 8 2022[1].
==
==              A service account with the special constrained
==              delegation permission could forge a more powerful
==              ticket than the one it was presented with.
===========================================================

===========
Description
===========

Kerberos constrained delegation, also known as S4U2Proxy, requires
that the intermediate service present to the KDC a valid Kerberos
ticket (including the PAC) obtained by the user as evidence that they
had authenticated, so that a new ticket can be issued for the target
server.

The Kerberos PAC is signed in multiple stages, but the important
protection of the SID list (the list of user groups) in the PAC is
done first with the server's key, and then with the krbtgt key over
that result: the krbtgt signature covers only the server checksum,
not the PAC contents themselves.

However the rc4-hmac cipher as implemented in Kerberos is weak in
2022, for two reasons:
 * The checksum is computed as HMAC-MD5(MD5(DATA), KEY), so the data
   enters the keyed step only through its MD5 digest. A chosen-prefix
   MD5 collision on the PAC therefore yields the same server checksum
   under any key, and can be found without knowing the key.

 * The intermediate server knows its own password (the key used in the
   HMAC-MD5 step) and can set it to arbitrary values.

It is therefore feasible to brute force a new server checksum that
matches the value already signed by the krbtgt key, but including a
privileged group in the PAC.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

  https://www.samba.org/samba/security/

Additionally, Samba 4.15.13, 4.16.8 and 4.17.4 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

====================
Workaround and notes
====================

This issue can be worked around by disabling delegation for services
that are not fully trusted, or by securing these services to the same
standard as the DC itself.

Note that this patch introduces a flag day: there is no partial
rollout of this feature (unlike KrbtgtFullPacSignature in Microsoft
Windows[2]), so service tickets issued prior to the update will be
rejected as evidence tickets for Kerberos constrained delegation.

While Kerberos constrained delegation (S4U2Proxy) is not an often-used
feature with Samba AD DCs, setting a 1 hour ticket lifetime:

  kdc:service_ticket_lifetime = 1

and waiting for any existing tickets to expire would reduce the number
of tickets that are not accepted. Also ensure all DCs are upgraded
around the same time, as a ticket issued by a pre-upgrade DC will not
be accepted by an upgraded DC for Kerberos constrained delegation.

==========
References
==========

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967
[2] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

=======
Credits
=======

Originally reported to Microsoft by Tom Tervoort of Secura.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Joseph Sutton of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
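The signature chain the Description section relies on, as an added example that is not part of the advisory and not Samba code. It implements the RFC 4757 HMAC-MD5 checksum for rc4-hmac keys and the two-stage PAC signing (server checksum over the PAC body with the service key, KDC checksum with the krbtgt key over only those 16 server-checksum bytes), then shows which checks a forged evidence ticket fails with and without a krbtgt signature over the whole PAC. The keys, the PAC bodies, the dict layout and every function name below are constructed for illustration; the real PAC is an NDR structure whose signature buffers are zeroed before signing, simplified here to a plain byte string, and the full PAC checksum is modelled with HMAC-SHA1-96 rather than the AES checksum type Samba actually uses for the krbtgt key.

```python
import hashlib
import hmac
import struct

# MS-PAC key usage numbers for the server and KDC PAC signatures.
KU_PAC_SERVER = 17
KU_PAC_KDC = 18

# Constructed inputs. rc4-hmac keys are 16 bytes (MD4 of the password);
# the values here are placeholders, not real keys. 513 is the Domain Users
# RID, 512 is Domain Admins.
SERVICE_KEY = bytes(range(16))
KRBTGT_KEY = bytes(range(16, 32))
UNPRIVILEGED_BODY = b"user=alice;groups=513"
PRIVILEGED_BODY = b"user=alice;groups=513,512"


def inner_md5(usage: int, data: bytes) -> bytes:
    """MD5(T || data), T being the 4-byte little-endian key usage (RFC 4757)."""
    return hashlib.md5(struct.pack("<I", usage) + data).digest()


def ksign(key: bytes) -> bytes:
    """Ksign = HMAC-MD5(K, "signaturekey\\0"), the derived signing key."""
    return hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()


def rc4_hmac_checksum_from_md5(key: bytes, digest: bytes) -> bytes:
    """Keyed step: HMAC-MD5(Ksign, MD5(T || data)). Only the 16-byte digest of
    the data reaches the key, so two inputs with the same MD5 share a checksum
    under every key, and the collision can be found without the key."""
    return hmac.new(ksign(key), digest, hashlib.md5).digest()


def rc4_hmac_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """HMAC-MD5 checksum for rc4-hmac keys (RFC 4757 section 4)."""
    return rc4_hmac_checksum_from_md5(key, inner_md5(usage, data))


def full_pac_checksum(krbtgt_key: bytes, pac_body: bytes) -> bytes:
    """Stand-in for the full PAC signature the fix adds: the KDC signs the
    whole PAC body with the krbtgt key (assumption: HMAC-SHA1 truncated to
    12 bytes instead of the real AES checksum type)."""
    return hmac.new(krbtgt_key, pac_body, hashlib.sha1).digest()[:12]


def sign_pac(pac_body: bytes, service_key: bytes, krbtgt_key: bytes, full_pac: bool) -> dict:
    """Server checksum over the body with the service key, then a KDC checksum
    with the krbtgt key over those 16 server-checksum bytes only. With
    full_pac the KDC additionally signs the body itself."""
    server = rc4_hmac_checksum(service_key, KU_PAC_SERVER, pac_body)
    kdc = rc4_hmac_checksum(krbtgt_key, KU_PAC_KDC, server)
    ticket = {"body": pac_body, "server": server, "kdc": kdc}
    if full_pac:
        ticket["full"] = full_pac_checksum(krbtgt_key, pac_body)
    return ticket


def failing_checks(ticket: dict, service_key: bytes, krbtgt_key: bytes, require_full_pac: bool) -> set:
    """Names of the PAC checks a KDC would reject when the ticket is presented
    as S4U2Proxy evidence; an empty set means the ticket is accepted."""
    failed = set()
    if ticket["server"] != rc4_hmac_checksum(service_key, KU_PAC_SERVER, ticket["body"]):
        failed.add("server")
    if ticket["kdc"] != rc4_hmac_checksum(krbtgt_key, KU_PAC_KDC, ticket["server"]):
        failed.add("kdc")
    if require_full_pac and ticket.get("full") != full_pac_checksum(krbtgt_key, ticket["body"]):
        failed.add("full")
    return failed


def forge(ticket: dict, new_body: bytes) -> dict:
    """The delegating service swaps in a PAC body naming a privileged group but
    keeps the server and KDC checksum bytes exactly as they were issued."""
    forged = dict(ticket)
    forged["body"] = new_body
    return forged


def demo() -> dict:
    """Which checks fail for a genuine and a forged ticket, pre- and post-fix."""
    results = {}
    for full_pac in (False, True):
        genuine = sign_pac(UNPRIVILEGED_BODY, SERVICE_KEY, KRBTGT_KEY, full_pac)
        forged = forge(genuine, PRIVILEGED_BODY)
        results[full_pac] = {
            "genuine": failing_checks(genuine, SERVICE_KEY, KRBTGT_KEY, full_pac),
            "forged": failing_checks(forged, SERVICE_KEY, KRBTGT_KEY, full_pac),
        }
    return results


if __name__ == "__main__":
    for full_pac, r in demo().items():
        state = "on" if full_pac else "off"
        print(f"full PAC signature {state}: genuine fails {r['genuine'] or 'nothing'}, "
              f"forged fails {r['forged']}")
```

Without the full PAC signature the forged ticket fails only the "server" check: the KDC checksum still verifies because it never covered the body. Closing that single gap is exactly what the advisory describes, a chosen-prefix MD5 collision on the body combined with a service key the attacker picks (not reproduced here). With the full PAC signature the forgery also fails "full", and that check cannot be satisfied without the krbtgt key.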
Flags: slow: review+