The Samba-Bugzilla – Attachment 17703 Details for
Bug 15214
CVE-2022-45141 [SECURITY] Samba 4.15 and prior using Heimdal KDC allows selection of weaker ticket types
Attachment 17703: CVE-2022-45141-avoid-arcfour-tickets-v02-ready.txt (text/plain), 2.60 KB, created by Stefan Metzmacher on 2022-12-15 13:54:56 UTC
Attachment flags: patch, obsolete
===========================================================
== Subject: Samba AD DC using Heimdal can be forced to
==          issue rc4-hmac encrypted Kerberos tickets
==
== CVE ID#: CVE-2022-45141
==
== Versions: Heimdal builds of the Samba AD DC prior to Samba 4.16
==
== Summary: Since the Windows Kerberos RC4-HMAC Elevation of Privilege
==          Vulnerability was disclosed by Microsoft on Nov 8 2022,
==          and since RFC 8429 treats rc4-hmac as weak, it is a
==          security issue that vulnerable Samba Active Directory DCs
==          will issue rc4-hmac encrypted tickets despite the target
==          server supporting better encryption
==          (eg aes256-cts-hmac-sha1-96).
===========================================================

===========
Description
===========

Kerberos, the trusted third party authentication system at the heart
of Active Directory, issues a ticket encrypted with a key known to the
KDC and the target server but nobody else, and returns it to the client
in a TGS-REP.

The encryption type of that key is therefore a matter between the KDC
and the target server alone; the client never decrypts the ticket and
has no legitimate reason to influence which of the server's keys is used.

However, due to a coding error subsequently addressed in all recent
Heimdal versions and so fixed with Samba 4.16 (which imports Heimdal
8.0pre), the (attacking) client would be given the opportunity to
select the encryption type, and so obtain a ticket encrypted with
rc4-hmac, which it could attack offline. The rc4-hmac key is derived
directly from the server account's NT hash (the unicodePwd attribute),
so a successful offline attack recovers the account's password.

This is possible unless rc4-hmac is totally removed from the server's
account, by removing the unicodePwd attribute, but this will break
other aspects of the server's operation in the domain (NETLOGON in
particular).

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.13 has been issued as a security release to
correct the defect. Samba administrators are advised to upgrade to this
release or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1)

================
(not) Workaround
================

Setting msDS-SupportedEncryptionTypes is not a workaround for this
issue: the vulnerable KDC still holds the rc4-hmac key derived from
unicodePwd and will still use it when the client asks for rc4-hmac.

=======
Credits
=======

Originally reported by Joseph Sutton of Catalyst and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches by Nicolas Williams were identified and backported by Joseph
Sutton of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
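The ticket enctype selection the Description above refers to, modelled as an added example (this is not Samba's or Heimdal's code): a KDC that picks the ticket key by walking the client's requested etype list beside one that picks from the server's own keys in the KDC's strength order. Enctype numbers and the msDS-SupportedEncryptionTypes bit values are the standard RFC and MS-KILE ones; the service account, its placeholder key bytes, and the names `constructed_server`, `compare` and `pick_ticket_enctype_*` are assumptions for illustration only. The model also shows why setting msDS-SupportedEncryptionTypes does not stop the vulnerable selection while removing the rc4-hmac key (unicodePwd) does.

```python
"""Model of how a KDC picks the enctype for the ticket it returns in a TGS-REP,
in the vulnerable form the advisory describes and in a corrected form.

Added example, not Samba or Heimdal code. Enctype numbers follow RFC 3961,
RFC 3962 and RFC 4757; msDS-SupportedEncryptionTypes bits follow MS-KILE.
The service account and its key material are constructed placeholders.
"""
from dataclasses import dataclass

# Kerberos enctype identifiers
DES_CBC_CRC = 1
DES_CBC_MD5 = 3
AES128_CTS_HMAC_SHA1_96 = 17
AES256_CTS_HMAC_SHA1_96 = 18
RC4_HMAC = 23

ENCTYPE_NAMES = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    AES128_CTS_HMAC_SHA1_96: "aes128-cts-hmac-sha1-96",
    AES256_CTS_HMAC_SHA1_96: "aes256-cts-hmac-sha1-96",
    RC4_HMAC: "rc4-hmac",
}

# msDS-SupportedEncryptionTypes bits and the enctype each one advertises
SUPPORTED_BIT_TO_ENCTYPE = {
    0x01: DES_CBC_CRC,
    0x02: DES_CBC_MD5,
    0x04: RC4_HMAC,
    0x08: AES128_CTS_HMAC_SHA1_96,
    0x10: AES256_CTS_HMAC_SHA1_96,
}

# The KDC's own ranking of ticket key strength, strongest first
KDC_PREFERENCE = [AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96,
                  RC4_HMAC, DES_CBC_MD5, DES_CBC_CRC]


class KDCError(Exception):
    """Stands in for a KRB-ERROR; the message is the Kerberos error name."""


@dataclass
class ServerAccount:
    name: str
    keys: dict               # enctype -> long-term key (placeholder bytes here)
    supported_enctypes: int  # msDS-SupportedEncryptionTypes, 0 when unset


def advertised_enctypes(server):
    """Enctypes the account's msDS-SupportedEncryptionTypes bits advertise."""
    return {et for bit, et in SUPPORTED_BIT_TO_ENCTYPE.items()
            if server.supported_enctypes & bit}


def pick_ticket_enctype_vulnerable(client_etypes, server):
    """Walk the CLIENT's etype list in the client's order and take the first
    enctype the server has a key for.  The client chooses the ticket key and
    msDS-SupportedEncryptionTypes is never consulted, so the rc4-hmac key
    derived from unicodePwd stays selectable whatever the attribute says."""
    for et in client_etypes:
        if et in server.keys:
            return et
    raise KDCError("KDC_ERR_ETYPE_NOSUPP")


def pick_ticket_enctype_fixed(client_etypes, server):
    """Choose from the SERVER's keys in the KDC's strength order.  The client
    never decrypts the ticket, so its list plays no part here (it still
    governs the session key, which this model omits).  If the account
    advertises enctypes, only those are eligible."""
    del client_etypes
    allowed = advertised_enctypes(server) or set(server.keys)
    for et in KDC_PREFERENCE:
        if et in server.keys and et in allowed:
            return et
    raise KDCError("KDC_ERR_ETYPE_NOSUPP")


def compare(client_etypes, server):
    """Run both selections; report the enctype name or the KDC error of each."""
    result = {}
    for label, picker in (("vulnerable", pick_ticket_enctype_vulnerable),
                          ("fixed", pick_ticket_enctype_fixed)):
        try:
            result[label] = ENCTYPE_NAMES[picker(client_etypes, server)]
        except KDCError as err:
            result[label] = str(err)
    return result


def constructed_server(with_rc4=True, supported=0x18):
    """Placeholder AES-capable service account.  with_rc4=False models the
    advisory's only real mitigation: removing unicodePwd, and with it the
    NT hash from which the rc4-hmac key is derived."""
    keys = {AES256_CTS_HMAC_SHA1_96: b"\x00" * 32,
            AES128_CTS_HMAC_SHA1_96: b"\x00" * 16}
    if with_rc4:
        keys[RC4_HMAC] = b"\x00" * 16
    return ServerAccount("host/fileserver.example.com", keys, supported)


if __name__ == "__main__":
    # An attacker lists rc4-hmac first in the TGS-REQ etype list
    attacker = [RC4_HMAC, AES256_CTS_HMAC_SHA1_96, AES128_CTS_HMAC_SHA1_96]
    print("AES-only msDS-SupportedEncryptionTypes:", compare(attacker, constructed_server()))
    print("unicodePwd removed:", compare(attacker, constructed_server(with_rc4=False)))
```

Against an account whose msDS-SupportedEncryptionTypes is AES-only (0x18), the vulnerable picker still returns rc4-hmac for an attacker-ordered request, and only an account with no rc4-hmac key at all denies it; the corrected picker returns aes256-cts-hmac-sha1-96 regardless of what the client asked for.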
Review flags: slow: review+