Bug 12445 (CVE-2016-2125) - [SECURITY] CVE-2016-2125: don't send delegated credentials to all servers
Summary: [SECURITY] CVE-2016-2125: don't send delegated credentials to all servers
Alias: CVE-2016-2125
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.5.1
Hardware: All
OS: All
Importance: P5 normal (vote)
Target Milestone: ---
Assignee: Karolin Seeger
QA Contact: Samba QA Contact
Depends on:
Blocks: 12448
Reported: 2016-11-24 07:53 UTC by Stefan Metzmacher
Modified: 2021-08-31 03:51 UTC (History)
CC List: 12 users

See Also:

CVE-2016-2125-description.metze01.txt (needs exact version numbers!!!) (3.87 KB, text/plain)
2016-12-02 15:24 UTC, Stefan Metzmacher
ab: review+
CVE-2016-2125-master.metze01.txt (3.71 KB, patch)
2016-12-02 15:26 UTC, Stefan Metzmacher
abartlet: review+
jra: review+
CVE-2016-2125-v4-5.metze01.txt (3.71 KB, patch)
2016-12-02 15:27 UTC, Stefan Metzmacher
abartlet: review+
metze: review? (idra)
jra: review+
CVE-2016-2125-v4-4.metze01.txt (3.71 KB, patch)
2016-12-02 15:27 UTC, Stefan Metzmacher
abartlet: review+
metze: review? (idra)
jra: review+
CVE-2016-2125-v4-3.metze01.txt (3.71 KB, patch)
2016-12-02 15:28 UTC, Stefan Metzmacher
abartlet: review+
metze: review? (idra)
jra: review+
CVE-2016-2125-description.metze02.txt (3.83 KB, text/plain)
2016-12-06 14:31 UTC, Stefan Metzmacher
no flags
Fixed up version (4.04 KB, text/plain)
2016-12-06 21:32 UTC, Jeremy Allison
no flags
Fixed up version v2 (4.04 KB, text/plain)
2016-12-07 03:10 UTC, Douglas Bagnall
no flags
Updated text with more context as to the problem (v3) (4.81 KB, text/plain)
2016-12-07 03:53 UTC, Andrew Bartlett
no flags
Updated description by ab (4.66 KB, text/plain)
2016-12-07 06:40 UTC, Alexander Bokovoy
abartlet: review+
CVE-2016-2125-v3.6.asn01.patch (1.04 KB, patch)
2016-12-07 10:01 UTC, Andreas Schneider
no flags
Updated description (4.65 KB, text/plain)
2016-12-07 11:42 UTC, Karolin Seeger
no flags
CVE-2016-2125-v3.6.asn02.patch (2.11 KB, patch)
2016-12-13 15:49 UTC, Andreas Schneider
metze: review-
CVE-2016-2125-v3.6.asn03.patch (1.69 KB, patch)
2016-12-16 13:21 UTC, Andreas Schneider
metze: review+

Description Stefan Metzmacher 2016-11-24 07:53:02 UTC
Comment 1 Stefan Metzmacher 2016-11-24 11:44:32 UTC
Using GSS_C_DELEG_FLAG means we unconditionally send a delegated Kerberos TGT
to all remote servers.

We should rely on GSS_C_DELEG_POLICY_FLAG and let the KDC decide if you
should send delegated credentials to a remote server.
Comment 2 Stefan Metzmacher 2016-12-02 15:24:56 UTC
Created attachment 12707 [details]
CVE-2016-2125-description.metze01.txt (needs exact version numbers!!!)

The exact version numbers need to be added once we know the release date.
Comment 3 Stefan Metzmacher 2016-12-02 15:26:38 UTC
Created attachment 12708 [details]
Comment 4 Stefan Metzmacher 2016-12-02 15:27:22 UTC
Created attachment 12709 [details]
Comment 5 Stefan Metzmacher 2016-12-02 15:27:44 UTC
Created attachment 12710 [details]
Comment 6 Stefan Metzmacher 2016-12-02 15:28:17 UTC
Created attachment 12711 [details]
Comment 7 Alexander Bokovoy 2016-12-05 13:43:42 UTC
Comment on attachment 12707 [details]
CVE-2016-2125-description.metze01.txt (needs exact version numbers!!!)

Looks good, thanks.
Comment 8 Stefan Metzmacher 2016-12-06 14:31:52 UTC
Created attachment 12730 [details]
Comment 9 Alexander Bokovoy 2016-12-06 15:24:10 UTC
Comment on attachment 12730 [details]

Please do s/RedHat/Red Hat/, the rest looks OK.
Comment 10 Jeremy Allison 2016-12-06 21:32:56 UTC
Created attachment 12732 [details]
Fixed up version

Metze, I think this version is clearer. Fixed up the English idioms and clarified the text.

Let me know.

Comment 11 Douglas Bagnall 2016-12-07 03:10:36 UTC
Created attachment 12733 [details]
Fixed up version v2

A couple of typos, and a reduction of "typically" overuse in one paragraph.
Comment 12 Andrew Bartlett 2016-12-07 03:53:27 UTC
Created attachment 12735 [details]
Updated text with more context as to the problem (v3)

This text tries to clarify that you can't just pick out forwarded credentials from thin air, you need to be the target service.
Comment 13 Alexander Bokovoy 2016-12-07 06:40:58 UTC
Created attachment 12736 [details]
Updated description by ab

I tried to re-read the text proposed by Andrew and decided to rewrite a few paragraphs as they read awkwardly to me both in the original proposal and in Andrew's one.

I also changed RedHat to Red Hat for correct spelling.
Comment 14 Andrew Bartlett 2016-12-07 07:24:03 UTC
These are really good improvements
Comment 15 Andreas Schneider 2016-12-07 10:01:13 UTC
Created attachment 12737 [details]
Comment 16 Karolin Seeger 2016-12-07 11:42:39 UTC
Created attachment 12739 [details]
Updated description

Fix some more typos (s/kerberos/Kerberos/, remove trailing whitespaces, s/completness/completeness, ...)
Comment 17 Stefan Metzmacher 2016-12-07 12:26:57 UTC
Comment on attachment 12739 [details]
Updated description

I think we need to improve the following section:

  Finally, it should be noted that typically the connections involved
  are either explicitly requested, or are between or to Domain
  Controllers already of ultimate privilege.

For (at least) me (as a non native speaker) the wording is a bit confusing.
Maybe we can split this into multiple sentences to make it more clear.

I'm not 100% sure, but I guess we may also connect to a RODC
which doesn't have all passwords. So we need to take that into
account in the logic as well.
Comment 18 Karolin Seeger 2016-12-08 09:26:15 UTC
(In reply to Stefan Metzmacher from comment #17)
Could one of the native speakers help out here, please? :-)
Comment 19 Stefan Metzmacher 2016-12-08 14:25:14 UTC
Comment on attachment 12737 [details]

source3/libsmb/clifsinfo.c also passes GSS_C_DELEG_FLAG to gss_init_sec_context()
Comment 20 Karolin Seeger 2016-12-09 07:43:34 UTC
Opening bug report for vendors.
Planned release date is Monday, December 19.
Comment 21 Karolin Seeger 2016-12-12 11:34:28 UTC
The tarballs and patches are available here:
Comment 22 Andreas Schneider 2016-12-13 15:49:07 UTC
Created attachment 12766 [details]
Comment 23 Stefan Metzmacher 2016-12-16 13:20:32 UTC
Comment on attachment 12766 [details]

The ads_krb5_mk_req() change is wrong; there
we have if( credsp->ticket_flags & TKT_FLG_OK_AS_DELEGATE ), which controls the protection.
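Added example (not Samba's or MIT krb5's code): a stand-alone C model of the client-side decision discussed in comment 1 (GSS_C_DELEG_FLAG forwards the TGT to every server, GSS_C_DELEG_POLICY_FLAG lets the KDC decide) and of the ticket-flag test metze points to in comment 23. The three flag values are copied from the public GSSAPI and MIT krb5 headers so the file compiles without libgssapi; the service tickets, principal names and the explicit_delegation knob are constructed for illustration and are not Samba parameters.

```c
/*
 * Added example, not Samba or MIT krb5 source: a stand-alone model of the
 * client-side delegation decision behind CVE-2016-2125.  The three flag
 * values are copied from the public GSSAPI/MIT krb5 headers so this builds
 * without libgssapi; tickets, names and explicit_delegation are constructed.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define GSS_C_DELEG_FLAG         0x0001u     /* RFC 2744: always forward creds */
#define GSS_C_MUTUAL_FLAG        0x0002u     /* RFC 2744: mutual authentication */
#define GSS_C_DELEG_POLICY_FLAG  0x8000u     /* MIT/Heimdal: forward only if the
                                                KDC marked the ticket OK-AS-DELEGATE */
#define TKT_FLG_OK_AS_DELEGATE   0x00040000u /* MIT krb5.h ticket flag */

/* Constructed service tickets.  The KDC sets OK-AS-DELEGATE only when the
 * target's account is trusted for delegation: a DC typically is, an
 * ordinary member server is not. */
struct service_ticket {
	const char *sname;
	uint32_t ticket_flags;
};
static const struct service_ticket DC_TICKET = {
	"cifs/dc1.example.com", TKT_FLG_OK_AS_DELEGATE };
static const struct service_ticket FILESRV_TICKET = {
	"cifs/fs1.example.com", 0 };

/* Model of the mechanism's decision to put a forwarded TGT into the AP-REQ:
 * GSS_C_DELEG_FLAG forwards unconditionally, GSS_C_DELEG_POLICY_FLAG defers
 * to the KDC's verdict carried in the ticket flags (the same
 * ticket_flags & TKT_FLG_OK_AS_DELEGATE test mentioned in comment 23). */
bool forwards_tgt(uint32_t req_flags, const struct service_ticket *t)
{
	if (req_flags & GSS_C_DELEG_FLAG) {
		return true;
	}
	if ((req_flags & GSS_C_DELEG_POLICY_FLAG) &&
	    (t->ticket_flags & TKT_FLG_OK_AS_DELEGATE)) {
		return true;
	}
	return false;
}

/* Before the fix: every connection asked for unconditional delegation. */
uint32_t vulnerable_req_flags(void)
{
	return GSS_C_MUTUAL_FLAG | GSS_C_DELEG_FLAG;
}

/* After the fix: ask for policy-based delegation and add the unconditional
 * flag only when the caller explicitly requested delegation.
 * explicit_delegation is an assumed knob for this example, not a Samba option. */
uint32_t fixed_req_flags(bool explicit_delegation)
{
	uint32_t flags = GSS_C_MUTUAL_FLAG | GSS_C_DELEG_POLICY_FLAG;
	if (explicit_delegation) {
		flags |= GSS_C_DELEG_FLAG;
	}
	return flags;
}

static void show(const char *label, uint32_t req_flags)
{
	printf("%-28s dc1: %-3s  fs1: %s\n", label,
	       forwards_tgt(req_flags, &DC_TICKET) ? "TGT" : "no",
	       forwards_tgt(req_flags, &FILESRV_TICKET) ? "TGT" : "no");
}

int main(void)
{
	show("vulnerable (DELEG_FLAG)", vulnerable_req_flags());
	show("fixed (DELEG_POLICY_FLAG)", fixed_req_flags(false));
	show("fixed + explicit request", fixed_req_flags(true));
	return 0;
}
```

Running it shows the vulnerable flags handing the TGT to both dc1 and fs1, while the fixed flags hand it only to dc1 unless delegation was explicitly requested. On a real client the OK-AS-DELEGATE verdict is visible in the cached service ticket: MIT `klist -f` prints an `O` in the flags column for tickets the KDC marked that way.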
Comment 24 Andreas Schneider 2016-12-16 13:21:43 UTC
Created attachment 12772 [details]
Comment 25 Karolin Seeger 2016-12-19 09:54:18 UTC
(In reply to Karolin Seeger from comment #21)
Samba 4.5.3, 4.4.8 and 4.3.13 have been released to address these defects.
Comment 26 Karolin Seeger 2016-12-19 10:00:15 UTC
Pushed to autobuild-master.
Comment 27 Karolin Seeger 2017-01-02 09:26:33 UTC
(In reply to Karolin Seeger from comment #26)
Pushed to master.
Closing out bug report.

Comment 28 Andrew Bartlett 2021-08-31 03:51:47 UTC
Removing embargo on long-fixed security bug.