The Samba-Bugzilla – Bug 12894
[SECURITY] [CVE-2017-11103] Orpheus' Lyre KDC-REP service name validation (mutual auth bypass) in embedded Heimdal
Last modified: 2017-09-21 18:57:50 UTC
Heimdal upstream has just disclosed (sadly without prior notice to Samba):
Changes in Heimdal 7.4:
- Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation
This is a critical vulnerability.
In _krb5_extract_ticket() the KDC-REP service name must be obtained from
encrypted version stored in 'enc_part' instead of the unencrypted version
stored in 'ticket'. Use of the unencrypted version provides an
opportunity for successful server impersonation and other attacks.
Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.
See https://www.orpheus-lyre.info/ for more details.
This impacts on Samba as a client, as well as Samba as a server where it talks to other servers, such as in winbindd and AD DC replication traffic.
CVE-2017-8495 / KB-4022746 (Microsoft)
To answer the questions that will come up:
In short, the issue is a bypass of mutual authentication.
- The biggest impact of this is on the AD DC, because of the risk to DRS replication
- If your samba is built using MIT Kerberos, upstream Heimdal advisory says:
"The MIT implementation is not vulnerable, and looking through its version history, never had been."
- If you or your distributor built with --with-system-mitkrb5 then the above applies.
Created attachment 13359 [details]
Patch taken from the heimdal repository for 4.7, 4.6, 4.5 and master
Created attachment 13361 [details]
The patch is on top of 4.4, 4.5 & 4.6 in these branches:
The WHATSNEW and VERSION are also updated on these branches. The ntlm_auth patch is just so that they can pass autobuild on our cloud and should not be included with the releases.
We are trying to work out if the fix from Heimdal is bypassed by this in Samba:
/*
 * this is really a ugly hack, to support using the Netbios Domain Name
 * as realm against windows KDC's, they always return the full realm
 * based on the DNS Name.
 */
flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;
If so, then the fix will not be as simple on our end. More to come.
(In reply to Andrew Bartlett from comment #5)
As there isn't a public exploit yet, I'm working on a reproducer so we can understand the impact on Samba given the flags we have forced on.
We should drop the flags in the medium term, but right now I don't want a behaviour change. I still think the upstream patch helps, but I need to be sure before we do a release.
I'll see what I can get done tonight NZ time.
(In reply to Andrew Bartlett from comment #6)
I think we need this fix and I'll prepare security releases, with it,
which will then be released today or tomorrow.
The problem is that the attacker is able to form the server field
in the victim's credential cache. Which means the client
will use the ticket for a different service, which breaks the
mutual auth. The attacker needs to have control over an account
that is able to act as a service principal or a cross-realm trust.
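A simplified model of the point made in the comments above, added here as an illustration and not taken from Heimdal, Samba or this bug's attachments: it shows which service name ends up in the credential cache entry depending on whether the name is read from the cleartext 'ticket' or from 'enc_part', with and without EXTRACT_TICKET_ALLOW_SERVER_MISMATCH. The struct and function names, the flag's numeric value and the principal names are assumptions constructed for the example.

```c
#include <stdio.h>
#include <string.h>

/* Flag name as quoted in the thread; the value here is arbitrary. */
#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH 1u

/* Hypothetical, simplified stand-ins; not Heimdal's or Samba's types. */
struct kdc_rep_model {
    const char *ticket_sname;   /* cleartext copy carried in 'ticket' */
    const char *enc_part_sname; /* copy protected inside 'enc_part' */
};
struct creds_model { char server[128]; }; /* name the cache entry records */

/*
 * use_enc_part == 0 models taking the name from the cleartext ticket,
 * use_enc_part == 1 models taking it from the encrypted part (the fix).
 * Returns 0 and fills out->server, or -1 when the reply is rejected.
 */
int extract_server(const struct kdc_rep_model *rep, const char *requested,
                   unsigned flags, int use_enc_part, struct creds_model *out)
{
    const char *sname = use_enc_part ? rep->enc_part_sname : rep->ticket_sname;
    if (strlen(sname) >= sizeof(out->server))
        return -1;
    /* The comparison with the requested name is skipped when the flag is set. */
    if (!(flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH) &&
        strcmp(sname, requested) != 0)
        return -1;
    strcpy(out->server, sname); /* the selected name is what gets cached */
    return 0;
}

/* Constructed reply whose cleartext and encrypted names disagree. */
static const struct kdc_rep_model sample_reply = {
    "cifs/fileserver.example.test", "host/other.example.test"
};

int main(void)
{
    const char *req = "cifs/fileserver.example.test";
    struct creds_model c;
    for (int fixed = 0; fixed <= 1; fixed++)
        for (unsigned fl = 0; fl <= 1; fl++) {
            int rc = extract_server(&sample_reply, req, fl, fixed, &c);
            printf("enc_part=%d allow_mismatch=%u -> %s %s\n", fixed, fl,
                   rc ? "rejected" : "cached as", rc ? "" : c.server);
        }
    return 0;
}
```

With the mismatch flag forced on, reading the name from 'enc_part' no longer rejects the reply, but the cache entry then carries the name the KDC actually encrypted rather than the cleartext one.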
(In reply to Stefan Metzmacher from comment #7)
That is the conclusion I want to come to also.
Please let me know if there is anything more I can do to help.
Private autobuilds on Samba 4.6 and 4.4 with this patch passed.
The build of Samba 4.5 failed due to flapping tests, so I have re-submitted those just to be sure.
I continue to investigate writing the tests.
Do we need to get our own CVE number for this?
(In reply to Andrew Bartlett from comment #9)
As expected, a private autobuild of Samba 4.5 has also passed
(In reply to Stefan Metzmacher from comment #11)
I wasn't going to wait for one. We are just a downstream of Heimdal.
I've been told to get our own CVE when we have essentially the same issue as windows (rather than use theirs), but I think this is different, it really is the same bug, in the same code, at the same disclosure time.
Other CVEs seem to be across multiple downstreams with the same historical upstream:
We are just downstream Heimdal, so use the CVE from Heimdal.
(In reply to Andreas Schneider from comment #14)
Ok, I'm in the process of making the releases.
(In reply to Stefan Metzmacher from comment #15)
The tags are pushed and the tarballs are available at
I'll now work on the website and the announcement mail...
(In reply to Stefan Metzmacher from comment #16)
Also pushed to the autobuilds of master and v4-7-test.
Created attachment 13363 [details]
changes links to https:// and removed outdated reference to http://samba.org/samba/patches/
Comment on attachment 13363 [details]
Thank you very much for all the hard work getting this pushed out!
To be clear, this was released yesterday, no embargo. We do apologise to our downstream users and distributors for the lack of notice this time.
Official packages from SuSE, RHEL and Fedora are not impacted, as they all use MIT Kerberos. I'm personally working with Debian to help push out updated packages.
Fixed in master with 3799a32e41134a2dff797ebeacf5abdb8d332e6e for Samba 4.7, plus new releases were made 4.7rc2, 4.6.6, 4.5.12 and 4.4.15.
Created attachment 13619 [details]
This applies before attachment 13364 [details]
Created attachment 13622 [details]
regression test patch for master
Attached is a complete regression test patch.