Bug 12894 (CVE-2017-11103) - [SECURITY] [CVE-2017-11103] Orpheus' Lyre KDC-REP service name validation (mutual auth bypass) in embedded Heimdal
Status: RESOLVED FIXED
Alias: CVE-2017-11103
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.6.5
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL: https://www.orpheus-lyre.info/
Keywords:
Depends on:
Blocks: 12902
Reported: 2017-07-12 01:36 UTC by Andrew Bartlett
Modified: 2017-09-21 18:57 UTC

See Also:


Attachments
Patch taken from the heimdal repository for 4.7, 4.6, 4.5 and master (1.40 KB, patch)
2017-07-12 02:06 UTC, Bob Campbell, no flags
CVE text (2.46 KB, text/plain)
2017-07-12 02:40 UTC, Andrew Bartlett, no flags
CVE-2017-11103-description.txt (2.38 KB, text/plain)
2017-07-12 10:22 UTC, Stefan Metzmacher
ab: review+
abartlet: review+
patch to add tests for this issue (14.60 KB, patch)
2017-07-12 12:43 UTC, Andrew Bartlett, no flags
missing patch (6.28 KB, patch)
2017-09-21 06:43 UTC, Andrew Bartlett, no flags
regression test patch for master (18.53 KB, patch)
2017-09-21 18:57 UTC, Andrew Bartlett, no flags

Description Andrew Bartlett 2017-07-12 01:36:45 UTC
Heimdal upstream has just disclosed (sadly without prior notice to Samba):

Changes in Heimdal 7.4:

 Security

 - Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

   This is a critical vulnerability.

   In _krb5_extract_ticket() the KDC-REP service name must be obtained from
   the encrypted version stored in 'enc_part' instead of the unencrypted
   version stored in 'ticket'.  Use of the unencrypted version provides an
   opportunity for successful server impersonation and other attacks.

   Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

   See https://www.orpheus-lyre.info/ for more details.


This impacts Samba as a client, as well as Samba as a server where it talks to other servers, such as in winbindd and AD DC replication traffic.

Relevant CVEs

    CVE-2017-8495 / KB-4022746 (Microsoft)
    CVE-2017-11103 (Heimdal)
Comment 1 Andrew Bartlett 2017-07-12 01:52:19 UTC
To answer the questions that will come up:

In short, the issue is a bypass of mutual authentication.

 - The biggest impact of this is on the AD DC, because of the risk to DRS replication.
 - If your Samba is built using MIT Kerberos, the upstream Heimdal advisory says:
   "The MIT implementation is not vulnerable, and looking through its version history, never had been."
 - If you or your distributor built with --with-system-mitkrb5, then the above applies.
Comment 2 Bob Campbell 2017-07-12 02:06:01 UTC
Created attachment 13359
Patch taken from the heimdal repository for 4.7, 4.6, 4.5 and master
Comment 3 Andrew Bartlett 2017-07-12 02:40:42 UTC
Created attachment 13361
CVE text
Comment 4 Bob Campbell 2017-07-12 03:55:22 UTC
The patch is on top of 4.4, 4.5 & 4.6 in these branches:

http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/bob-17-07-heimdal-patch-4.4
http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/bob-17-07-heimdal-patch-4.5
http://git.catalyst.net.nz/gw?p=samba.git;a=shortlog;h=refs/heads/bob-17-07-heimdal-patch-4.6

The WHATSNEW and VERSION are also updated on these branches. The ntlm_auth patch is just so that they can pass autobuild on our cloud and should not be included with the releases.
Comment 5 Andrew Bartlett 2017-07-12 04:17:15 UTC
We are trying to work out if the fix from Heimdal is bypassed by this in Samba:

    /*
     * HACK:
     * this is really an ugly hack, to support using the NetBIOS Domain Name
     * as realm against Windows KDCs; they always return the full realm
     * based on the DNS Name.
     */
    flags |= EXTRACT_TICKET_ALLOW_SERVER_MISMATCH;
    flags |= EXTRACT_TICKET_ALLOW_CNAME_MISMATCH;

If so, then the fix will not be as simple on our end.  More to come.
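The Heimdal changelog in the description and the EXTRACT_TICKET_ALLOW_SERVER_MISMATCH flag quoted in this comment, reduced to a minimal C model (an added example, not Heimdal's or Samba's code; the structs, function names and the flag value are assumptions): once the cached server name comes from the decrypted enc_part, allowing a mismatch only relaxes a policy check and no longer lets the unverified plaintext name into the credential cache.

```c
/* Added example, not Heimdal or Samba code: a simplified model of the
 * CVE-2017-11103 fix in _krb5_extract_ticket(); names are assumptions. */
#include <stdio.h>
#include <string.h>

#define EXTRACT_TICKET_ALLOW_SERVER_MISMATCH 0x1  /* value assumed */

/* ticket_sname travels in the clear and the client cannot verify it;
 * enc_part_sname is decrypted with the client's key, so it is authentic. */
struct kdc_rep {
    const char *ticket_sname;
    const char *enc_part_sname;
};

struct creds { char server[128]; };  /* what the credential cache stores */

/* Pre-fix: the cached server name comes from the unencrypted Ticket. */
int extract_ticket_vulnerable(const struct kdc_rep *rep, struct creds *out)
{
    snprintf(out->server, sizeof out->server, "%s", rep->ticket_sname);
    return 0;
}

/* Fixed: the cached server name comes from enc_part.  Comparing it with
 * the requested name is then only policy: even if ALLOW_SERVER_MISMATCH
 * skips the check, the cache holds the verified name, so the ticket is
 * not reused for a service it was not issued for.  Returns -1 on a
 * disallowed mismatch, 0 otherwise. */
int extract_ticket_fixed(const struct kdc_rep *rep, const char *requested,
                         int flags, struct creds *out)
{
    snprintf(out->server, sizeof out->server, "%s", rep->enc_part_sname);
    if (strcmp(requested, rep->enc_part_sname) != 0 &&
        !(flags & EXTRACT_TICKET_ALLOW_SERVER_MISMATCH))
        return -1;
    return 0;
}

int main(void)
{
    /* Constructed reply whose unverified and verified names disagree. */
    struct kdc_rep rep = { "ldap/dc1.example.com", "host/other.example.com" };
    struct creds c;
    extract_ticket_vulnerable(&rep, &c);
    printf("vulnerable caches: %s\n", c.server);
    extract_ticket_fixed(&rep, "ldap/dc1.example.com",
                         EXTRACT_TICKET_ALLOW_SERVER_MISMATCH, &c);
    printf("fixed caches:      %s\n", c.server);
    return 0;
}
```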
Comment 6 Andrew Bartlett 2017-07-12 05:42:16 UTC
(In reply to Andrew Bartlett from comment #5)
As there isn't a public exploit yet, I'm working on a reproducer so we can understand the impact on Samba given the flags we have forced on.  

We should drop the flags in the medium term, but right now I don't want a behaviour change.  I still think the upstream patch helps, but I need to be sure before we do a release.

I'll see what I can get done tonight NZ time.
Comment 7 Stefan Metzmacher 2017-07-12 07:02:23 UTC
(In reply to Andrew Bartlett from comment #6)

I think we need this fix and I'll prepare security releases, with it,
which will then be released today or tomorrow.

The problem is that the attacker is able to form the server field
in the victim's credential cache, which means the client
will use the ticket for a different service, which breaks the
mutual auth. The attacker needs to have control over an account
that is able to act as a service principal or a cross-realm trust.
Comment 8 Andrew Bartlett 2017-07-12 07:30:51 UTC
(In reply to Stefan Metzmacher from comment #7)
Thanks.  

That is the conclusion I want to come to also. 

Please let me know if there is anything more I can do to help.
Comment 9 Andrew Bartlett 2017-07-12 07:45:33 UTC
Private autobuilds on Samba 4.6 and 4.4 with this patch passed.  

The build of Samba 4.5 failed due to flapping tests, so I have re-submitted those just to be sure.

I continue to investigate writing the tests.
Comment 11 Stefan Metzmacher 2017-07-12 08:14:25 UTC
Do we need to get our own CVE number for this?
Comment 12 Andrew Bartlett 2017-07-12 08:14:45 UTC
(In reply to Andrew Bartlett from comment #9)
As expected, a private autobuild of Samba 4.5 has also passed
Comment 13 Andrew Bartlett 2017-07-12 08:21:32 UTC
(In reply to Stefan Metzmacher from comment #11)
I wasn't going to wait for one.  We are just a downstream of Heimdal.

I've been told to get our own CVE when we have essentially the same issue as Windows (rather than use theirs), but I think this is different: it really is the same bug, in the same code, at the same disclosure time.

Other CVEs seem to be across multiple downstreams with the same historical upstream:
https://nvd.nist.gov/vuln/detail/CVE-2010-3702
https://bugzilla.redhat.com/show_bug.cgi?id=789936
Comment 14 Andreas Schneider 2017-07-12 09:21:14 UTC
We are just downstream of Heimdal, so use the CVE from Heimdal.
Comment 15 Stefan Metzmacher 2017-07-12 09:25:33 UTC
(In reply to Andreas Schneider from comment #14)

Ok, I'm in the process of making the releases.
Comment 16 Stefan Metzmacher 2017-07-12 09:45:49 UTC
(In reply to Stefan Metzmacher from comment #15)

The tags are pushed and the tarballs are available at
https://download.samba.org/pub/samba/

I'll now work on the website and the announcement mail...
Comment 17 Stefan Metzmacher 2017-07-12 10:08:08 UTC
(In reply to Stefan Metzmacher from comment #16)

Also pushed to the autobuilds of master and v4-7-test.
Comment 18 Stefan Metzmacher 2017-07-12 10:22:54 UTC
Created attachment 13363
CVE-2017-11103-description.txt

Changes links to https:// and removes the outdated reference to http://samba.org/samba/patches/
Comment 19 Alexander Bokovoy 2017-07-12 10:24:27 UTC
Comment on attachment 13363
CVE-2017-11103-description.txt

Looks good.
Comment 20 Andrew Bartlett 2017-07-12 10:26:09 UTC
Comment on attachment 13363
CVE-2017-11103-description.txt

Thank you very much for all the hard work getting this pushed out!
Comment 27 Andrew Bartlett 2017-07-13 07:00:27 UTC
To be clear, this was released yesterday, no embargo.  We do apologise to our downstream users and distributors for the lack of notice this time.

https://www.samba.org/samba/security/CVE-2017-11103.html

and (eg)
https://www.samba.org/samba/history/samba-4.6.6.html

Official packages from SuSE, RHEL and Fedora are not impacted, as they all use MIT Kerberos.  I'm personally working with Debian to help push out updated packages.

Fixed in master with 3799a32e41134a2dff797ebeacf5abdb8d332e6e for Samba 4.7, plus new releases were made: 4.7rc2, 4.6.6, 4.5.12 and 4.4.15.
Comment 29 Andrew Bartlett 2017-09-21 06:43:08 UTC
Created attachment 13619
missing patch

This applies before attachment 13364
Comment 30 Andrew Bartlett 2017-09-21 18:57:50 UTC
Created attachment 13622
regression test patch for master

Attached is a complete regression test patch.