Bug 15077 - [SECURITY][EMBARGOED] TGTs and kpasswd tickets can be substituted for one another
Status: RESOLVED DUPLICATE of bug 15047
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: 4.14.13
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Reported: 2022-05-25 07:31 UTC by Jennifer Sutton
Modified: 2025-09-19 02:37 UTC
Description Jennifer Sutton 2022-05-25 07:31:17 UTC
Neither Samba nor Windows prevent TGTs being presented to the kpasswd service.

Samba >= 4.16 and Windows prevent the reverse scenario (incidentally) as a result of rejecting TGTs without a REQUESTER_SID buffer. We need to backport commit 38c5bad4a853b19fe9a51fb059e150b153c4632a to 4.14 and 4.15, or users are able to use kpasswd tickets to obtain service tickets despite having an expired password.

Additionally, Windows caps the lifetime (calculated as endtime - authtime) of tickets issued to kadmin/changepw to two minutes, and rejects any TGTs with a lifetime of two minutes or less, supposing them to be kadmin tickets. We might choose to follow this as an extra precaution against ticket misuse.
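
The two-minute rule and the REQUESTER_SID check from the description above, sketched as an added example; it is not part of the bug report and is not Samba or Windows code. The `ticket_view` struct and all function names are hypothetical, and times are plain seconds.

```c
#include <stdbool.h>
#include <stdint.h>

/* Two minutes: the cap the report gives for kadmin/changepw tickets. */
#define CHANGEPW_MAX_LIFETIME 120

/* Hypothetical, simplified view of a decrypted ticket (not a Samba, Heimdal
 * or MIT type). Times are seconds since the epoch. */
struct ticket_view {
    int64_t authtime;
    int64_t endtime;
    bool has_requester_sid;   /* PAC carries a REQUESTER_SID buffer */
};

enum tgt_verdict { TGT_OK, TGT_NO_REQUESTER_SID, TGT_LIFETIME_TOO_SHORT };

/* Issuance side: clamp the end time of a kadmin/changepw ticket so that
 * endtime - authtime never exceeds two minutes. */
int64_t cap_changepw_endtime(int64_t authtime, int64_t requested_endtime)
{
    int64_t limit = authtime + CHANGEPW_MAX_LIFETIME;
    return requested_endtime < limit ? requested_endtime : limit;
}

/* Validation side: decide whether a ticket presented as a TGT is acceptable. */
enum tgt_verdict check_presented_tgt(const struct ticket_view *t)
{
    if (!t->has_requester_sid)
        return TGT_NO_REQUESTER_SID;
    /* "Two minutes or less" is rejected, so the boundary value fails too;
     * a negative lifetime (endtime before authtime) is rejected as well. */
    if (t->endtime - t->authtime <= CHANGEPW_MAX_LIFETIME)
        return TGT_LIFETIME_TOO_SHORT;
    return TGT_OK;
}

/* Build the ticket a client would receive for kadmin/changepw under the cap.
 * with_sid is a parameter so the lifetime rule can be exercised on its own. */
struct ticket_view issue_changepw_ticket(int64_t authtime,
                                         int64_t requested_endtime,
                                         bool with_sid)
{
    struct ticket_view t = {
        authtime, cap_changepw_endtime(authtime, requested_endtime), with_sid
    };
    return t;
}
```

Because the cap and the rejection threshold share one constant, any ticket produced by `issue_changepw_ticket` fails `check_presented_tgt` even if it carries a REQUESTER_SID buffer.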
Comment 1 Andrew Bartlett 2022-06-07 08:52:54 UTC
This is a re-expression of the core issue in bug 15047 so close this to avoid confusion.

*** This bug has been marked as a duplicate of bug 15047 ***