15214 – (CVE-2022-45141) CVE-2022-45141 [SECURITY] Samba 4.15 and prior using Heimdal KDC allows selection of weaker ticket types

Bug 15214 (CVE-2022-45141) - CVE-2022-45141 [SECURITY] Samba 4.15 and prior using Heimdal KDC allows selection of weaker ticket types

Summary: CVE-2022-45141 [SECURITY] Samba 4.15 and prior using Heimdal KDC allows selec...

Status:	RESOLVED FIXED

Alias:	CVE-2022-45141

Product:	Samba 4.1 and newer
Classification:	Unclassified
Component:	AD: LDB/DSDB/SAMDB (show other bugs)
Version:	4.15.10
Hardware:	All All

Importance:	P5 normal (vote)
Target Milestone:	---
Assignee:	Samba QA Contact
QA Contact:	Samba QA Contact

URL:
Keywords:

Depends on:	CVE-2022-37966
Blocks:	15199 15232 15233 15234 15235 15238
	Show dependency tree / graph

Reported:	2022-10-25 01:14 UTC by Andrew Bartlett
Modified:	2022-12-16 11:54 UTC (History)
CC List:	6 users (show)

See Also:	15048 15199

Attachments
Patches for Heimdal that seem to be the upstream fix for selecting the strongest key (3.34 KB, patch) 2022-10-25 01:14 UTC, Andrew Bartlett	no flags	Details
Initial advisory without versions (2.60 KB, text/plain) 2022-11-14 03:08 UTC, Andrew Bartlett	no flags	Details
Patches for v4-15-test (4.15 KB, text/plain) 2022-12-07 19:11 UTC, Stefan Metzmacher	metze: ci-passed+	Details
CVE-2022-45141-avoid-arcfour-tickets-v02-ready.txt (2.60 KB, text/plain) 2022-12-15 13:54 UTC, Stefan Metzmacher	slow: review+	Details
Show Obsolete (1) View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andrew Bartlett 2022-10-25 01:14:08 UTC

Created attachment 17599 [details]
Patches for Heimdal that seem to be the upstream fix for selecting the strongest key

I've been looking over how, in a TGS-REP, we select the encryption type of ticket.  

The Kerberos ticket only needs to be readable to/decrypted by the target server, not the client. 

In Samba 4.15 (eg a version with the older Heimdal) we allow the client etypes to control this, and select the same type as the session key.

In Samba 4.16/4.17/master (eg a version with the modern Heimdal) we only use the strongest encryption type from the keys in our DB.  This is via _kdc_get_preferred_key(), which is not subject to client input. 

Therefore Samba 4.15 and older are the most vulnerable to the extent that arcfour-hmac-md5 is weak.

As a malicious client can get the KDC to issue a ticket encrypted with arcfour-hmac-md5, even if the server could have accepted an KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 key.

If, as warned in RFC 8429, arcfour-hmac-md5 is weak that may in turn allow discovery of the shared secret between the target server and the KDC.

Comment 1 Andrew Bartlett 2022-10-25 01:14:52 UTC

Samba 4.15 is in security fixes only mode, so this is marked [EMBARGOED] while we work out if we will do an embargoed security fix for this.

Comment 2 Andrew Bartlett 2022-11-11 18:42:23 UTC

The additional backport work here will depend on and interact with bug 15237 / CVE-2022-3938 which is to force in aes256-cts-hmac-sha1-96 keys in situations where arcfour-hmac-md5 would be used.

Comment 3 nico 2022-11-11 20:12:34 UTC

To clarify, we don't need to do anything about this in Heimdal, right, it's just Heimdal patches being backported to Samba?

Comment 4 Andrew Bartlett 2022-11-11 20:39:48 UTC

(In reply to nico from comment #3)
Yes, Heimdal fixed this in 2011 as far as I read it.  We just got really unlucky with when we last did an import before we gave ourself a scare and stopped syncing back up.

Comment 5 Andrew Bartlett 2022-11-14 03:08:43 UTC

Created attachment 17649 [details]
Initial advisory without versions

Comment 6 Samba QA Contact 2022-12-07 18:57:44 UTC

This bug was referenced in samba v4-15-test:

2be27ec1d7f3bfcdcac65bca1db53772535fe7bf
2ea3f2db8087e0a2c4a18c633b039c722cb6f829

Comment 7 Stefan Metzmacher 2022-12-07 19:11:40 UTC

Created attachment 17680 [details]
Patches for v4-15-test

These are already in v4-15-test, they passed a private autobuild

Comment 8 Stefan Metzmacher 2022-12-12 15:58:18 UTC

Will be in the next 4.15 release.

Comment 9 Andrew Bartlett 2022-12-12 21:05:10 UTC

Removing embargo as the patch in now in the v4-15-test branch pending a release.

Comment 10 Stefan Metzmacher 2022-12-15 10:24:02 UTC

Reopen in order to remember the advisory

Comment 11 Stefan Metzmacher 2022-12-15 13:54:56 UTC

Created attachment 17703 [details]
CVE-2022-45141-avoid-arcfour-tickets-v02-ready.txt

Comment 12 Samba QA Contact 2022-12-15 16:34:27 UTC

This bug was referenced in samba v4-15-stable (Release samba-4.15.13):

2be27ec1d7f3bfcdcac65bca1db53772535fe7bf
2ea3f2db8087e0a2c4a18c633b039c722cb6f829