Created attachment 17599: Patches for Heimdal that seem to be the upstream fix for selecting the strongest key
I've been looking over how, in a TGS-REP, we select the encryption type of the ticket. The Kerberos ticket only needs to be readable to/decrypted by the target server, not the client. In Samba 4.15 (e.g. a version with the older Heimdal) we allow the client etypes to control this, and select the same type as the session key. In Samba 4.16/4.17/master (e.g. a version with the modern Heimdal) we only use the strongest encryption type from the keys in our DB. This is via _kdc_get_preferred_key(), which is not subject to client input. Therefore Samba 4.15 and older are the most vulnerable to the extent that arcfour-hmac-md5 is weak, as a malicious client can get the KDC to issue a ticket encrypted with arcfour-hmac-md5, even if the server could have accepted a KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 key. If, as warned in RFC 8429, arcfour-hmac-md5 is weak, that may in turn allow discovery of the shared secret between the target server and the KDC.
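A simplified model of the two ticket-etype selection behaviours described in the comment above, as an added example that is not part of the original bug report and is not Samba or Heimdal code. The function names, the strength ordering and the sample key lists are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Kerberos encryption type numbers as registered with IANA. */
enum { ETYPE_NONE = 0, ETYPE_AES128 = 17, ETYPE_AES256 = 18, ETYPE_ARCFOUR = 23 };

/* Constructed sample data: a server with all three key types in the DB,
 * one with only an arcfour key, and a client that offers arcfour only. */
const int server_all_keys[] = { ETYPE_ARCFOUR, ETYPE_AES128, ETYPE_AES256 };
const int server_rc4_only[] = { ETYPE_ARCFOUR };
const int client_rc4_only[] = { ETYPE_ARCFOUR };

static int has_etype(const int *list, size_t n, int etype)
{
    for (size_t i = 0; i < n; i++)
        if (list[i] == etype)
            return 1;
    return 0;
}

/* Model of the older behaviour: the ticket etype follows the client's list,
 * taking the first requested etype the target server has a key for. */
int ticket_etype_client_driven(const int *client, size_t nc,
                               const int *keys, size_t nk)
{
    for (size_t i = 0; i < nc; i++)
        if (has_etype(keys, nk, client[i]))
            return client[i];
    return ETYPE_NONE;
}

/* Model of the newer behaviour: strongest key in the DB, no client input.
 * The ordering below is an assumption of this example. */
int ticket_etype_strongest_key(const int *keys, size_t nk)
{
    static const int order[] = { ETYPE_AES256, ETYPE_AES128, ETYPE_ARCFOUR };
    for (size_t i = 0; i < sizeof(order) / sizeof(order[0]); i++)
        if (has_etype(keys, nk, order[i]))
            return order[i];
    return ETYPE_NONE;
}

int main(void)
{
    printf("client-driven: %d\n", ticket_etype_client_driven(client_rc4_only, 1, server_all_keys, 3));
    printf("strongest key: %d\n", ticket_etype_strongest_key(server_all_keys, 3));
    printf("rc4-only server: %d\n", ticket_etype_strongest_key(server_rc4_only, 1));
    return 0;
}
```

The last case shows that strongest-key selection still yields arcfour-hmac-md5 when that is the only key stored for the server.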
Samba 4.15 is in security fixes only mode, so this is marked [EMBARGOED] while we work out if we will do an embargoed security fix for this.
The additional backport work here will depend on and interact with bug 15237 / CVE-2022-3938 which is to force in aes256-cts-hmac-sha1-96 keys in situations where arcfour-hmac-md5 would be used.
To clarify, we don't need to do anything about this in Heimdal, right, it's just Heimdal patches being backported to Samba?
(In reply to nico from comment #3) Yes, Heimdal fixed this in 2011 as far as I read it. We just got really unlucky with when we last did an import before we gave ourselves a scare and stopped syncing back up.
Created attachment 17649: Initial advisory without versions
This bug was referenced in samba v4-15-test: 2be27ec1d7f3bfcdcac65bca1db53772535fe7bf 2ea3f2db8087e0a2c4a18c633b039c722cb6f829
Created attachment 17680: Patches for v4-15-test
These are already in v4-15-test, they passed a private autobuild
Will be in the next 4.15 release.
Removing embargo as the patch is now in the v4-15-test branch pending a release.
Reopen in order to remember the advisory
Created attachment 17703: CVE-2022-45141-avoid-arcfour-tickets-v02-ready.txt
This bug was referenced in samba v4-15-stable (Release samba-4.15.13): 2be27ec1d7f3bfcdcac65bca1db53772535fe7bf 2ea3f2db8087e0a2c4a18c633b039c722cb6f829