Bug 15214 (CVE-2022-45141) - CVE-2022-45141 [SECURITY] Samba 4.15 and prior using Heimdal KDC allows selection of weaker ticket types
Summary: CVE-2022-45141 [SECURITY] Samba 4.15 and prior using Heimdal KDC allows selec...
Alias: CVE-2022-45141
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.15.10
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on: CVE-2022-37966
Blocks: 15199 15232 15233 15234 15235 15238
  Show dependency treegraph
Reported: 2022-10-25 01:14 UTC by Andrew Bartlett
Modified: 2022-12-16 11:54 UTC (History)
6 users (show)

See Also:

Patches for Heimdal that seem to be the upstream fix for selecting the strongest key (3.34 KB, patch)
2022-10-25 01:14 UTC, Andrew Bartlett
no flags Details
Initial advisory without versions (2.60 KB, text/plain)
2022-11-14 03:08 UTC, Andrew Bartlett
no flags Details
Patches for v4-15-test (4.15 KB, text/plain)
2022-12-07 19:11 UTC, Stefan Metzmacher
metze: ci-passed+
CVE-2022-45141-avoid-arcfour-tickets-v02-ready.txt (2.60 KB, text/plain)
2022-12-15 13:54 UTC, Stefan Metzmacher
slow: review+

Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2022-10-25 01:14:08 UTC
Created attachment 17599 [details]
Patches for Heimdal that seem to be the upstream fix for selecting the strongest key

I've been looking over how, in a TGS-REP, we select the encryption type of ticket.  

The Kerberos ticket only needs to be readable to/decrypted by the target server, not the client. 

In Samba 4.15 (eg a version with the older Heimdal) we allow the client etypes to control this, and select the same type as the session key.

In Samba 4.16/4.17/master (eg a version with the modern Heimdal) we only use the strongest encryption type from the keys in our DB.  This is via _kdc_get_preferred_key(), which is not subject to client input. 

Therefore Samba 4.15 and older are the most vulnerable to the extent that arcfour-hmac-md5 is weak.

As a malicious client can get the KDC to issue a ticket encrypted with arcfour-hmac-md5, even if the server could have accepted an KRB5_ENCTYPE_AES128_CTS_HMAC_SHA1_96 key.

If, as warned in RFC 8429, arcfour-hmac-md5 is weak that may in turn allow discovery of the shared secret between the target server and the KDC.
Comment 1 Andrew Bartlett 2022-10-25 01:14:52 UTC
Samba 4.15 is in security fixes only mode, so this is marked [EMBARGOED] while we work out if we will do an embargoed security fix for this.
Comment 2 Andrew Bartlett 2022-11-11 18:42:23 UTC
The additional backport work here will depend on and interact with bug 15237 / CVE-2022-3938 which is to force in aes256-cts-hmac-sha1-96 keys in situations where arcfour-hmac-md5 would be used.
Comment 3 nico 2022-11-11 20:12:34 UTC
To clarify, we don't need to do anything about this in Heimdal, right, it's just Heimdal patches being backported to Samba?
Comment 4 Andrew Bartlett 2022-11-11 20:39:48 UTC
(In reply to nico from comment #3)
Yes, Heimdal fixed this in 2011 as far as I read it.  We just got really unlucky with when we last did an import before we gave ourself a scare and stopped syncing back up.
Comment 5 Andrew Bartlett 2022-11-14 03:08:43 UTC
Created attachment 17649 [details]
Initial advisory without versions
Comment 6 Samba QA Contact 2022-12-07 18:57:44 UTC
This bug was referenced in samba v4-15-test:

Comment 7 Stefan Metzmacher 2022-12-07 19:11:40 UTC
Created attachment 17680 [details]
Patches for v4-15-test

These are already in v4-15-test, they passed a private autobuild
Comment 8 Stefan Metzmacher 2022-12-12 15:58:18 UTC
Will be in the next 4.15 release.
Comment 9 Andrew Bartlett 2022-12-12 21:05:10 UTC
Removing embargo as the patch in now in the v4-15-test branch pending a release.
Comment 10 Stefan Metzmacher 2022-12-15 10:24:02 UTC
Reopen in order to remember the advisory
Comment 11 Stefan Metzmacher 2022-12-15 13:54:56 UTC
Created attachment 17703 [details]
Comment 12 Samba QA Contact 2022-12-15 16:34:27 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.13):