Bug 15231 (CVE-2022-37967) - CVE-2022-37967 [SECURITY] Samba KDC needs to implement KrbtgtFullPacSignature to secure S4U2Proxy
Summary: CVE-2022-37967 [SECURITY] Samba KDC needs to implement KrbtgtFullPacSignature to secure S4U2Proxy
Alias: CVE-2022-37967
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB
Version: unspecified
Hardware: All
OS: All
Importance: P5 normal
Target Milestone: ---
Assignee: Jo Sutton
QA Contact: Samba QA Contact
Depends on:
Blocks: 15238
Reported: 2022-11-10 02:50 UTC by Andrew Bartlett
Modified: 2023-08-14 04:41 UTC
CC List: 7 users

See Also:
Attachments:
Initial advisory without versions or CVE number (2.33 KB, text/plain), 2022-11-10 03:35 UTC, Andrew Bartlett
Draft advisory without versions (v2) (2.51 KB, text/plain), 2022-11-14 02:06 UTC, Andrew Bartlett
Updated v3 advisory with MS CVE (2.32 KB, text/plain), 2022-11-15 21:38 UTC, Andrew Bartlett
Advisory v4 (3.43 KB, text/plain), 2022-12-01 03:13 UTC, Andrew Bartlett
Advisory v5 (3.75 KB, text/plain), 2022-12-12 23:22 UTC, Andrew Bartlett
CVE-2022-37967-KrbtgtFullPacSignature-v06-ready.txt (3.77 KB, text/plain), 2022-12-15 13:53 UTC, Stefan Metzmacher, flags: slow: review+

Description Andrew Bartlett 2022-11-10 02:50:05 UTC
https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb#thirdparty5020805 discloses a new Kerberos PAC buffer with a full-ticket signature.

This would appear to be important for securing the S4U2Proxy evidence ticket, as an attacker holding an account with the right to do constrained delegation could brute-force a HMAC-MD5 signature that matches the original but claims to be a privileged user, possibly by selecting its own password carefully.

The new PAC buffer is over the entire PAC, and is aes256-cts-hmac-sha1-96 or aes128-cts-hmac-sha1-96 only, so there is no reliance on the server signature.
Comment 1 Andrew Bartlett 2022-11-10 03:35:02 UTC
Created attachment 17643
Initial advisory without versions or CVE number
Comment 2 Andrew Bartlett 2022-11-11 18:11:40 UTC
For those trying to work out what this new signature is and how it is calculated, a WIP branch is here:

The new signature will eventually be documented as an MS-KILE errata, but we have worked it out in the meantime, using tests against a patched Windows 2019 server.
Comment 3 nico 2022-11-11 20:00:32 UTC
What is a good base commit to review jsutton24/kdc-fixes?
Comment 4 nico 2022-11-11 20:10:47 UTC
Where exactly is the definition of the new KrbtgtFullPacSignature PAC buffer?
Comment 5 Andrew Bartlett 2022-11-11 20:34:59 UTC
(In reply to nico from comment #4)
We have a thread with MS on cifs-protocol requesting this be documented.

C (in Heimdal) and Python implementations are here:

(In reply to nico from comment #3)
https://gitlab.com/samba-team/devel/lorikeet-heimdal/-/commits/lorikeet-heimdal-202210310104/ is the tree we imported and Samba master is based on.  That in turn follows up to ed406301740877c99ee5f0f8b9b30dbb67ae2da7 in Heimdal, but do see our patches in-between.
Comment 6 Andrew Bartlett 2022-11-12 05:10:22 UTC
https://twitter.com/SteveSyfuhs/status/1590087676992327681 suggests a disclosure date of Dec 2022 if not publicly disclosed earlier.
Comment 7 Andrew Bartlett 2022-11-14 02:06:24 UTC
Created attachment 17647
Draft advisory without versions (v2)
Comment 8 Andrew Bartlett 2022-11-14 22:51:15 UTC
Metze and I agreed that Samba will not do an incremental deployment of this feature.  It will be on and required as soon as the update is deployed.

The impact (need to get a new TGT) is on users accessing services that use constrained delegation (S4U2Proxy), and those users will experience a 'flag day', with all DCs required to be upgraded at nearly the same time.

This is because the evidence tickets they hold will not have the full signature on them.  However such tickets are typically obtained just before access to a service (but can be cached) so as long as all DCs are upgraded at the same point, disruption will be somewhat limited. 

The single-phase of deployment is due to resource and time constraints as we didn't get pre-disclosure of this issue.
Comment 9 nico 2022-11-14 23:46:39 UTC
Does AD still not support key history for principals?

What are the considerations around re-keying of manually-keyed cross-realm trust accounts?

For krbtgt/SOME-MIT-OR-HEIMDAL-REALM@SOME-AD-REALM you can just cpw/setkey on the principal on the MIT or Heimdal KDCs, wait for it to propagate, then change the password/key of that principal on the AD side.

For krbtgt/SOME-AD-REALM@SOME-MIT-OR-HEIMDAL-REALM, if AD still lacks key history, this is much harder, and requires first reducing the ticket lifetime of tickets issued for that service principal, then changing the keys on the AD and MIT or Heimdal sides at the same time, then restoring the long ticket lifetime setting after propagation.  Is this still correct?
Comment 10 Andrew Bartlett 2022-11-15 01:22:15 UTC
(In reply to nico from comment #9)
There is some support for re-key, less in Samba than in Windows AD (krbtgt key rollover in Samba can be disruptive), but comment #8 is not about changing keys or encryption types.

This bug is only about adding in and enforcing the presence of the new PAC buffer (KrbtgtFullPacSignature).

KrbtgtFullPacSignature is only in service tickets, so TGTs and trusts are not impacted, but a pre-update service ticket presented to Samba for constrained delegation will not be accepted.
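The two points made above, that the S4U2Proxy evidence ticket must carry the KrbtgtFullPacSignature buffer and that this buffer is AES-only (the description), and that a KDC should refuse a pre-update service ticket lacking it for constrained delegation (comment 10), as an added Python example. This is not code from the Samba project or from this bug: it walks the PACTYPE header and PAC_INFO_BUFFER array as laid out in MS-PAC, finds the signature buffers by type, and applies the presence and checksum-type check a KDC would make. The PAC blobs are constructed inline with zeroed signature bytes; the buffer type number 19 for the full PAC signature and the Kerberos checksum type constants are taken from the MS-PAC buffer-type table and RFC 3961/3962, not from this bug, and verifying the HMAC tag itself (which needs the krbtgt key) is deliberately left out.

```python
"""Walk a Kerberos PAC (MS-PAC PACTYPE) and check whether it carries the
KrbtgtFullPacSignature buffer with an AES checksum type, the way a KDC
would before accepting the ticket as S4U2Proxy evidence.  Added example;
the PAC bytes below are constructed here, with zeroed signature fields."""
import struct

# MS-PAC 2.4 buffer types (ulType); 19 is the full PAC checksum buffer
PAC_TYPE_SRV_CHECKSUM = 6      # server signature
PAC_TYPE_KDC_CHECKSUM = 7      # KDC (krbtgt) signature over the server signature
PAC_TYPE_FULL_CHECKSUM = 19    # KrbtgtFullPacSignature, over the whole PAC

# Kerberos checksum types carried in PAC_SIGNATURE_DATA.SignatureType
KERB_CHECKSUM_HMAC_MD5 = 0xFFFFFF76   # -138, rc4-hmac era, 16-byte tag
HMAC_SHA1_96_AES128 = 0x0000000F       # used with aes128-cts-hmac-sha1-96, 12-byte tag
HMAC_SHA1_96_AES256 = 0x00000010       # used with aes256-cts-hmac-sha1-96, 12-byte tag
AES_CHECKSUMS = {HMAC_SHA1_96_AES128, HMAC_SHA1_96_AES256}
SIG_LEN = {KERB_CHECKSUM_HMAC_MD5: 16, HMAC_SHA1_96_AES128: 12, HMAC_SHA1_96_AES256: 12}


def parse_pac(pac: bytes) -> dict:
    """Return {ulType: buffer bytes} from a PACTYPE blob, bounds-checked."""
    if len(pac) < 8:
        raise ValueError("PAC too short for header")
    cbuffers, version = struct.unpack_from("<II", pac, 0)
    if version != 0:
        raise ValueError(f"unsupported PACTYPE version {version}")
    if 8 + 16 * cbuffers > len(pac):
        raise ValueError("PAC_INFO_BUFFER array overruns PAC")
    buffers = {}
    for i in range(cbuffers):
        ultype, size, offset = struct.unpack_from("<IIQ", pac, 8 + 16 * i)
        if offset + size > len(pac):
            raise ValueError(f"buffer type {ultype} overruns PAC")
        if ultype in buffers:
            raise ValueError(f"duplicate buffer type {ultype}")
        buffers[ultype] = pac[offset:offset + size]
    return buffers


def signature_type(buf: bytes) -> int:
    """SignatureType field of a PAC_SIGNATURE_DATA buffer."""
    if len(buf) < 4:
        raise ValueError("signature buffer too short")
    return struct.unpack_from("<I", buf, 0)[0]


def evidence_pac_acceptable(pac: bytes) -> tuple:
    """Policy a KDC applies to the PAC of an S4U2Proxy evidence ticket.
    Returns (ok, reason).  Only presence and checksum type are checked;
    verifying the tag needs the krbtgt key and is out of scope here."""
    bufs = parse_pac(pac)
    for needed in (PAC_TYPE_SRV_CHECKSUM, PAC_TYPE_KDC_CHECKSUM):
        if needed not in bufs:
            return False, f"missing signature buffer type {needed}"
    if PAC_TYPE_FULL_CHECKSUM not in bufs:
        return False, "no KrbtgtFullPacSignature (type 19): pre-update ticket"
    ctype = signature_type(bufs[PAC_TYPE_FULL_CHECKSUM])
    if ctype not in AES_CHECKSUMS:
        return False, f"full PAC signature uses checksum type 0x{ctype:08x}, not AES"
    return True, "full PAC signature present with AES checksum"


def build_pac(sig_buffers) -> bytes:
    """Construct a PACTYPE blob from [(ulType, SignatureType)] with zeroed
    signature bytes; constructed test data, not a real KDC-issued PAC."""
    header_len = 8 + 16 * len(sig_buffers)
    body = b""
    infos = []
    for ultype, ctype in sig_buffers:
        data = struct.pack("<I", ctype) + b"\x00" * SIG_LEN[ctype]
        offset = header_len + len(body)
        infos.append(struct.pack("<IIQ", ultype, len(data), offset))
        body += data + b"\x00" * (-len(data) % 8)   # buffers are 8-byte aligned
    return struct.pack("<II", len(sig_buffers), 0) + b"".join(infos) + body


# Constructed inputs: a pre-update PAC (server + KDC HMAC-MD5 signatures only)
# and a post-update PAC that adds the AES-256 full signature.
OLD_PAC = build_pac([(PAC_TYPE_SRV_CHECKSUM, KERB_CHECKSUM_HMAC_MD5),
                     (PAC_TYPE_KDC_CHECKSUM, KERB_CHECKSUM_HMAC_MD5)])
NEW_PAC = build_pac([(PAC_TYPE_SRV_CHECKSUM, KERB_CHECKSUM_HMAC_MD5),
                     (PAC_TYPE_KDC_CHECKSUM, KERB_CHECKSUM_HMAC_MD5),
                     (PAC_TYPE_FULL_CHECKSUM, HMAC_SHA1_96_AES256)])

if __name__ == "__main__":
    for name, pac in (("old", OLD_PAC), ("new", NEW_PAC)):
        print(name, evidence_pac_acceptable(pac))
```

The rejection of the HMAC-MD5 case in `evidence_pac_acceptable` is the point of the buffer: a full-PAC signature that could itself be HMAC-MD5 keyed would reopen the brute-force route the description mentions, so a type-19 buffer with a non-AES checksum is treated as unacceptable rather than as a weaker variant.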
Comment 11 Andrew Bartlett 2022-11-15 21:30:57 UTC
Removing Samba-only CVE, Red Hat points to CVE counting rules that say for the same issue in multiple products but following one specification, use one CVE, so we will use the MS one.
Comment 12 Andrew Bartlett 2022-11-15 21:38:09 UTC
Created attachment 17655
Updated v3 advisory with MS CVE
Comment 13 Andrew Bartlett 2022-12-01 03:13:20 UTC
Created attachment 17672
Advisory v4

Updated with clear documentation on the flag day.

The new smb.conf options and session key changes probably need documenting.
Comment 14 Andrew Bartlett 2022-12-01 03:28:16 UTC
(In reply to Andrew Bartlett from comment #13)
Sorry, this is in bug 15237
Comment 15 Andrew Bartlett 2022-12-12 20:31:38 UTC
This issue is now fully public with a paper published:

Comment 16 Andrew Bartlett 2022-12-12 20:58:17 UTC
Opening these bugs to the public, and the core issue that triggered this is now described in a BlackHat Europe Presentation by Tom Tervoort, Principal Security Specialist at Secura.
Comment 17 Andrew Bartlett 2022-12-12 21:00:15 UTC
Removing the embargo tag as the code, and now a clear description, are public.
Comment 18 Andrew Bartlett 2022-12-12 23:22:39 UTC
Created attachment 17685
Advisory v5
Comment 19 Samba QA Contact 2022-12-13 14:07:21 UTC
This bug was referenced in samba master:

Comment 20 Samba QA Contact 2022-12-14 10:31:39 UTC
This bug was referenced in samba v4-15-test:

Comment 21 Samba QA Contact 2022-12-14 11:34:37 UTC
This bug was referenced in samba v4-16-test:

Comment 22 Samba QA Contact 2022-12-14 12:41:29 UTC
This bug was referenced in samba v4-17-test:

Comment 23 Stefan Metzmacher 2022-12-15 13:53:26 UTC
Created attachment 17702
CVE-2022-37967-KrbtgtFullPacSignature-v06-ready.txt
Comment 24 Samba QA Contact 2022-12-15 16:32:15 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.8):

Comment 25 Samba QA Contact 2022-12-15 16:33:40 UTC
This bug was referenced in samba v4-15-stable (Release samba-4.15.13):

Comment 26 Samba QA Contact 2022-12-15 16:33:49 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.4):

Comment 27 Greg Hudson 2022-12-22 08:33:38 UTC
I have an initial implementation of this for MIT krb5 at https://github.com/krb5/krb5/pull/1284 .  Does the Samba team by chance have a captured DER-encoded service ticket with associated server and krbtgt key that I could use for testing?
Comment 28 Stefan Metzmacher 2023-01-09 09:28:28 UTC
(In reply to Greg Hudson from comment #27)

I have captures with keytabs here:

This wireshark branch is also able to show which key was used for the signature:
Comment 29 Stefan Metzmacher 2023-01-09 09:31:44 UTC
(In reply to Stefan Metzmacher from comment #28)

I guess w2022-l7.base-administrator-kinit-smbclient-w2022-118.w2022-l7.base-ok-01.* is what you want to look at...
Comment 30 Greg Hudson 2023-01-09 17:39:48 UTC
I don't see full checksums in either of the tickets issued in that trace, presumably because they are both TGTs.
Comment 31 Stefan Metzmacher 2023-01-10 07:22:57 UTC
(In reply to Greg Hudson from comment #30)

w2022-l7.base-administrator-kinit-smbclient-w2022-118.w2022-l7.base-ok-01.pcap.gz frame 161 (gets the ticket from the KDC) and frame 186 (uses it for SMB3 access)
Comment 32 Greg Hudson 2023-01-10 15:14:05 UTC
Thanks; I had somehow downloaded the ub1404 failure trace thinking it was the w2022 base trace.  I see a PAC with a full checksum in frame 161 of the correct trace.
Comment 33 Samba QA Contact 2023-08-14 04:41:12 UTC
This bug was referenced in samba master: