Microsoft had released CVE-2022-37966 (Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability) and CVE-2022-37967 (Windows Kerberos Elevation of Privilege Vulnerability)
For Samba, Andrew Bartlett and Joseph Sutton of Catalyst and the Samba Team are investigating this issue, using our background in the protocol, the public advisories and our protocol testsuite. So far it is clear to us by the nature of disclosed and discoverable protocol changes that the issues are protocol weaknesses, and so will impact Samba
While the presence of these issues are essentially public, this notice is embargoed for now until it is clear that others not involved in fixing this issue have understood the attack. Sadly issues on the Microsoft side will be preventing deployment, and while we wait for MS to issue patches, Samba's response is also delayed as we will be seeking to match the new behaviour as much as possible.
As much as possible the Samba Team will still follow the Samba security process, with backports and a release, but for reasons of efficiency, code development will happen in the open, as this tooling is more efficient, cross-project coordination is needed and our time is limited.
Therefore you may see references to CVE-2022-3938, CVE-2022-45141 and CVE-2022-45142 in a Samba, Heimdal or MIT context.
Release dates will be set, possibly without significant notice, once patches are ready. This and the depends-on bugs will be opened to vendors and potentially the public as we get closer to that point.
Microsoft staff have also posted that public disclosure by their reporter can be expected in Dec 2022.
If you are able to offer practical assistance or had further information (public or private research on these, existing examples of detailed disclosure) please be in touch.
(In reply to Andrew Bartlett from comment #0)
Just to note that Samba will use the MS CVEs for CVE-2022-37966 and CVE-2022-37967 rather than CVE-2022-3938 and CVE-2022-45142.
This is per the CVE counting rules.
An initial set of patches for the most important issues is under development review at https://gitlab.com/samba-team/samba/-/merge_requests/2803
At Blackhat Europe, Tom Tervoort, Principal Security Specialist at Secura presented this attack:
In the paper https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf, he writes:
> In practice, I think it is pretty unlikely that this constrained delegation
> attack will be actually used by pentesters, red teamers or malicious
> attackers. The situations in which it offers an advantage are
> limited, the attack is difficult to perform and it requires
> spending a hours on computing an MD5 collision.
This underscores the Samba Team's response to this issue, which has been to develop a matching response to Microsoft's release once we were given the information.
The CVSS scores in the advisories are correct, in the way they run the CVSS3.1 algorithm, but neither is this a 'stop everything and panic' situation.
For this reason, and to ship important fixes and some other similar severity security fixes, Samba will be releasing these fixes shortly in new maintenance releases (including a 4.15 release), not as stand-alone security releases.
Removing the embargo tag as the code and now a clear description is now public.