Bug 15238 - [SECURITY] Samba AD DC response to Nov 2022 MS arcfour-hmac-md5 advisory
Summary: [SECURITY] Samba AD DC response to Nov 2022 MS arcfour-hmac-md5 advisory
Alias: None
Product: Samba 4.1 and newer
Classification: Unclassified
Component: AD: LDB/DSDB/SAMDB (show other bugs)
Version: 4.17.1
Hardware: All All
: P5 normal (vote)
Target Milestone: ---
Assignee: Samba QA Contact
QA Contact: Samba QA Contact
Depends on: CVE-2022-44640 15197 CVE-2022-45141 CVE-2022-37967 CVE-2022-37966 CVE-2022-38023 15253 15258
Blocks: 15244
  Show dependency treegraph
Reported: 2022-11-13 21:20 UTC by Andrew Bartlett
Modified: 2022-12-16 11:51 UTC (History)
11 users (show)

See Also:


Note You need to log in before you can comment on or make changes to this bug.
Description Andrew Bartlett 2022-11-13 21:20:50 UTC
Microsoft had released CVE-2022-37966 (Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability) and CVE-2022-37967 (Windows Kerberos Elevation of Privilege Vulnerability)

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1)
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

For Samba, Andrew Bartlett and Joseph Sutton of Catalyst and the Samba Team are investigating this issue, using our background in the protocol, the public advisories and our protocol testsuite.  So far it is clear to us by the nature of disclosed and discoverable protocol changes that the issues are protocol weaknesses, and so will impact Samba

While the presence of these issues are essentially public, this notice is embargoed for now until it is clear that others not involved in fixing this issue have understood the attack.  Sadly issues on the Microsoft side will be preventing deployment[1], and while we wait for MS to issue patches, Samba's response is also delayed as we will be seeking to match the new behaviour as much as possible. 

As much as possible the Samba Team will still follow the Samba security process, with backports and a release, but for reasons of efficiency, code development will happen in the open, as this tooling is more efficient, cross-project coordination is needed and our time is limited.  

Therefore you may see references to CVE-2022-3938, CVE-2022-45141 and CVE-2022-45142 in a Samba, Heimdal or MIT context. 

Release dates will be set, possibly without significant notice, once patches are ready.  This and the depends-on bugs will be opened to vendors and potentially the public as we get closer to that point. 

Microsoft staff have also posted[2] that public disclosure by their reporter can be expected in Dec 2022.

If you are able to offer practical assistance or had further information (public  or private research on these, existing examples of detailed disclosure) please be in touch. 

[1] https://twitter.com/SteveSyfuhs/status/1590455509781733376
[2] https://twitter.com/SteveSyfuhs/status/1590087676992327681
Comment 1 Andrew Bartlett 2022-11-15 21:57:53 UTC
(In reply to Andrew Bartlett from comment #0)
Just to note that Samba will use the MS CVEs for CVE-2022-37966 and CVE-2022-37967 rather than CVE-2022-3938 and CVE-2022-45142.  

This is per the CVE counting rules.
Comment 2 Andrew Bartlett 2022-11-18 03:58:32 UTC
An initial set of patches for the most important issues is under development review at https://gitlab.com/samba-team/samba/-/merge_requests/2803
Comment 3 Andrew Bartlett 2022-12-12 20:53:24 UTC
At Blackhat Europe, Tom Tervoort, Principal Security Specialist at Secura presented this attack:

In the paper https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf, he writes:

> In practice, I think it is pretty unlikely that this constrained delegation
> attack will be actually used by pentesters, red teamers or malicious
> attackers. The situations in which it offers an advantage are
> limited, the attack is difficult to perform and it requires 
> spending a hours on computing an MD5 collision.

This underscores the Samba Team's response to this issue, which has been to develop a matching response to Microsoft's release once we were given the information. 

The CVSS scores in the advisories are correct, in the way they run the CVSS3.1 algorithm, but neither is this a 'stop everything and panic' situation. 

For this reason, and to ship important fixes and some other similar severity security fixes, Samba will be releasing these fixes shortly in new maintenance releases (including a 4.15 release), not as stand-alone security releases.
Comment 4 Andrew Bartlett 2022-12-12 20:59:40 UTC
Removing the embargo tag as the code and now a clear description is now public.