===========================================================
== Subject:     Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
==
== CVE ID#:     CVE-2018-16860
==
== Versions:    All Samba versions since Samba 4.0
==
== Summary:     The checksum validation in the S4U2Self handler in
==              the KDC did not first confirm that the checksum
==              was keyed, allowing replacement of the requested
==              target principal.
===========================================================

===========
Description
===========

S4U2Self (aka protocol transition) is an extension to Kerberos used in
Active Directory that allows a server to obtain Kerberos tickets for
arbitrary users, issued only to the local server itself. This is helpful
in obtaining the full list of groups (SIDs) for a user given only a login
name (see MS-SFU).

S4U2Proxy (aka constrained delegation) extends this mechanism so that the
impersonation can be carried over the network, allowing a privileged
server to assert the identity of any user (who has presumably asserted
their own identity to that server via a non-Kerberos protocol).

The flaw in Samba's AD DC is that the Heimdal KDC, when checking the
checksum that the requesting server places on the S4U2Self packet to
protect the target principal against modification, does not confirm that
the checksum algorithm is keyed. This allows a man-in-the-middle (MITM)
to modify the packet and replace the checksum with an unkeyed CRC32
checksum, which can be computed without any secret knowledge.

This in turn would allow a ticket requested on behalf of user@EXAMPLE.COM
to be issued instead on behalf of (and to contain the PAC of)
administrator@EXAMPLE.COM.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.12, 4.9.8 and 4.10.3 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.
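The following is an added worked example, not code from the advisory or
from Samba/Heimdal. It models the checksum check described above in
Python: an honest server protects the target principal in its S4U2Self
request (the PA-FOR-USER padata of MS-SFU 2.2.1) with an HMAC-MD5
checksum keyed with its TGT session key; an attacker between the server
and the KDC rewrites the target name and substitutes an unkeyed CRC32
checksum; a KDC that verifies whatever checksum type the request names
accepts the forgery, while one that first rejects unkeyed checksum types
does not. The byte layout of the checksummed body follows MS-SFU; the
use of zlib's CRC-32 in place of the Kerberos CRC32 variant, the 16-byte
session key, and the dict representation of the padata are simplifying
assumptions made for this example.

```python
import hashlib
import hmac
import struct
import zlib

# Checksum type numbers: CRC32 from RFC 3961, HMAC-MD5 (-138) from MS-SFU 2.2.1.
CKSUMTYPE_CRC32 = 1        # unkeyed: anyone on the path can compute it
CKSUMTYPE_HMAC_MD5 = -138  # keyed with the requesting service's TGT session key
KEYED_CKSUMTYPES = {CKSUMTYPE_HMAC_MD5}

KRB5_NT_PRINCIPAL = 1      # name-type from RFC 4120


def pa_for_user_body(user: str, realm: str, auth_package: str = "Kerberos") -> bytes:
    """Bytes covered by the PA-FOR-USER checksum (MS-SFU 2.2.1): the
    name-type as a 4-byte little-endian integer, then the name string(s),
    the realm and the auth-package string, concatenated."""
    return (struct.pack("<I", KRB5_NT_PRINCIPAL)
            + user.encode() + realm.encode() + auth_package.encode())


def compute_checksum(cksumtype: int, key: bytes, body: bytes) -> bytes:
    if cksumtype == CKSUMTYPE_HMAC_MD5:
        return hmac.new(key, body, hashlib.md5).digest()
    if cksumtype == CKSUMTYPE_CRC32:
        # Assumption/simplification: zlib's CRC-32 stands in for the Kerberos
        # CRC32 checksum variant. The point is that no key is involved at all.
        return struct.pack("<I", zlib.crc32(body) & 0xFFFFFFFF)
    raise ValueError(f"unsupported checksum type {cksumtype}")


def build_pa_for_user(session_key: bytes, user: str, realm: str) -> dict:
    """What an honest server sends: the target name under a keyed checksum."""
    body = pa_for_user_body(user, realm)
    return {"user": user, "realm": realm, "cksumtype": CKSUMTYPE_HMAC_MD5,
            "checksum": compute_checksum(CKSUMTYPE_HMAC_MD5, session_key, body)}


def mitm_rewrite(pa: dict, new_user: str) -> dict:
    """Attacker on the path to the KDC: swap the target principal and
    re-checksum with CRC32, which needs no knowledge of the session key."""
    body = pa_for_user_body(new_user, pa["realm"])
    return {**pa, "user": new_user, "cksumtype": CKSUMTYPE_CRC32,
            "checksum": compute_checksum(CKSUMTYPE_CRC32, b"", body)}


def kdc_verify_vulnerable(pa: dict, session_key: bytes) -> bool:
    """Pre-fix logic: verify whatever checksum type the request names."""
    body = pa_for_user_body(pa["user"], pa["realm"])
    try:
        expected = compute_checksum(pa["cksumtype"], session_key, body)
    except ValueError:
        return False
    return hmac.compare_digest(expected, pa["checksum"])


def kdc_verify_fixed(pa: dict, session_key: bytes) -> bool:
    """Post-fix logic: refuse unkeyed checksum types before verifying."""
    if pa["cksumtype"] not in KEYED_CKSUMTYPES:
        return False
    return kdc_verify_vulnerable(pa, session_key)


if __name__ == "__main__":
    key = bytes(range(16))  # constructed stand-in for the TGT session key
    honest = build_pa_for_user(key, "user", "EXAMPLE.COM")
    forged = mitm_rewrite(honest, "administrator")
    print("honest request, vulnerable KDC:", kdc_verify_vulnerable(honest, key))
    print("honest request, fixed KDC:     ", kdc_verify_fixed(honest, key))
    print("forged request, vulnerable KDC:", kdc_verify_vulnerable(forged, key))
    print("forged request, fixed KDC:     ", kdc_verify_fixed(forged, key))
```

Note that simply renaming the target while leaving the original HMAC-MD5
checksum in place fails on both verifiers; the forgery only works because
the vulnerable verifier lets the attacker choose the checksum type.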
==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

==========================
Workaround and Mitigations
==========================

If no server takes privileged actions based on tickets obtained by
S4U2Self, nor obtains tickets via S4U2Proxy, then this issue cannot be
exploited.

The path to an exploit is not generic: the KDC itself is not harmed by
the malicious checksum. It is the client service requesting the ticket
that is misled, because it trusted the KDC to return the correct ticket
and PAC.

A possible path to exploit is a server that authenticates users with
X509 certificates and then uses S4U2Self to obtain a ticket on behalf of
the user, either to authorize access to local resources or to use via
the S4U2Proxy extension to provide access to network resources. In such
a scenario, and under some conditions, a malicious user could
authenticate using the certificate of an unprivileged user and then
elevate their privileges by intercepting the packet from the server to
the KDC and changing the requested principal name.

The only Samba clients that use S4U2Self are:

 - the "net ads kerberos pac dump" (debugging) tool.
 - the CIFS proxy in the deprecated/developer-only NTVFS file server.

In particular, winbindd does not use S4U2Self.

=======
Credits
=======

Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
Team and Catalyst. Patches provided by Isaac Boukris.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================