CVSS3 score: 6.5 Medium
Attack Vector: ADJACENT_NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
Vector string: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CVSS2 score: 3.3 Low
Access Vector: ADJACENT_NETWORK
Access Complexity: LOW
Authentication: NONE
Confidentiality Impact: PARTIAL
Integrity Impact: NONE
Availability Impact: NONE
Vector string: AV:A/AC:L/Au:N/C:P/I:N/A:N
EPSS score: 0.007 Low
EPSS percentile: 79.2%
The Samba client code always requests a forwardable Kerberos ticket when
performing Kerberos authentication by passing the GSS_C_DELEG_FLAG to the
gss_init_sec_context() GSSAPI function.
The use of GSS_C_DELEG_FLAG, if accepted by the Kerberos KDC, results in
passing the forwardable TGT to the remote target service via Kerberos AP-REQ.
The target service by design must be part of the same or a trusted Kerberos
realm (a domain in the same or trusted Active Directory forest).
The service that accepts the AP-REQ from the client can thus do whatever the
client is also able to achieve with the Kerberos TGT.
The risks of impersonation of the client are similar to the well-known risks
from forwarding of NTLM credentials, with two important differences:
Finally, it should be noted that typically the connections involved
are either explicitly requested, or are between or to Domain
Controllers already of ultimate privilege.
In the Active Directory world it’s possible for administrators to
limit the delegation. User and computer objects can both act as
Kerberos users and also as Kerberos services. Both types of objects have an
attribute called ‘userAccountControl’ which is a bitmask that controls the
behavior of the account. The following three values have impact on possible
delegation:
0x00100000: UF_NOT_DELEGATED
UF_NOT_DELEGATED can be used to disable the ability to get a forwardable TGT
for the account. It means the KDC will respond with an error if the client asks
for a forwardable ticket. The client typically gives up, removes the
GSS_C_DELEG_FLAG flag and continues without passing delegated credentials.
Administrators can use this to disable possible delegation for the most
privileged accounts (e.g. administrator accounts).
0x00080000: UF_TRUSTED_FOR_DELEGATION
If the UF_TRUSTED_FOR_DELEGATION is set on an account a KDC will include the
OK_AS_DELEGATE flag in a granted service ticket. If the client application
uses just GSS_C_DELEG_POLICY_FLAG (instead of GSS_C_DELEG_FLAG) gssapi/Kerberos
libraries typically only include delegated credentials when the service ticket
includes the OK_AS_DELEGATE flag. Administrators can use this to control which
services will get delegated credentials, for example if the service runs in a
trusted environment and actually requires the presence of delegated
credentials.
0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is not really relevant for this
CVE and is listed here only for completeness. This flag is relevant for the
S4U2Proxy feature, where a service can ask the KDC for a proxied service
ticket which can impersonate users to other services.
The patched Samba version will still use GSS_C_DELEG_POLICY_FLAG and provide
delegated credentials to services which have the UF_TRUSTED_FOR_DELEGATION
bitmask set on the user account.
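The interaction of the userAccountControl bits described above with the two GSSAPI request flags, modelled as an added example (this is not code from the Samba advisory or the Samba project). It decodes the three delegation-relevant bits and reports, for a set of constructed client and service accounts, whose forwardable TGT a Samba client would hand to which service under the unpatched GSS_C_DELEG_FLAG behaviour versus the patched GSS_C_DELEG_POLICY_FLAG behaviour. The account-type base bits (NORMAL_ACCOUNT, WORKSTATION_TRUST_ACCOUNT, SERVER_TRUST_ACCOUNT) and the numeric GSS flag values are standard Active Directory and MIT krb5 values that do not appear on this page; the sample accounts are invented.

```python
# Added example, not code from the Samba advisory or the Samba project.
# Models which userAccountControl bits decide whether a client's forwardable
# TGT ends up in the AP-REQ sent to a service, under the old (GSS_C_DELEG_FLAG)
# and patched (GSS_C_DELEG_POLICY_FLAG) client behaviour. All accounts below
# are constructed sample data.

# userAccountControl bits named in the advisory
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_NOT_DELEGATED = 0x00100000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000

# Account-type base bits (standard AD values, not from the advisory); only used
# to make the constructed sample accounts realistic.
UF_NORMAL_ACCOUNT = 0x00000200
UF_WORKSTATION_TRUST_ACCOUNT = 0x00001000
UF_SERVER_TRUST_ACCOUNT = 0x00002000

# GSSAPI request flags (numeric values as defined in the MIT krb5 headers)
GSS_C_DELEG_FLAG = 1
GSS_C_DELEG_POLICY_FLAG = 32768


def decode_uac(uac: int) -> dict:
    """Report the three delegation-relevant bits of a userAccountControl value."""
    return {
        "not_delegated": bool(uac & UF_NOT_DELEGATED),
        "trusted_for_delegation": bool(uac & UF_TRUSTED_FOR_DELEGATION),
        "trusted_to_auth_for_delegation": bool(
            uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
    }


def kdc_issues_forwardable_tgt(client_uac: int) -> bool:
    """The KDC answers a forwardable-TGT request with an error when
    UF_NOT_DELEGATED is set on the client account."""
    return not (client_uac & UF_NOT_DELEGATED)


def service_ticket_ok_as_delegate(service_uac: int) -> bool:
    """The KDC sets OK_AS_DELEGATE in the service ticket only when the
    service account has UF_TRUSTED_FOR_DELEGATION."""
    return bool(service_uac & UF_TRUSTED_FOR_DELEGATION)


def tgt_forwarded(client_uac: int, service_uac: int, req_flags: int) -> bool:
    """Does the client's TGT end up in the AP-REQ sent to the service?"""
    if not kdc_issues_forwardable_tgt(client_uac):
        # Client gets an error, drops the delegation flag and continues
        # without delegated credentials.
        return False
    if req_flags & GSS_C_DELEG_FLAG:
        # Unpatched Samba client: delegates regardless of the target service.
        return True
    if req_flags & GSS_C_DELEG_POLICY_FLAG:
        # Patched client: delegates only if the ticket carries OK_AS_DELEGATE.
        return service_ticket_ok_as_delegate(service_uac)
    return False


# Constructed sample directory: two client accounts and two service accounts.
CLIENTS = {
    "administrator": UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED,  # protected admin
    "alice": UF_NORMAL_ACCOUNT,                             # ordinary user
}
SERVICES = {
    "FILESRV$": UF_WORKSTATION_TRUST_ACCOUNT,               # not trusted
    "DC1$": UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION,
}


def exposure_report(req_flags: int, clients=CLIENTS, services=SERVICES) -> dict:
    """For each service, the client accounts whose TGT a Samba client using
    req_flags would hand over to that service."""
    return {
        svc: sorted(name for name, uac in clients.items()
                    if tgt_forwarded(uac, svc_uac, req_flags))
        for svc, svc_uac in services.items()
    }


if __name__ == "__main__":
    for label, flags in (("GSS_C_DELEG_FLAG (unpatched)", GSS_C_DELEG_FLAG),
                         ("GSS_C_DELEG_POLICY_FLAG (patched)",
                          GSS_C_DELEG_POLICY_FLAG)):
        print(label, exposure_report(flags))
```

Running it shows the difference the patch makes: with GSS_C_DELEG_FLAG, alice's TGT goes to every service she authenticates to, including the untrusted FILESRV$; with GSS_C_DELEG_POLICY_FLAG only DC1$, which carries UF_TRUSTED_FOR_DELEGATION, receives it. The administrator account, with UF_NOT_DELEGATED set, is never forwarded in either mode, which is the workaround the advisory points to.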
A patch addressing this defect has been posted to
https://www.samba.org/samba/security/
Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.
See the description about UF_NOT_DELEGATED above.
The samba-tool command and the AD DC mode honours the undocumented
“gensec_gssapi:delegation=no” option in the [global] section of the
smb.conf file.
This vulnerability was discovered by Simo Sorce of Red Hat and
researched by Stefan Metzmacher of SerNet (https://samba.plus) both
members of the Samba Team (https://www.samba.org). Stefan Metzmacher
also provided the fixes.