CVSS3
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS Percentile: 93.6%
Kerberos constrained delegation, also known as S4U2Proxy, requires
that the intermediate service present to the KDC a valid Kerberos
ticket (including the PAC) obtained by the user, as evidence that the
user had authenticated, so that a new ticket can be issued for the
target server.
The Kerberos PAC is signed in multiple stages, but the important
protection of the SID list (list of user groups) in the PAC is done
first with the server’s key, and then with the krbtgt key over that
result.
However, the rc4-hmac cipher as implemented in Kerberos is weak in
2022, for two reasons:
The implementation in Kerberos is HMAC-MD5(MD5(DATA),KEY), meaning
that the attack on the PAC can be done using the chosen-prefix
techniques for MD5 without knowing the key.
The intermediate server knows its own password (the key used in the
HMAC-MD5 step) and can set it to arbitrary values.
It is therefore feasible to brute-force a new server checksum that
matches the value already signed by the krbtgt key, but over a PAC
that now includes a privileged group.
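To make the signature chain concrete, the following is an added example (not Samba's code and not from the advisory's authors) that models the two-stage PAC signing described above in Python. It implements the RFC 4757 rc4-hmac checksum shape the advisory refers to (HMAC-MD5 keyed over an unkeyed MD5 of the data) beside a simplified AES-style keyed checksum, and contrasts the pre-patch check, where the krbtgt key is applied only to the 16-byte server checksum value, with a modelled full PAC checksum keyed by krbtgt in the spirit of KrbtgtFullPacSignature. The PAC body layout, the `full_sig` field, the aes checksum without key derivation, the checksum dictionary, and all keys, names and group RIDs are assumptions for illustration; no collision search is included.

```python
import hashlib
import hmac
import struct

KERB_NON_KERB_CKSUM_SALT = 17        # key usage number applied to PAC signatures
CKSUM_HMAC_MD5 = -138                # rc4-hmac checksum type, RFC 4757
CKSUM_HMAC_SHA1_96_AES256 = 16       # aes256-cts-hmac-sha1-96 checksum type, RFC 3962


def rc4_hmac_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """RFC 4757 section 4 checksum. Note the shape the advisory points at:
    the key is applied only to the 16-byte unkeyed MD5 of the data, so two
    inputs with colliding MD5 produce the same checksum under every key."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def aes_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """Simplified stand-in for HMAC-SHA1-96: the key is applied to the data
    itself. Real aes256 checksums first derive a usage-specific key Kc
    (RFC 3962); that derivation is omitted here (assumption)."""
    return hmac.new(key, struct.pack("<I", usage) + data, hashlib.sha1).digest()[:12]


CHECKSUMS = {CKSUM_HMAC_MD5: rc4_hmac_checksum, CKSUM_HMAC_SHA1_96_AES256: aes_checksum}


def encode_pac_body(user: str, group_rids: list) -> bytes:
    """Constructed stand-in for the PAC logon-info buffer: user name plus
    the group list (RIDs). Real PACs are NDR-encoded MS-PAC structures."""
    return user.encode() + b"\x00" + b"".join(struct.pack("<I", r) for r in sorted(group_rids))


def sign_pac(body, server_key, server_ctype, krbtgt_key, krbtgt_ctype, full_checksum=False):
    """The two-stage chain from the advisory: server key over the body, then
    the krbtgt key over the server checksum *value*. With full_checksum=True
    the krbtgt key is also applied to the body itself (model of the hardened
    form; an assumption about the patched behaviour)."""
    pac = {"body": body, "server_ctype": server_ctype, "kdc_ctype": krbtgt_ctype}
    pac["server_sig"] = CHECKSUMS[server_ctype](server_key, KERB_NON_KERB_CKSUM_SALT, body)
    pac["kdc_sig"] = CHECKSUMS[krbtgt_ctype](krbtgt_key, KERB_NON_KERB_CKSUM_SALT, pac["server_sig"])
    if full_checksum:
        pac["full_sig"] = CHECKSUMS[krbtgt_ctype](krbtgt_key, KERB_NON_KERB_CKSUM_SALT, body)
    return pac


def verify_pac_legacy(pac, server_key, krbtgt_key) -> bool:
    """Pre-patch check on an S4U2Proxy evidence ticket. The server-key step
    is the only one that touches the group list, and that key belongs to
    the intermediate service, which can set it to any value."""
    server_ok = hmac.compare_digest(
        CHECKSUMS[pac["server_ctype"]](server_key, KERB_NON_KERB_CKSUM_SALT, pac["body"]), pac["server_sig"])
    kdc_ok = hmac.compare_digest(
        CHECKSUMS[pac["kdc_ctype"]](krbtgt_key, KERB_NON_KERB_CKSUM_SALT, pac["server_sig"]), pac["kdc_sig"])
    return server_ok and kdc_ok


def verify_pac_full(pac, server_key, krbtgt_key) -> bool:
    """Hardened check: the krbtgt-keyed full checksum is mandatory, which is
    the flag day the advisory mentions (tickets without it are rejected)."""
    if "full_sig" not in pac:
        return False
    full_ok = hmac.compare_digest(
        CHECKSUMS[pac["kdc_ctype"]](krbtgt_key, KERB_NON_KERB_CKSUM_SALT, pac["body"]), pac["full_sig"])
    return full_ok and verify_pac_legacy(pac, server_key, krbtgt_key)


def krbtgt_keyed_input(pac, full_checksum: bool) -> bytes:
    """The bytes the krbtgt key is actually applied to in each mode."""
    return pac["body"] if full_checksum else pac["server_sig"]


def demo() -> dict:
    server_key, krbtgt_key = b"\x11" * 16, b"\x22" * 32      # constructed keys
    body = encode_pac_body("alice", [513, 1105])
    legacy = sign_pac(body, server_key, CKSUM_HMAC_MD5, krbtgt_key, CKSUM_HMAC_SHA1_96_AES256)
    hardened = sign_pac(body, server_key, CKSUM_HMAC_MD5, krbtgt_key, CKSUM_HMAC_SHA1_96_AES256,
                        full_checksum=True)
    # A modified group list re-signed under a server key of the service's choosing:
    # without an MD5 collision the server checksum value changes, so the krbtgt step fails.
    other_key = b"\x33" * 16
    modified = dict(legacy, body=encode_pac_body("alice", [513, 1105, 512]))
    modified["server_sig"] = rc4_hmac_checksum(other_key, KERB_NON_KERB_CKSUM_SALT, modified["body"])
    return {
        "legacy_valid": verify_pac_legacy(legacy, server_key, krbtgt_key),
        "hardened_valid": verify_pac_full(hardened, server_key, krbtgt_key),
        "pre_patch_ticket_rejected_after_flag_day": not verify_pac_full(legacy, server_key, krbtgt_key),
        "modified_rejected_without_collision": not verify_pac_legacy(modified, other_key, krbtgt_key),
        "krbtgt_bytes_legacy": len(krbtgt_keyed_input(legacy, False)),
        "krbtgt_bytes_full": len(krbtgt_keyed_input(hardened, True)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two `krbtgt_bytes_*` results are the point: in the pre-patch chain the krbtgt key covers 16 bytes that are a function of the service-controlled key and an unkeyed MD5 of the PAC, whereas with a full checksum it covers the group list itself, so a colliding server checksum no longer carries a different SID list past the KDC.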
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.15.13, 4.16.8 and 4.17.4 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)
This issue can be worked around by disabling delegation for services
that are not fully trusted, or by securing these services to the same
standard as the DC itself.
Note that this patch introduces a flag day: there is no partial
rollout of this feature (unlike KrbtgtFullPacSignature in Microsoft
Windows[2]), so service tickets issued prior to the update will be
rejected as evidence tickets for Kerberos constrained delegation.
While Kerberos constrained delegation (S4U2Proxy) is not an often-used
feature with Samba AD DCs, setting a 1 hour ticket lifetime:
kdc:service_ticket_lifetime = 1
and waiting for any existing tickets to expire would reduce the number
of tickets that are not accepted. Also ensure all DCs are upgraded
around the same time, because a ticket issued by a pre-upgrade DC will
not be accepted by an upgraded DC for Kerberos constrained delegation.
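As an added example (not Samba's own tooling and not from this advisory), the following Python script turns the upgrade and flag-day guidance above into a pre-upgrade readiness check: it classifies each DC in an inventory against the fixed releases named in this advisory, flags a mixed fleet in which tickets from a not-yet-upgraded DC would be rejected by an upgraded one, and confirms whether kdc:service_ticket_lifetime has been reduced to 1 hour in smb.conf. The inventory, hostnames and smb.conf text are constructed sample input; treating release series newer than 4.17 as fixed and older than 4.15 as unfixed, and accepting underscore, space or hyphen spellings of the parameter name, are assumptions.

```python
import re

# Fixed releases named in the advisory, keyed by release series.
FIXED_RELEASES = {(4, 15): (4, 15, 13), (4, 16): (4, 16, 8), (4, 17): (4, 17, 4)}


def parse_version(text: str) -> tuple:
    """Extract (major, minor, patch) from strings such as 'Version 4.16.5-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no Samba version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def has_fix(version: tuple) -> bool:
    """True when this version carries the patch. Series newer than 4.17 are
    assumed to include it; series older than 4.15 received no security
    release and are treated as unfixed (assumption)."""
    series = version[:2]
    if series in FIXED_RELEASES:
        return version >= FIXED_RELEASES[series]
    return series > (4, 17)


# Accepts the spelling used in the advisory (underscores) as well as spaces or hyphens.
_LIFETIME_RE = re.compile(
    r"^\s*kdc\s*:\s*service[ _-]?ticket[ _-]?lifetime\s*=\s*(\d+)", re.I | re.M)


def service_ticket_lifetime_hours(smb_conf: str):
    """Return the configured kdc:service_ticket_lifetime in hours, or None if unset."""
    m = _LIFETIME_RE.search(smb_conf)
    return int(m.group(1)) if m else None


def readiness_report(inventory: dict, smb_conf: str) -> dict:
    """inventory maps DC hostname -> version string as printed by `samba -V`."""
    unfixed = sorted(h for h, v in inventory.items() if not has_fix(parse_version(v)))
    fixed = sorted(h for h in inventory if h not in unfixed)
    lifetime = service_ticket_lifetime_hours(smb_conf)
    return {
        "fixed_dcs": fixed,
        "unfixed_dcs": unfixed,
        # Tickets issued by an unfixed DC are rejected by a fixed DC for S4U2Proxy,
        # so a mixed fleet is exactly the state the advisory says to avoid.
        "mixed_fleet": bool(fixed) and bool(unfixed),
        "service_ticket_lifetime_hours": lifetime,
        "lifetime_reduced_to_1h": lifetime == 1,
    }


# Constructed sample input (not real hosts or configuration).
SAMPLE_INVENTORY = {
    "dc1.example.test": "Version 4.17.4",
    "dc2.example.test": "Version 4.16.5-Debian",
    "dc3.example.test": "Version 4.15.13",
}
SAMPLE_SMB_CONF = """\
[global]
    realm = EXAMPLE.TEST
    server role = active directory domain controller
    kdc:service_ticket_lifetime = 1
"""

if __name__ == "__main__":
    for key, value in readiness_report(SAMPLE_INVENTORY, SAMPLE_SMB_CONF).items():
        print(f"{key}: {value}")
```

On the sample input the report lists dc2 as unfixed and the fleet as mixed, which is the signal to hold the rollout until every DC is on a fixed release; once no DC is unfixed and the lifetime has been at 1 hour for longer than the old ticket lifetime, outstanding pre-upgrade service tickets have expired.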
[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967
[2] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb
Originally reported to Microsoft by Tom Tervoort of Secura.
Advisory written by Andrew Bartlett of Catalyst and the Samba Team.
Patches provided by Joseph Sutton of Catalyst and the Samba Team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team