Kerberos constrained delegation ticket

Description

Kerberos constrained delegation, known also as S4U2Proxy, requires
that the intermediate service present to the KDC a valid Kerberos
ticket (including the PAC) obtained by the user as evidence that they
had authenticated, so that a new ticket can be issued for the target
server.

The Kerberos PAC is signed in multiple stages, but the important
protection of the SID list (list of user groups) in the PAC is done
first with the server’s key, and then with the krbtgt key over that
result.

However the rc4-hmac cipher as implemented in Kerberos is weak in
2022, for two reasons:

• The implementation in Kerberos is HMAC-MD5(MD5(DATA),KEY), meaning
  that the attack on the PAC can be done using the chosen-prefix
  techinques for MD5 without knowing the key

• The intermediate server knows its own password (the key used in the
  HMAC-MD5 step) and can set it to arbitrary values.

It is therefore feasible to brute force a new server checksum that
matches the value already signed by the krbtgt key, but including a
privileged group in the PAC.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.15.13, 4.16.8 and 4.17.4 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

Workaround and notes

This issue can be worked around by disable delegation for services
that are not fully trusted, or securing these services to the same
standard as the DC itself.

Note that this patch introduces a flag day, there is no partial
rollout of this feature (unlike KrbtgtFullPacSignature in Microsoft
Windows[2]), so service tickets issued prior to the update will be
rejected as evidence tickets for Kerberos constrained delegation.

While Kerberos constrained delegation (S4U2Proxy) is not a often-used
feature with Samba AD DCs, setting a 1 hour ticket lifetime:

kdc:service_ticket_lifetime = 1

and waiting for any existing tickets to expire would reduce the number
of tickets that are not accepted. Also ensure all DCs are upgraded
around the same time, as if a ticket is issued by a pre-upgrade DC it
will not be accepted by a new DC for Kerberos constrained Delegation.

References

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967
[2] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

Credits

Originally reported to Microsoft by Tom Tervoort of Secura.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Joseph Sutton of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team