Samba Security: SAMBA:CVE-2022-37967
Dec 15, 2022

Kerberos constrained delegation ticket

Published: 2022-12-15 00:00:00
Source: Samba Security (www.samba.org)
Tags: kerberos, delegation, s4u2proxy, rc4-hmac, samba, security, patch, cve-2022-37967, microsoft, vulnerability

CVSS3: 7.2
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: HIGH
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: HIGH
Availability Impact: HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

EPSS: 0.058
Percentile: 93.6%

Description

Kerberos constrained delegation, known also as S4U2Proxy, requires
that the intermediate service present to the KDC a valid Kerberos
ticket (including the PAC) obtained by the user as evidence that they
had authenticated, so that a new ticket can be issued for the target
server.

The Kerberos PAC is signed in multiple stages, but the important
protection of the SID list (list of user groups) in the PAC is done
first with the server’s key, and then with the krbtgt key over that
result.

However, the rc4-hmac cipher as implemented in Kerberos is weak in
2022, for two reasons:

  • The implementation in Kerberos is HMAC-MD5(MD5(DATA),KEY), meaning
    that the attack on the PAC can be done using the chosen-prefix
    techniques for MD5 without knowing the key.

  • The intermediate server knows its own password (the key used in the
    HMAC-MD5 step) and can set it to arbitrary values.

It is therefore feasible to brute force a new server checksum that
matches the value already signed by the krbtgt key, but including a
privileged group in the PAC.
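As an added illustration of the first bullet above (example code, not part of the Samba advisory or of Samba's own code), the Python below implements the rc4-hmac checksum as RFC 4757 defines it and shows that the keyed step only ever sees the unkeyed MD5 of the signed data, so any two PAC bodies with the same MD5 carry the same checksum under every server key; the keyed-first contrast function is a simplified stand-in, not a Kerberos enctype, and the PAC body and keys are constructed sample values.

```python
import hashlib
import hmac

# Key usage number for PAC signatures (KERB_NON_KERB_CKSUM_SALT, MS-PAC).
PAC_USAGE = 17


def inner_md5(usage: int, data: bytes) -> bytes:
    """Unkeyed MD5 of the 4-byte little-endian usage followed by the data."""
    return hashlib.md5(usage.to_bytes(4, "little") + data).digest()


def rc4_hmac_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """Kerberos rc4-hmac checksum as defined in RFC 4757, section 4.

    Ksign  = HMAC-MD5(K, "signaturekey\\0")
    tmp    = MD5(T || data)           # T = 4-byte little-endian usage
    CHKSUM = HMAC-MD5(Ksign, tmp)
    The data is collapsed into an unkeyed digest before the key is used:
    the structural weakness the advisory's first bullet describes.
    """
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    return hmac.new(ksign, inner_md5(usage, data), hashlib.md5).digest()


def checksum_from_inner_digest(key: bytes, digest: bytes) -> bytes:
    """Recompute the checksum from only the 16-byte MD5(T || data).

    The original data is not needed, so two PAC bodies with the same MD5
    carry the same checksum under every key the verifier might hold.
    """
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    return hmac.new(ksign, digest, hashlib.md5).digest()


def keyed_first_checksum(key: bytes, usage: int, data: bytes) -> bytes:
    """Contrast (simplified stand-in, not a Kerberos enctype): a MAC whose
    key enters before any hashing, so no key-independent intermediate
    digest exists for an offline collision search to target."""
    msg = usage.to_bytes(4, "little") + data
    return hmac.new(key, msg, hashlib.sha256).digest()


def verify(key: bytes, usage: int, data: bytes, checksum: bytes) -> bool:
    """Constant-time check of an rc4-hmac checksum over the given data."""
    return hmac.compare_digest(rc4_hmac_checksum(key, usage, data), checksum)


# Constructed sample: a fake PAC body and two 16-byte keys standing in for
# the service account's NT hash (the real rc4-hmac key).
SAMPLE_PAC = b"constructed PAC body containing the SID list"
KEY_A = hashlib.md5(b"constructed server key A").digest()
KEY_B = hashlib.md5(b"constructed server key B").digest()
```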

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.15.13, 4.16.8 and 4.17.4 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

Workaround and notes

This issue can be worked around by disabling delegation for services
that are not fully trusted, or by securing these services to the same
standard as the DC itself.

Note that this patch introduces a flag day: there is no partial
rollout of this feature (unlike KrbtgtFullPacSignature in Microsoft
Windows[2]), so service tickets issued prior to the update will be
rejected as evidence tickets for Kerberos constrained delegation.

While Kerberos constrained delegation (S4U2Proxy) is not an often-used
feature with Samba AD DCs, setting a 1 hour ticket lifetime:

kdc:service_ticket_lifetime = 1

and waiting for any existing tickets to expire would reduce the number
of tickets that are not accepted. Also ensure all DCs are upgraded
around the same time, since a ticket issued by a pre-upgrade DC will
not be accepted by an upgraded DC for Kerberos constrained delegation.

References

[1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-37967
[2] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

Credits

Originally reported to Microsoft by Tom Tervoort of Secura.

Advisory written by Andrew Bartlett of Catalyst and the Samba Team.

Patches provided by Joseph Sutton of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
