
1491 matches found

Github Security Blog
added 2022/12/22 3:33 a.m., 41 views

jsonwebtoken's insecure implementation of key retrieval function could lead to Forgeable Public/Private Tokens from RSA to HMAC

Overview: Versions <=8.5.1 of the jsonwebtoken library can be misconfigured so that passing a poorly implemented key retrieval function, referring to the secretOrPublicKey argument from the readme link, will result in incorrect verification of tokens. There is a possibility of using a different algorithm...

CVSS 6.3 · AI score 1.9 · EPSS 0.0006
Exploits 0 · References 6 · Affected Software 1
OpenVAS
added 2022/12/19 12:00 a.m., 28 views

Samba Multiple Vulnerabilities (Dec 2022)

Samba is prone to multiple vulnerabilities. Copyright (C) 2022 Greenbone Networks GmbH. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-or-later. This program is free software; you can...

CVSS 8.1 · AI score 8.1 · EPSS 0.02981
Exploits 0 · References 3
The Hacker News
added 2022/12/17 6:54 a.m., 89 views

Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities

Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems. The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in...

CVSS 9.8 · AI score 3 · EPSS 0.02981
Exploits 0
Tenable Nessus
added 2022/12/17 12:00 a.m., 43 views

Slackware Linux 15.0 / current samba Multiple Vulnerabilities (SSA:2022-351-01)

The version of samba installed on the remote host is prior to 4.15.13 / 4.17.4. It is, therefore, affected by multiple vulnerabilities as referenced in the SSA:2022-351-01 advisory. - Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022...

CVSS 9.8 · AI score 7.3 · EPSS 0.02981
Exploits 0 · References 4
RedhatCVE
added 2022/12/16 6:05 p.m., 58 views

CVE-2022-45141

Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022, and per RFC8429 it is assumed that rc4-hmac is weak, vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption...

CVSS 8.1 · AI score 2.8 · EPSS 0.0067
Exploits 0 · References 4
RedhatCVE
added 2022/12/16 6:05 p.m., 65 views

CVE-2022-38023

A flaw was found in samba. The Netlogon RPC implementations may use the rc4-hmac encryption algorithm, which is considered weak and should be avoided even if the client supports more modern encryption types. This issue could allow an attacker who knows the plain text content communicated between...

CVSS 8.1 · AI score 8 · EPSS 0.00464
Exploits 0 · References 4
RedhatCVE
added 2022/12/16 4:00 p.m., 39 views

CVE-2022-37966

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability...

CVSS 8.1 · AI score 4.2 · EPSS 0.01378
Exploits 0 · References 4
UbuntuCve
added 2022/12/16 12:00 a.m., 49 views

CVE-2022-45141

Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022, and per RFC8429 it is assumed that rc4-hmac is weak, vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption...

CVSS 9.8 · AI score 6.9 · EPSS 0.0067
Exploits 0 · References 6
CNNVD
added 2022/12/16 12:00 a.m., 1 view

Samba encryption issue vulnerability

Samba is the standard Windows interoperability program suite for Linux and Unix. A security vulnerability exists in samba versions prior to 4.15.13 and versions prior to 4.16.8, which stems from the fact that a Samba AD DC using Heimdal can be forced to issue Kerberos tickets...

CVSS 9.8 · AI score 6.8 · EPSS 0.0067
Exploits 0 · References 7
Samba
added 2022/12/15 12:00 a.m., 119 views

RC4/HMAC-MD5 NetLogon Secure Channel is weak and should be avoided

Description: This is Samba's response to Microsoft's CVE-2022-3802312. Following RFC8429, and as has been published for CVE-2022-3938, rc4-hmac (also known as arcfour-hmac-md5) cryptography in Kerberos is weak; it then follows that the RC4 mode in the NETLOGON Secure Channel DCE/RPC bulk encryption i...

CVSS 8.1 · AI score 7.4 · EPSS 0.00464
Exploits 0
Samba
added 2022/12/15 12:00 a.m., 42 views

Kerberos constrained delegation ticket

Description: Kerberos constrained delegation, also known as S4U2Proxy, requires that the intermediate service present to the KDC a valid Kerberos ticket, including the PAC obtained by the user, as evidence that the user has authenticated, so that a new ticket can be issued for the target server. The...

CVSS 7.2 · AI score 0.1 · EPSS 0.02981
Exploits 0
Samba
added 2022/12/15 12:00 a.m., 64 views

rc4-hmac Kerberos session keys issued

Description: Kerberos, the trusted third-party authentication system at the heart of Active Directory, issues a session key known to the target server and the client, encrypted to both parties in a TGS-REP. The key algorithm chosen here is then used for the subsequent signed or encrypted...

CVSS 8.1 · AI score 8.7 · EPSS 0.01378
Exploits 0
Oracle linux
added 2022/11/22 12:00 a.m., 27 views

dhcp security and enhancement update

12:4.4.2-17.b1 - omshell: add support for hmac-sha512 algorithm 2083553 12:4.4.2-16.b1 - Fix for CVE-2021-25220...

CVSS 6.8 · AI score 1.2 · EPSS 0.00081
Exploits 0
OSV
added 2022/11/09 10:15 p.m., 1 view

DEBIAN-CVE-2022-37966

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability...

CVSS 8.1 · AI score 6.9 · EPSS 0.01378
Exploits 0 · References 1
ATTACKERKB
added 2022/11/09 10:15 p.m., 1 view

CVE-2022-37966

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability...

CVSS 8.1 · AI score 7.3 · EPSS 0.01378
Exploits 0 · References 7
CVE
added 2022/11/09 12:00 a.m., 472 views

CVE-2022-37966

CVE-2022-37966 is the Windows Kerberos RC4-HMAC Elevation of Privilege vulnerability. Reports in Samba advisories identify this CVE as affecting Samba deployments (e.g., Samba AD DC/members) where RC4-HMAC could be used for Kerberos tickets, allowing elevated access. Remediation focuses on applyi...

CVSS 8.1 · AI score 8.5 · EPSS 0.01378
Exploits 0 · References 2 · Affected Software 5
Vulnrichment
added 2022/11/09 12:00 a.m., 18 views

CVE-2022-37966 Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability

...

CVSS 8.1 · AI score 7 · EPSS 0.01378
Exploits 0 · References 1
Microsoft CVE
added 2022/11/08 8:00 a.m., 389 views

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability

...

CVSS 8.1 · AI score 8.1 · EPSS 0.01378
Exploits 0
Positive Technologies
added 2022/11/08 12:00 a.m., 3 views

PT-2022-5459 · Microsoft +7 · Windows Kerberos +9

Name of the Vulnerable Software and Affected Versions: Windows Kerberos versions prior to the update that addresses the RC4-HMAC vulnerability; Samba Active Directory DC, affected versions not specified. Description: The issue is related to the implementation of the Kerberos protocol in Windows...

CVSS 9.8 · AI score 8.1 · EPSS 0.94006
Exploits 13 · References 207
Positive Technologies
added 2022/11/08 12:00 a.m., 3 views

PT-2022-5501

Name of the Vulnerable Software and Affected Versions: Windows versions prior to the fixed version. Description: The issue is related to errors in the security settings of the Netlogon Remote Protocol (MS-NRPC) implementation in Windows operating systems. This allows a remote attacker to elevate their...

CVSS 9.8 · AI score 8.2 · EPSS 0.10832
Exploits 2 · References 137