Bug 1403114 (CVE-2016-2125)

Summary: CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asn, gdeschner, jarrpa, kbost, madam, sbose, scott.a.nicholas4.ctr, security-response-team, sisharma, ssaha, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.5.3, samba 4.4.8, samba 4.3.13 Doc Type: If docs needed, set a value
Doc Text:
It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-06-08 03:04:03 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1405356, 1405358, 1405399, 1405984, 1435079, 1437741    
Bug Blocks: 1386080, 1392703, 1415638    

Description Huzaifa S. Sidhpurwala 2016-12-09 05:34:07 UTC 
As per upstream:

Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service.

The risks of impersonation of the client are similar to the well known risks from forwarding of NTLM credentials, with two important differences:
 - NTLM forwarding can and should be mitigated with packet signing
 - Kerberos forwarding can only be attempted after the trusted destination server decrypts the ticket.

Finally, it should be noted that typically the connections involved are either explicitly requested, or are between or to Domain Controllers already of ultimate privilege.
Comment 4 Siddharth Sharma 2016-12-19 12:36:03 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1405984]
Comment 5 Huzaifa S. Sidhpurwala 2016-12-20 03:21:08 UTC 
External Reference:

https://www.samba.org/samba/security/CVE-2016-2125.html
Comment 6 Huzaifa S. Sidhpurwala 2017-01-05 09:33:37 UTC 
Mitigation:

The following mitigation is suggested by upstream.

The samba-tool command and the AD DC mode honours the undocumented "gensec_gssapi:delegation=no" option in the [global] section of the smb.conf file.

Controlling Kerberos forwarding
===============================

In the Active Directory world it's possible for administrators to
limit the delegation. User and computer objects can both act as
Kerberos users and also as Kerberos services. Both types of objects have an
attribute called 'userAccountControl' which is a bitmask that controls the
behavior of the account. The following three values have impact on possible
delegation:

0x00100000: UF_NOT_DELEGATED:

The UF_NOT_DELEGATED can be used to disable the ability to get forwardable TGT
for the account. It means the KDC will respond with an error if the client asks
for the forwardable ticket.  The client typically gives up and removes the
GSS_C_DELEG_FLAG flag and continues without passing delegated credentials.
Administrators can use this to disable possible delegation for the most
privileged accounts (e.g. administrator accounts).

0x00080000: UF_TRUSTED_FOR_DELEGATION

If the UF_TRUSTED_FOR_DELEGATION is set on an account a KDC will include the
OK_AS_DELEGATE flag in a granted service ticket. If the client application
uses just GSS_C_DELEG_POLICY_FLAG (instead of GSS_C_DELEG_FLAG) gssapi/Kerberos
libraries typically only include delegated credentials when the service ticket
includes the OK_AS_DELEGATE flag.  Administrators can use this to control which
services will get delegated credentials, for example if the service runs in a
trusted environment and actually requires the presence of delegated
credentials.

0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

The UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is not really relevant for this
CVE and just listed here for completeness. This flag is relevant for the
S4U2Proxy feature, where a service can ask the KDC for a proxied service
ticket which can impersonate users to other services.
Comment 8 errata-xmlrpc 2017-03-21 10:15:17 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0662 https://rhn.redhat.com/errata/RHSA-2017-0662.html
Comment 9 errata-xmlrpc 2017-03-21 11:25:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0744 https://rhn.redhat.com/errata/RHSA-2017-0744.html
Comment 10 errata-xmlrpc 2017-03-23 05:12:40 UTC 
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 6

Via RHSA-2017:0494 https://rhn.redhat.com/errata/RHSA-2017-0494.html
Comment 12 errata-xmlrpc 2017-03-23 05:20:27 UTC 
This issue has been addressed in the following products:

   	Red Hat Gluster Storage 3.2 for RHEL 7

Via RHSA-2017:0495 https://rhn.redhat.com/errata/RHSA-2017-0495.html
Comment 14 errata-xmlrpc 2017-05-22 10:26:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1265 https://access.redhat.com/errata/RHSA-2017:1265