Bug 1705877 (CVE-2018-16860)

Summary: CVE-2018-16860 samba: S4U2Self with unkeyed checksum
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, abo, anoopcs, asn, bmcclain, dblechte, dfediuck, eedri, gdeschner, jarrpa, jblaine, jstephen, ktdreyer, lmohanty, madam, mgoldboi, michal.skrivanek, rhs-smb, sankarshan, sbonazzo, sbose, security-response-team, sherold, sisharma, smohan, ssaha, ssorce, vbellur, yozone, yturgema
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Samba 4.8.12, Samba 4.9.8, Samba 4.10.3 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in samba's Heimdal KDC implementation when used in AD DC mode. A man in the middle attacker could use this flaw to intercept the request to the KDC and replace the user name (principal) in the request with any desired user name (principal) that exists in the KDC effectively obtaining a ticket for that principal.
 Story Points: ---
Clone Of: Environment:
Last Closed: 2019-05-14 09:43:06 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1709679, 1709680, 1709681    
Bug Blocks: 1705878    

Description Huzaifa S. Sidhpurwala 2019-05-03 06:11:06 UTC 
As per upstream advisory:

S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerboros parlance). This is useful to allow internal code paths to be standardized around Kerberos.

S4U2Proxy (constrained-delegation) is an extension of this mechanism allowing this impersonation to a second service over the network. It allows a   privileged server that obtained a S4U2Self ticket to itself to then assert the identity of that principal to a second service and present itself as that principal to get services from the second service.

There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal KDC checks the checksum that is placed on the S4U2Self packet by the server to protect the requested principal against modification, it does not confirm that the checksum algorithm that protects the user name (principal) in the request is keyed.  This allows a man-in-the-middle attacker who can intercept the request to the KDC to modify the packet by replacing the user name (principal) in the request with any desired user name (principal) that exists in the KDC and replace the checksum protecting that name with a CRC32 checksum (which requires no prior knowledge to compute).

This would allow a S4U2Self ticket requested on behalf of user name (principal) user to any service to be changed to a S4U2Self ticket with a user name (principal) of Administrator. This ticket would then contain the PAC of the modified user name (principal).
Comment 1 Huzaifa S. Sidhpurwala 2019-05-03 06:11:11 UTC 
Acknowledgments:

Name: Isaac Boukris and Andrew Bartlett (Samba Team and Catalyst)
Comment 2 Huzaifa S. Sidhpurwala 2019-05-03 06:47:58 UTC 
Upstream bug: https://bugzilla.samba.org/show_bug.cgi?id=13685
Comment 4 Dhananjay Arunesh 2019-05-14 07:06:47 UTC 
Doing unembargo:
This issue has been made public today(14/05/2019).
https://www.samba.org/samba/history/security.html
https://www.samba.org/samba/security/CVE-2018-16860.html
Comment 5 Dhananjay Arunesh 2019-05-14 07:10:05 UTC 
Created heimdal tracking bugs for this issue:

Affects: fedora-all [bug 1709680]


Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1709679]
Comment 6 Dhananjay Arunesh 2019-05-14 07:10:31 UTC 
Created heimdal tracking bugs for this issue:

Affects: epel-all [bug 1709681]
Comment 7 Huzaifa S. Sidhpurwala 2019-05-14 09:43:14 UTC 
External References:

https://www.samba.org/samba/security/CVE-2018-16860.html
Comment 8 Jeff Blaine 2019-06-17 16:38:10 UTC 
Hello - could someone explain why this is "NOTABUG" on RHEL and there is not a new Samba release being developed at RH to address this? There is no explanation in this ticket/issue or at any of the links in this ticket/issue. The official Red Hat statement (https://access.redhat.com/security/cve/cve-2018-16860) on this CVE is similarly vague and just says "RHEL 7 not affected".

Our security compliance team requires more information from us, ideally, than "RH says its Samba is not affected. No reason why." I told them that RHEL Samba links to MIT Kerberos not Heimdal and that *might* be the reasoning for it not being a bug in RHEL, but admitted I was just guessing...

Any further info would be very much appreciated.
Comment 9 Guenther Deschner 2019-06-17 17:41:13 UTC 
Jeff, we are not shipping a Heimdal KDC for or with Samba at all in any Red Hat product. 

We do build Samba's AD DC components only in Fedora and even there in Fedora we use a MIT Kerberos KDC, not the Heimdal KDC which is coming along with the Samba tarballs. Thus a flaw in the S4U2SELF implementation in a Heimdal KDC does not affect us at all.