Bug 1778589 (CVE-2019-14870)

Summary: CVE-2019-14870 samba: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC
Product: [Other] Security Response Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: abokovoy, anoopcs, asn, gdeschner, hvyas, iboukris, iboukris, jarrpa, jstephen, lmohanty, madam, puebele, rhs-smb, sbose, security-response-team, sisharma, ssorce, vbellur
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: samba 4.11.3, samba 4.10.11, samba 4.9.17 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2019-12-17 02:09:26 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1781545    
Bug Blocks: 1778587    

Description Huzaifa S. Sidhpurwala 2019-12-02 05:36:36 UTC 
As per upstream advisory:

The S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable.  In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable.

However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.

Note: while the experimental MIT AD-DC build does not support S4U, it should still be patched due to a related bug in regular authentication.
Comment 1 Huzaifa S. Sidhpurwala 2019-12-02 05:38:15 UTC 
Acknowledgments:

Name: the Samba project
Upstream: Isaac Boukris (Red Hat and Samba Team)
Comment 2 Huzaifa S. Sidhpurwala 2019-12-02 05:38:18 UTC 
Mitigation:

Only clients configured directly in LDAP or via a Windows tools could have been marked as sensitive and so have been expected to have this protection.  Therefore most Samba sites will not have been using this feature and so are not impacted either way.
Comment 3 Huzaifa S. Sidhpurwala 2019-12-02 15:29:32 UTC 
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.
Comment 4 Huzaifa S. Sidhpurwala 2019-12-10 09:06:31 UTC 
External References:

https://www.samba.org/samba/security/CVE-2019-14870.html
Comment 5 Huzaifa S. Sidhpurwala 2019-12-10 09:09:48 UTC 
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1781545]
Comment 6 Product Security DevOps Team 2019-12-17 02:09:26 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2019-14870