Bug 2166001

Summary: CVE-2022-37967: MS-PAC extended KDC signature [rawhide,f38]
Product: [Fedora] Fedora
Reporter: Julien Rische <jrische>
Component: krb5
Assignee: Julien Rische <jrische>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Priority: unspecified
Version: rawhide
CC: abokovoy, antorres, fdvorak, ftrivino, ipa-qe, jrische, j, sbose, ssorce
Keywords: Reopened, Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: krb5-1.20.1-9.fc39 krb5-1.21-2.fc38
Clone Of: 2165827
Last Closed: 2023-07-11 01:26:48 UTC
Type: Bug
Bug Depends On: 2165827, 2169477, 2182135

Description Julien Rische 2023-01-31 16:45:20 UTC
+++ This bug was initially created as a clone of Bug #2165827 +++

A paper by Tom Tervoort[1] noted that computing the PAC privsvr checksum over only the server checksum is vulnerable to collision attacks. In response, Microsoft has added a second KDC checksum over the full contents of the PAC[2].

This change will be required for PAC signatures to be accepted by AD from 2023-07-11[3].

[1] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
[2] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-20221212-diff.pdf
[3] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

--- Additional comment from Julien Rische on 2023-01-31 08:50:37 UTC ---

The fix is available upstream:
https://github.com/krb5/krb5/pull/1284
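
The checksum layering described in this report, as an added Python sketch (not krb5 code and not part of the original bug): the KDC checksum covers only the server checksum, while the extended KDC signature covers the PAC contents. The buffer encoding, the keys, the HMAC-SHA1-96 stand-in and the function names are assumptions, and the altered PAC that reuses the original checksums is a constructed stand-in for a server-checksum collision.

```python
import hashlib
import hmac

# MS-PAC buffer types (ulType) used below.
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07  # KDC checksum, computed over the server checksum only
PAC_FULL_CHECKSUM = 0x13     # extended KDC signature, computed over the PAC contents
SIG_TYPES = (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM, PAC_FULL_CHECKSUM)

def mac(key, data):
    # Assumption: HMAC-SHA1 truncated to 96 bits stands in for the Kerberos checksum type.
    return hmac.new(key, data, hashlib.sha1).digest()[:12]

def covered_bytes(pac):
    # Assumption: simplified encoding of every non-signature buffer, in type order.
    return b"".join(t.to_bytes(4, "little") + len(v).to_bytes(4, "little") + v
                    for t, v in sorted(pac.items()) if t not in SIG_TYPES)

def sign_pac(buffers, server_key, kdc_key, with_full=True):
    pac = {t: v for t, v in buffers.items() if t not in SIG_TYPES}
    pac[PAC_SERVER_CHECKSUM] = mac(server_key, covered_bytes(pac))
    pac[PAC_PRIVSVR_CHECKSUM] = mac(kdc_key, pac[PAC_SERVER_CHECKSUM])
    if with_full:
        pac[PAC_FULL_CHECKSUM] = mac(kdc_key, covered_bytes(pac))
    return pac

def kdc_verify(pac, kdc_key, require_full):
    """Checks the KDC can make with its own key; the service key is not needed."""
    server_sig = pac.get(PAC_SERVER_CHECKSUM, b"")
    kdc_ok = hmac.compare_digest(pac.get(PAC_PRIVSVR_CHECKSUM, b""), mac(kdc_key, server_sig))
    full = pac.get(PAC_FULL_CHECKSUM)
    if full is None:
        return kdc_ok and not require_full  # legacy PAC: compatibility mode only
    return kdc_ok and hmac.compare_digest(full, mac(kdc_key, covered_bytes(pac)))

def demo():
    # Constructed inputs; 'altered' reuses the checksums, standing in for a collision.
    server_key, kdc_key = b"constructed-service-key", b"constructed-krbtgt-key"
    buffers = {PAC_LOGON_INFO: b"user=alice groups=users"}
    altered = {PAC_LOGON_INFO: b"user=alice groups=operators"}
    legacy = sign_pac(buffers, server_key, kdc_key, with_full=False)
    current = sign_pac(buffers, server_key, kdc_key)
    return {
        "legacy_altered_compat": kdc_verify({**legacy, **altered}, kdc_key, False),
        "legacy_altered_enforced": kdc_verify({**legacy, **altered}, kdc_key, True),
        "current_altered": kdc_verify({**current, **altered}, kdc_key, False),
        "current_intact": kdc_verify(current, kdc_key, True),
    }
```

In `demo()`, the legacy check passes for the altered contents because the KDC key never touches them; the full checksum fails for the same contents, and requiring it rejects PACs that lack the buffer.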

Comment 1 Ben Cotton 2023-02-07 15:13:21 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 2 Fedora Update System 2023-02-13 19:27:54 UTC
FEDORA-2023-43f5d964df has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-43f5d964df

Comment 3 Fedora Update System 2023-02-13 19:45:14 UTC
FEDORA-2023-43f5d964df has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 4 Julien Rische 2023-02-14 10:07:35 UTC
This update will be backported to Fedora 38, 37, and 36.

Comment 5 Julien Rische 2023-06-12 14:48:10 UTC
Fedora pull request:
https://src.fedoraproject.org/rpms/krb5/pull-request/36

Comment 6 Fedora Update System 2023-06-13 13:41:14 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 7 Fedora Update System 2023-06-13 13:55:24 UTC
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If the problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2023-07-10 08:51:54 UTC
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29

Comment 9 Fedora Update System 2023-07-11 01:26:48 UTC
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository.
If the problem still persists, please make note of it in this bug report.