Bug 1403114 (CVE-2016-2125) - CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers in trusted realms
Summary: CVE-2016-2125 samba: Unconditional privilege delegation to Kerberos servers i...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2016-2125
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard: impact=moderate,public=20161219,repor...
Depends On: 1405356 1405358 1405399 1405984 1435079 1437741
Blocks: 1386080 1392703 1415638
TreeView+ depends on / blocked
 
Reported: 2016-12-09 05:34 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-06-11 11:13 UTC (History)
11 users (show)

Fixed In Version: samba 4.5.3, samba 4.4.8, samba 4.3.13
Doc Type: If docs needed, set a value
Doc Text:
It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users.
Clone Of:
Environment:
Last Closed: 2019-06-08 03:04:03 UTC


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2017:0494 normal SHIPPED_LIVE Moderate: Red Hat Gluster Storage 3.2.0 samba security, bug fixes and enhancement update 2017-03-23 09:06:59 UTC
Red Hat Product Errata RHSA-2017:0495 normal SHIPPED_LIVE Moderate: Red Hat Gluster Storage 3.2.0 samba security, bug fixes and enhancement update 2017-03-23 09:18:26 UTC
Red Hat Product Errata RHSA-2017:0662 normal SHIPPED_LIVE Moderate: samba security and bug fix update 2017-03-21 12:34:11 UTC
Red Hat Product Errata RHSA-2017:0744 normal SHIPPED_LIVE Moderate: samba4 security and bug fix update 2017-03-21 12:44:53 UTC
Red Hat Product Errata RHSA-2017:1265 normal SHIPPED_LIVE Moderate: samba security and bug fix update 2017-05-22 14:25:41 UTC

Description Huzaifa S. Sidhpurwala 2016-12-09 05:34:07 UTC
As per upstream:

Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service.

The risks of impersonation of the client are similar to the well known risks from forwarding of NTLM credentials, with two important differences:
 - NTLM forwarding can and should be mitigated with packet signing
 - Kerberos forwarding can only be attempted after the trusted destination server decrypts the ticket.

Finally, it should be noted that typically the connections involved are either explicitly requested, or are between or to Domain Controllers already of ultimate privilege.

Comment 4 Siddharth Sharma 2016-12-19 12:36:03 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1405984]

Comment 5 Huzaifa S. Sidhpurwala 2016-12-20 03:21:08 UTC
External Reference:

https://www.samba.org/samba/security/CVE-2016-2125.html

Comment 6 Huzaifa S. Sidhpurwala 2017-01-05 09:33:37 UTC
Mitigation:

The following mitigation is suggested by upstream.

The samba-tool command and the AD DC mode honours the undocumented "gensec_gssapi:delegation=no" option in the [global] section of the smb.conf file.

Controlling Kerberos forwarding
===============================

In the Active Directory world it's possible for administrators to
limit the delegation. User and computer objects can both act as
Kerberos users and also as Kerberos services. Both types of objects have an
attribute called 'userAccountControl' which is a bitmask that controls the
behavior of the account. The following three values have impact on possible
delegation:

0x00100000: UF_NOT_DELEGATED:

The UF_NOT_DELEGATED can be used to disable the ability to get forwardable TGT
for the account. It means the KDC will respond with an error if the client asks
for the forwardable ticket.  The client typically gives up and removes the
GSS_C_DELEG_FLAG flag and continues without passing delegated credentials.
Administrators can use this to disable possible delegation for the most
privileged accounts (e.g. administrator accounts).

0x00080000: UF_TRUSTED_FOR_DELEGATION

If the UF_TRUSTED_FOR_DELEGATION is set on an account a KDC will include the
OK_AS_DELEGATE flag in a granted service ticket. If the client application
uses just GSS_C_DELEG_POLICY_FLAG (instead of GSS_C_DELEG_FLAG) gssapi/Kerberos
libraries typically only include delegated credentials when the service ticket
includes the OK_AS_DELEGATE flag.  Administrators can use this to control which
services will get delegated credentials, for example if the service runs in a
trusted environment and actually requires the presence of delegated
credentials.

0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION

The UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION is not really relevant for this
CVE and just listed here for completeness. This flag is relevant for the
S4U2Proxy feature, where a service can ask the KDC for a proxied service
ticket which can impersonate users to other services.

Comment 8 errata-xmlrpc 2017-03-21 10:15:17 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0662 https://rhn.redhat.com/errata/RHSA-2017-0662.html

Comment 9 errata-xmlrpc 2017-03-21 11:25:20 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 6

Via RHSA-2017:0744 https://rhn.redhat.com/errata/RHSA-2017-0744.html

Comment 10 errata-xmlrpc 2017-03-23 05:12:40 UTC
This issue has been addressed in the following products:

  Red Hat Gluster Storage 3.2 for RHEL 6

Via RHSA-2017:0494 https://rhn.redhat.com/errata/RHSA-2017-0494.html

Comment 12 errata-xmlrpc 2017-03-23 05:20:27 UTC
This issue has been addressed in the following products:

   	Red Hat Gluster Storage 3.2 for RHEL 7

Via RHSA-2017:0495 https://rhn.redhat.com/errata/RHSA-2017-0495.html

Comment 14 errata-xmlrpc 2017-05-22 10:26:00 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2017:1265 https://access.redhat.com/errata/RHSA-2017:1265


Note You need to log in before you can comment on or make changes to this bug.