Bug 2166001 - CVE-2022-37967: MS-PAC extended KDC signature [rawhide,f38]
Summary: CVE-2022-37967: MS-PAC extended KDC signature [rawhide,f38]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Julien Rische
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2165827 2169477 2182135
Blocks:
TreeView+ depends on / blocked
 
Reported: 2023-01-31 16:45 UTC by Julien Rische
Modified: 2023-07-11 01:26 UTC (History)
9 users (show)

Fixed In Version: krb5-1.20.1-9.fc39 krb5-1.21-2.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2165827
Environment:
Last Closed: 2023-07-11 01:26:48 UTC
Type: Bug
Embargoed:


Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Fedora Package Sources krb5 pull-request 36 0 None None None 2023-06-12 14:48:10 UTC
Red Hat Issue Tracker FREEIPA-9393 0 None None None 2023-01-31 16:45:49 UTC

Description Julien Rische 2023-01-31 16:45:20 UTC
+++ This bug was initially created as a clone of Bug #2165827 +++

A paper by Tom Tervoort[1] noted that computing the PAC privsvr checksum over only the server checksum is vulnerable to collision attacks. In response, Microsoft has added a second KDC checksum over the full contents of the PAC[2].

This change will be required for PAC signatures to be accepted by AD from the 2023-07-11[3].

[1] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
[2] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-20221212-diff.pdf
[3] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

--- Additional comment from Julien Rische on 2023-01-31 08:50:37 UTC ---

The fix is available upstream:
https://github.com/krb5/krb5/pull/1284

Comment 1 Ben Cotton 2023-02-07 15:13:21 UTC
This bug appears to have been reported against 'rawhide' during the Fedora Linux 38 development cycle.
Changing version to 38.

Comment 2 Fedora Update System 2023-02-13 19:27:54 UTC
FEDORA-2023-43f5d964df has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-43f5d964df

Comment 3 Fedora Update System 2023-02-13 19:45:14 UTC
FEDORA-2023-43f5d964df has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Julien Rische 2023-02-14 10:07:35 UTC
This update will be backported to Fedora 38, 37, and 36.

Comment 5 Julien Rische 2023-06-12 14:48:10 UTC
Fedora pull request:
https://src.fedoraproject.org/rpms/krb5/pull-request/36

Comment 6 Fedora Update System 2023-06-13 13:41:14 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 7 Fedora Update System 2023-06-13 13:55:24 UTC
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 8 Fedora Update System 2023-07-10 08:51:54 UTC
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29

Comment 9 Fedora Update System 2023-07-11 01:26:48 UTC
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.