Bug 2169477 - CVE-2022-37967: MS-PAC extended KDC signature [rhel-8]
Summary: CVE-2022-37967: MS-PAC extended KDC signature [rhel-8]
Keywords:
Status: VERIFIED
Alias: None
Product: Red Hat Enterprise Linux 8
Classification: Red Hat
Component: krb5
Version: 8.7
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Julien Rische
QA Contact: Michal Polovka
URL:
Whiteboard:
Depends On: 2165827
Blocks: 2176406 2166001 2182135 2211390
Reported: 2023-02-13 17:15 UTC by Julien Rische
Modified: 2023-07-17 10:03 UTC

Fixed In Version: krb5-1.18.2-25.el8_8
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2165827
: 2182135 2211390
Environment:
Last Closed:
Type: Bug
Target Upstream Version:
Embargoed:
jrische: needinfo-


Links
System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Issue Tracker | FREEIPA-9452 | 0 | None | None | None | 2023-02-13 17:19:47 UTC
Red Hat Issue Tracker | RHELPLAN-148510 | 0 | None | None | None | 2023-02-13 17:19:56 UTC

Description Julien Rische 2023-02-13 17:15:58 UTC
+++ This bug was initially created as a clone of Bug #2165827 +++

A paper by Tom Tervoort[1] noted that computing the PAC privsvr checksum over only the server checksum is vulnerable to collision attacks. In response, Microsoft has added a second KDC checksum over the full contents of the PAC[2].

This change will be required for PAC signatures to be accepted by AD from 2023-07-11 [3].

[1] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
[2] https://winprotocoldoc.blob.core.windows.net/productionwindowsarchives/MS-PAC/%5bMS-PAC%5d-20221212-diff.pdf
[3] https://support.microsoft.com/en-us/topic/kb5020805-how-to-manage-kerberos-protocol-changes-related-to-cve-2022-37967-997e9acc-67c5-48e1-8d0d-190269bf4efb

--- Additional comment from Julien Rische on 2023-01-31 08:50:37 UTC ---

The fix is available upstream:
https://github.com/krb5/krb5/pull/1284

