Bug 2181311 - Make ticket signature optional during PAC verification [rawhide,f38]
Summary: Make ticket signature optional during PAC verification [rawhide,f38]
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: krb5
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Julien Rische
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On: 2178298
Blocks:
Reported: 2023-03-23 16:22 UTC by Julien Rische
Modified: 2023-07-11 01:27 UTC (History)

Fixed In Version: krb5-1.21-2.fc38
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 2178298
Environment:
Last Closed: 2023-07-11 01:27:00 UTC
Type: Bug
Embargoed:




Links:
  Fedora Package Sources: krb5 pull-request 36 (last updated 2023-06-12 14:47:40 UTC)
  Red Hat Issue Tracker: FREEIPA-9589 (last updated 2023-03-23 16:24:13 UTC)

Description Julien Rische 2023-03-23 16:22:03 UTC
+++ This bug was initially created as a clone of Bug #2178298 +++

As a response to the Kerberos Bronze Bit vulnerability (CVE-2020-17049), Microsoft added a "ticket signature" buffer to the PAC[1]. The presence of this signature is not required for AD to accept the PAC[2]. However, the MIT krb5 implementation[3] in 1.20.1 requires it to be present[4] when the target is a service principal and the KDC verifies an S4U2Proxy TGS-REQ.

This is an issue for gradual upgrades. Let's consider this setup:

* "alice" user
* RHEL8 IPA server "rhel8.ipa.test" and RHEL9 "rhel9.ipa.test"
* Server "service1.ipa.test" and server "service2.ipa.test"

Alice wants to authenticate to service1.ipa.test. Alice's client is configured to use rhel8.ipa.test as its KDC, so she will obtain an alice->HTTP/service1.ipa.test ticket from rhel8.ipa.test without the ticket signature in the PAC.

service1.ipa.test is configured to use rhel9.ipa.test as its KDC. service1.ipa.test receives the alice->HTTP/service1.ipa.test ticket from Alice. This service needs to impersonate Alice to authenticate to service2.ipa.test in order to function. So it sends an S4U2Proxy TGS request for alice->nfs/service2.ipa.test using its own TGT and the alice->HTTP/service1.ipa.test ticket.

rhel9.ipa.test receives the S4U2Proxy TGS-REQ, but since it is running MIT krb5 1.20.1, it will try to verify the PAC ticket signature. Since this PAC was generated on RHEL8 with MIT krb5 1.18.2, the ticket signature is absent. This causes the TGS-REQ to fail.

This can be reproduced this way:

  # Configure rhel8.ipa.test as KDC in /etc/krb5.conf
  # Pre-authenticate as service1.ipa.test:
  kinit -kt service.keytab HTTP/service1.ipa.test
  # S4U2Self request against rhel8.ipa.test to mimic authentication of alice against service1.ipa.test:
  kvno -I alice HTTP/service1.ipa.test
  # Configure rhel9.ipa.test as KDC in /etc/krb5.conf
  # S4U2Proxy request against rhel9.ipa.test to impersonate alice as service1.ipa.test to service2.ipa.test:
  kvno -I alice -P -S nfs service2.ipa.test

This will result in the following error:

  kvno: KDC returned error string: 2ND_TKT_PAC nfs/service2.ipa.test@: constrained delegation failed

This is caused by the fact that the KDC fails to find the ticket signature buffer in the PAC:

  #0  verify_checksum.constprop.0 (context=0x56428d516a60, pac=<optimized out>, buffer_type=16, key=0x7ffc0e0d79a0, data=0x56428d594260, usage=17) at krb/pac.c:534
  #1  0x00007f72928bc3e2 in krb5_kdc_verify_ticket (context=context@entry=0x56428d516a60, enc_tkt=enc_tkt@entry=0x56428d51b840, server_princ=server_princ@entry=0x56428d61af00, server=server@entry=0x56428d594240, privsvr=privsvr@entry=0x7ffc0e0d79a0, pac_out=pac_out@entry=0x7ffc0e0d78f0) at krb/pac.c:707
  #2  0x000056428bcbeb90 in get_verified_pac (pac_out=0x7ffc0e0d78f0, tgt_key=0x7ffc0e0d79a0, tgt=0x56428d6196d0, server_key=0x56428d594240, sprinc=0x56428d61af00, enc_tkt=0x56428d51b840, context=0x56428d516a60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/kdc_util.c:548
  #3  get_verified_pac (context=0x56428d516a60, enc_tkt=0x56428d51b840, sprinc=0x56428d61af00, server_key=0x56428d594240, tgt=tgt@entry=0x56428d6196d0, tgt_key=tgt_key@entry=0x7ffc0e0d79a0, pac_out=0x7ffc0e0d78f0) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/kdc_util.c:530
  #4  0x000056428bcc291b in decrypt_2ndtkt (status=0x7ffc0e0d7930, key_out=<synthetic pointer>, server_out=<synthetic pointer>, pac_out=0x7ffc0e0d78f0, stkt_out=<synthetic pointer>, local_tgt_key=0x7ffc0e0d79a0, local_tgt=0x56428d6196d0, flags=0, req=<optimized out>, kdc_active_realm=0x56428d61ab60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/do_tgs_req.c:900
  #5  process_tgs_req (request=<optimized out>, pkt=pkt@entry=0x56428d4e04f0, from=from@entry=0x56428d623e20, kdc_active_realm=kdc_active_realm@entry=0x56428d61ab60, response=response@entry=0x7ffc0e0d7c60) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/do_tgs_req.c:292
  #6  0x000056428bcc5c5d in dispatch (cb=<optimized out>, local_addr=0x56428d4e04d8, remote_addr=0x56428d623e20, pkt=0x56428d4e04f0, is_tcp=1, vctx=0x56428d4e2a80, respond=0x56428bcca8a0 <process_tcp_response>, arg=0x56428d4e0440) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/dispatch.c:165
  #7  0x000056428bccaca4 in process_tcp_connection_read (ctx=0x56428d4e2a80, ev=<optimized out>) at ../lib/apputils/net-server.c:1362
  #8  0x00007f72928257fc in verto_fire () from /lib64/libverto.so.1
  #9  0x00007f72815cfd83 in ev_invoke_pending () from /lib64/libev.so.4
  #10 0x00007f72815d3830 in ev_run () from /lib64/libev.so.4
  #11 0x000056428bcb9fa6 in main (argc=<optimized out>, argv=<optimized out>) at /usr/src/debug/krb5-1.20.1-8.el9.x86_64/src/kdc/main.c:1043


[1] https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-pac/76c10ef5-de76-44bf-b208-0d8750fc2edd
[2] https://i.blackhat.com/EU-22/Thursday-Briefings/EU-22-Tervoort-Breaking-Kerberos-RC4-Cipher-and-Spoofing-Windows-PACs-wp.pdf
    Page 6, 1st paragraph
[3] https://github.com/krb5/krb5/pull/1225
[4] https://github.com/krb5/krb5/blob/krb5-1.20.1-final/src/lib/krb5/krb/pac.c#L690

--- Additional comment from Julien Rische on 2023-03-17 16:20:38 UTC ---

Upstream pull request:
https://github.com/krb5/krb5/pull/1295
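To make the failure mode above concrete, here is an added Python example (not code from the krb5 project, from the upstream pull request, or from this bug report). It parses the PACTYPE header and PAC_INFO_BUFFER array as laid out in MS-PAC, then applies the two policies the report contrasts: the krb5 1.20.1 behaviour, where an evidence ticket whose PAC lacks the ticket signature buffer (ulType 0x10, the `buffer_type=16` seen in the backtrace) is rejected, and the requested behaviour, where the signature is verified only if present and an older PAC without it is still accepted. The buffer type constants come from MS-PAC; the PAC payloads are constructed placeholders, and the checksum values are not cryptographically verified here (that needs the KDC's TGT key), only the presence check that decides whether verification is attempted.

```python
import struct

# PAC_INFO_BUFFER ulType values, from MS-PAC section 2.4.
PAC_LOGON_INFO = 0x01
PAC_SERVER_CHECKSUM = 0x06
PAC_PRIVSVR_CHECKSUM = 0x07
PAC_CLIENT_INFO = 0x0A
PAC_TICKET_CHECKSUM = 0x10   # the "ticket signature" buffer added for CVE-2020-17049

# Kerberos checksum type used in the constructed signature payloads
# (HMAC-SHA1-96-AES256, 12-byte checksum). The bytes are placeholders.
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16


def build_pac(payloads: dict) -> bytes:
    """Serialise {ulType: payload} into a PACTYPE blob (constructed test data).

    Layout per MS-PAC: cBuffers, Version (both ULONG), then one
    PAC_INFO_BUFFER (ulType, cbBufferSize, Offset as ULONG64) per buffer,
    followed by the 8-byte-aligned buffer bodies.
    """
    count = len(payloads)
    offset = 8 + 16 * count          # bodies start right after the entry array
    header = struct.pack("<II", count, 0)
    entries = b""
    body = b""
    for ultype, payload in payloads.items():
        entries += struct.pack("<IIQ", ultype, len(payload), offset)
        pad = (-len(payload)) % 8
        body += payload + b"\x00" * pad
        offset += len(payload) + pad
    return header + entries + body


def parse_pac(blob: bytes) -> dict:
    """Parse a PACTYPE blob and return {ulType: raw payload bytes}.

    Bounds are checked so a truncated or malformed PAC raises instead of
    indexing past the end of the data.
    """
    if len(blob) < 8:
        raise ValueError("PAC too short for PACTYPE header")
    count, version = struct.unpack_from("<II", blob, 0)
    if version != 0:
        raise ValueError(f"unsupported PAC version {version}")
    if 8 + 16 * count > len(blob):
        raise ValueError("PAC_INFO_BUFFER array extends past end of PAC")
    buffers = {}
    for i in range(count):
        ultype, size, offset = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if offset + size > len(blob):
            raise ValueError(f"buffer {ultype:#x} extends past end of PAC")
        if ultype in buffers:
            raise ValueError(f"duplicate buffer type {ultype:#x}")
        buffers[ultype] = blob[offset:offset + size]
    return buffers


def ticket_signature_decision(pac_blob: bytes, require_ticket_signature: bool) -> str:
    """Decide how a KDC should treat the evidence ticket's PAC in S4U2Proxy.

    Returns one of:
      'verify' - ticket signature buffer present; verify it against the TGT key
      'skip'   - buffer absent and the policy tolerates pre-1.20 PACs
      'reject' - buffer absent and the policy requires it (krb5 1.20.1 behaviour)
    The server and KDC checksums are mandatory under both policies.
    """
    buffers = parse_pac(pac_blob)
    for mandatory in (PAC_SERVER_CHECKSUM, PAC_PRIVSVR_CHECKSUM):
        if mandatory not in buffers:
            raise ValueError(f"mandatory checksum buffer {mandatory:#x} missing")
    if PAC_TICKET_CHECKSUM in buffers:
        return "verify"
    return "reject" if require_ticket_signature else "skip"


# Constructed sample PACs. The signature payload is SignatureType followed by
# placeholder checksum bytes; real values would be HMACs under the KDC keys.
_SIG = struct.pack("<I", CKSUMTYPE_HMAC_SHA1_96_AES256) + b"\x00" * 12
OLD_STYLE_PAC = build_pac({            # as issued by krb5 1.18.2 (no ticket signature)
    PAC_LOGON_INFO: b"logon-info-placeholder",
    PAC_CLIENT_INFO: b"client-info-placeholder",
    PAC_SERVER_CHECKSUM: _SIG,
    PAC_PRIVSVR_CHECKSUM: _SIG,
})
NEW_STYLE_PAC = build_pac({            # as issued by a KDC that adds the ticket signature
    PAC_LOGON_INFO: b"logon-info-placeholder",
    PAC_CLIENT_INFO: b"client-info-placeholder",
    PAC_SERVER_CHECKSUM: _SIG,
    PAC_PRIVSVR_CHECKSUM: _SIG,
    PAC_TICKET_CHECKSUM: _SIG,
})

if __name__ == "__main__":
    for name, pac in (("1.18.2 PAC", OLD_STYLE_PAC), ("1.20+ PAC", NEW_STYLE_PAC)):
        print(name, "buffers:", [hex(t) for t in parse_pac(pac)])
        print("  krb5 1.20.1 policy  ->", ticket_signature_decision(pac, True))
        print("  optional-sig policy ->", ticket_signature_decision(pac, False))
```

Running it shows the mixed-KDC scenario from the report: the PAC minted by the 1.18.2 KDC yields "reject" under the strict policy (the `constrained delegation failed` error) and "skip" under the optional policy, while a PAC that carries buffer 0x10 yields "verify" under both, so the hardening still applies wherever the signature exists.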

Comment 1 Julien Rische 2023-06-12 14:47:40 UTC
Fedora pull request:
https://src.fedoraproject.org/rpms/krb5/pull-request/36

Comment 2 Fedora Update System 2023-06-13 13:41:18 UTC
FEDORA-2023-5cd7789569 has been submitted as an update to Fedora 39. https://bodhi.fedoraproject.org/updates/FEDORA-2023-5cd7789569

Comment 3 Fedora Update System 2023-06-13 13:55:27 UTC
FEDORA-2023-5cd7789569 has been pushed to the Fedora 39 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 4 Fedora Update System 2023-07-10 08:51:50 UTC
FEDORA-2023-f7841e7a29 has been submitted as an update to Fedora 38. https://bodhi.fedoraproject.org/updates/FEDORA-2023-f7841e7a29

Comment 5 Fedora Update System 2023-07-11 01:27:00 UTC
FEDORA-2023-f7841e7a29 has been pushed to the Fedora 38 stable repository.
If problem still persists, please make note of it in this bug report.

