CVE-2022-45141: Samba - Security Announcement Archive
Since the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability was disclosed by Microsoft on Nov 8 2022 and, per RFC8429, rc4-hmac is assumed to be weak, vulnerable Samba Active Directory DCs will issue rc4-hmac encrypted tickets despite the target server supporting better encryption (e.g. aes256-cts-hmac-sha1-96).
===========================================================
== Subject:     Samba AD DC using Heimdal can be forced to
==              issue rc4-hmac encrypted Kerberos tickets
==
== CVE ID#:     CVE-2022-45141
==
== Versions:    Heimdal builds of the Samba AD DC prior to Samba 4.16
==
== Summary:     Since the Windows Kerberos RC4-HMAC Elevation of Privilege
==              Vulnerability was disclosed by Microsoft on Nov 8 2022
==              and per RFC8429 it is assumed that rc4-hmac is weak,
==
==              Vulnerable Samba Active Directory DCs will issue rc4-hmac
==              encrypted tickets despite the target server supporting
==              better encryption (eg aes256-cts-hmac-sha1-96).
===========================================================
===========
Description
===========
Kerberos, the trusted third party authentication system at the heart of Active Directory, issues a ticket using a key known to the target server but nobody else, returned to the client in a TGS-REP.
This key needs to be of a type understood only by the KDC and target server.
However, due to a coding error, subsequently addressed in all recent Heimdal versions and so fixed in Samba 4.16 (which imports Heimdal 8.0pre), the (attacking) client is given the opportunity to select the encryption type, and can so obtain a ticket encrypted with rc4-hmac that it could attack offline.
This is possible unless rc4-hmac is totally removed from the server’s account, by removing the unicodePwd attribute, but this will break other aspects of the server’s operation in the domain (NETLOGON in particular).
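As an added illustration of the defender's side (this is not code from the Samba advisory or the Samba project), the following script flags service tickets that were issued with rc4-hmac to a server whose account advertises AES support via msDS-SupportedEncryptionTypes. The ticket records are constructed sample data; the attribute is used here only as a signal of what the server supports, which is consistent with the advisory's note that setting it is not a workaround.

```python
# Added detection example, not part of the Samba advisory: flag Kerberos
# service tickets issued with rc4-hmac to servers whose account says it
# supports AES. The records below are constructed samples, not real logs.

# Kerberos etype numbers (RFC 3962 for AES, RFC 4757 for rc4-hmac)
ETYPE_RC4_HMAC = 23
ETYPE_AES128 = 17
ETYPE_AES256 = 18
ETYPE_NAMES = {23: "rc4-hmac", 17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96"}

# msDS-SupportedEncryptionTypes bit flags (MS-KILE)
SET_RC4_HMAC_MD5 = 0x4
SET_AES128 = 0x8
SET_AES256 = 0x10


def supported_etypes(mask):
    """Translate an msDS-SupportedEncryptionTypes bitmask into etype numbers."""
    out = set()
    if mask & SET_RC4_HMAC_MD5:
        out.add(ETYPE_RC4_HMAC)
    if mask & SET_AES128:
        out.add(ETYPE_AES128)
    if mask & SET_AES256:
        out.add(ETYPE_AES256)
    return out


def is_downgraded(ticket_etype, server_mask):
    """True when an rc4-hmac ticket was issued although the server supports AES."""
    aes = {ETYPE_AES128, ETYPE_AES256}
    return ticket_etype == ETYPE_RC4_HMAC and bool(supported_etypes(server_mask) & aes)


def find_downgrades(records):
    """Return (service, ticket etype name) for each record that looks downgraded."""
    return [(r["service"], ETYPE_NAMES.get(r["etype"], str(r["etype"])))
            for r in records if is_downgraded(r["etype"], r["server_enctypes"])]


# Constructed sample: an AES-capable server got an rc4-hmac ticket (suspicious),
# a legacy RC4-only server got rc4-hmac (expected), and one server got AES256.
SAMPLE_RECORDS = [
    {"service": "cifs/fs01.example.test", "etype": 23, "server_enctypes": 0x1c},
    {"service": "host/legacy.example.test", "etype": 23, "server_enctypes": 0x04},
    {"service": "http/web.example.test", "etype": 18, "server_enctypes": 0x18},
]

if __name__ == "__main__":
    for svc, name in find_downgrades(SAMPLE_RECORDS):
        print(f"possible downgrade: {svc} ticket issued with {name}")
```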
==================
Patch Availability
==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.15.13 has been issued as a security release to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
==================
CVSSv3 calculation
==================
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H (8.1)
================
(not) Workaround
================
Setting msDS-SupportedEncryptionTypes is not a workaround for this issue.
=======
Credits
=======
Originally reported by Joseph Sutton of Catalyst and the Samba Team.
Advisory written by Andrew Bartlett of Catalyst and the Samba Team.
Patches by Nicolas Williams were identified and backported by Joseph Sutton of Catalyst and the Samba Team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================