Red Hat Enterprise Linux and Microsoft security update of November 2022

Red Hat Blog

On November 8th, 2022, Microsoft released a series of security updates for various Windows operating systems to fix two security issues:

  • CVE-2022-37966, knowledge base article
  • CVE-2022-37967, knowledge base article

Neither security issue is documented in detail. The security advisories refer to a “Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability” and a generic “Windows Kerberos Elevation of Privilege Vulnerability,” respectively. From the accompanying knowledge base articles we can see that these vulnerabilities affect use of the standard RC4-HMAC encryption type in the Active Directory Kerberos implementation. It has been known for some time that RC4-HMAC is an encryption type that might be broken, and the recommendation has been to disable RC4-HMAC use in Active Directory environments, as enforced by various STIG and CIS profiles for Windows systems.

This article outlines how Microsoft’s November 2022 security release for Active Directory vulnerabilities affects RHEL-based solutions. In order to do so, we need to dive deeper into what the Microsoft security release is attempting to fix, based on the incomplete information we have so far.

Active Directory Kerberos implementation

As described by Microsoft, the Active Directory implementation provides a number of compatibility features that allow migration from older Windows solutions. While neither Windows NT nor the initial Active Directory versions through Windows Server 2008 are supported anymore, even Windows Server 2022 contains the compatibility features that allow users to migrate from Windows NT domains without changing their passwords. The original passwords were encrypted with an algorithm that translates directly to the Kerberos RC4-HMAC encryption type.

When Active Directory is deployed, one first installs a standalone Windows server. The standalone server defaults to the same password encryption method, which translates directly to the Kerberos RC4-HMAC encryption type. Deploying the Active Directory domain controller on the standalone Windows server then extends the list of supported encryption types for Kerberos keys in Active Directory. However, RC4-HMAC keys remain present for the principals created prior to the Active Directory deployment (for example, Administrator) and for the primary Kerberos realm principal, krbtgt/REALM@REALM, until the enforcing group policy is applied.

In order to maintain compatibility with older releases, Microsoft Active Directory domain controllers follow a complex logic when choosing the encryption type for a key generated for a particular Kerberos ticket. The choice does not depend only on the availability of common key types for both the Kerberos client and the Kerberos service principal: in some cases RC4-HMAC is used even when AES session keys are available. This is especially true for Kerberos service principals that were created during the Active Directory deployment, when enforcement of more secure encryption types was not yet in place.

The CVE-2022-37966 and CVE-2022-37967 security advisories hint that there are situations where an attacker might be able to affect Kerberos tickets which use RC4-HMAC keys. How this is accomplished is not entirely clear. What matters is that an attack is at least theoretically possible, and the Microsoft team responsible for the Active Directory Kerberos implementation finally decided to push through the removal of RC4-HMAC keys from any on-wire operations, not only in Kerberos itself but also in Netlogon operations, which are essential to communication in Active Directory domains between enrolled Windows clients and domain controllers. This scope hints that some of the ticket payload might be affected and its validation might be under attacker control, hence “elevation of privilege vulnerability”.

AES encryption enforcement in Active Directory as of November 2022

Unfortunately, this laudable attempt to improve the security of Kerberos operations in Active Directory was spoiled by a bug in the code fixing the issue. When RC4 usage is already disabled in the Active Directory deployment, the code does not handle that state and rejects all-AES communication as well. As Steve Syfuhs, a developer at Microsoft, said on Twitter:

“The issue is the absence of RC4 in the list. If that bit is not set, things fall back to a weird state. If only AES bits are set, that weird state conflicts with ‘AES only’.”

The issue has now been acknowledged by Microsoft, and a fix is to be published in the upcoming weeks. This means the November 8, 2022 security update is not yet compatible with systems that already do not use the RC4 cipher. This includes both Windows and Linux systems, as a faulty Active Directory domain controller would reject a request coming from an enrolled RHEL system just as it would reject a request from a Windows machine enrolled into the same domain. Red Hat has issued a short knowledgebase article about this. The article recommends making your Microsoft support partner aware that your deployment is affected, so that you get notified when the fix is available.

Open source activities

Further securing communications between Microsoft Active Directory and compatible open source solutions is an important effort. With the release of RHEL 9.0 earlier this year, Red Hat has already tightened up many defaults of the operating system, including disabling or removing some old cipher suites. For example, RC4-HMAC is not enabled by default in RHEL 9.0 and is not used by RHEL IdM. Kerberos encryption types that use the SHA-1 algorithm to calculate a checksum were also disabled by default. RHEL IdM defaults to the more secure variants of the AES encryption types in its Kerberos implementation. This change also means there are no common encryption types for Active Directory interoperability, because Active Directory does not support the SHA-2-based algorithms for checksums in Kerberos encryption types defined in RFC 8009.

In order to retain compatibility with Active Directory, RHEL 9 provides several cryptographic subpolicies which enable older cipher sets: AD-SUPPORT, AD-SUPPORT-LEGACY, and SHA1. The AD-SUPPORT subpolicy allows use of the AES-based encryption types which use the SHA-1 algorithm for their checksum. The AD-SUPPORT-LEGACY subpolicy additionally adds use of the RC4-HMAC encryption type. Finally, the SHA1 subpolicy allows SHA-1 use separately from Kerberos encryption types. This is useful when smartcards are enabled on the Active Directory side, as a SHA-1 checksum is still used in the PKINIT Kerberos protocol extension.
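The two interoperability questions raised above, which accounts still depend on RC4-HMAC keys (the pre-deployment principals such as Administrator and krbtgt) and which RHEL 9 crypto-policy a client needs in order to share an encryption type with them, can both be answered from the msDS-SupportedEncryptionTypes attribute of each account. The following audit script is an added example, not code from Red Hat, Microsoft or any of the projects named in the article. It assumes the bit values of MS-KILE section 2.2.7 for the legacy encryption types, treats an unset or zero attribute as RC4-only (the documented pre-update default for such accounts), and takes the 0x20 AES session-key enforcement flag from KB5021131 as an assumption to verify against that article; the directory export and account names are constructed sample data.

```python
"""Audit msDS-SupportedEncryptionTypes values for RC4-HMAC dependence.

Added example (not Red Hat's or Microsoft's code). Bit values for the
legacy encryption types follow MS-KILE 2.2.7; the AES256-SK bit (0x20) is
the session-key enforcement flag of the November 2022 update, assumed here
from KB5021131 (verify against the KB before relying on it).
"""

# msDS-SupportedEncryptionTypes bit flags.
DES_CBC_CRC = 0x01
DES_CBC_MD5 = 0x02
RC4_HMAC = 0x04
AES128_SHA1 = 0x08   # aes128-cts-hmac-sha1-96
AES256_SHA1 = 0x10   # aes256-cts-hmac-sha1-96
AES256_SK = 0x20     # AES session-key enforcement flag, not a key type (assumed)

ENCTYPE_NAMES = {
    DES_CBC_CRC: "des-cbc-crc",
    DES_CBC_MD5: "des-cbc-md5",
    RC4_HMAC: "arcfour-hmac-md5",
    AES128_SHA1: "aes128-cts-hmac-sha1-96",
    AES256_SHA1: "aes256-cts-hmac-sha1-96",
}

AES_SHA1 = {ENCTYPE_NAMES[AES128_SHA1], ENCTYPE_NAMES[AES256_SHA1]}
RC4 = {ENCTYPE_NAMES[RC4_HMAC]}
# RFC 8009 (SHA-2) AES types, which Active Directory does not implement.
AES_SHA2 = {"aes256-cts-hmac-sha384-192", "aes128-cts-hmac-sha256-128"}

# Kerberos encryption types a RHEL 9 client offers under each crypto-policy,
# as the article describes them: DEFAULT has only the SHA-2 AES types,
# AD-SUPPORT adds the SHA-1 AES types, AD-SUPPORT-LEGACY adds RC4-HMAC.
RHEL9_POLICY_ENCTYPES = {
    "DEFAULT": set(AES_SHA2),
    "DEFAULT:AD-SUPPORT": AES_SHA2 | AES_SHA1,
    "DEFAULT:AD-SUPPORT-LEGACY": AES_SHA2 | AES_SHA1 | RC4,
}


def decode_enctypes(value):
    """Return the set of key types an account advertises.

    An unset or zero attribute is what principals created before the
    Active Directory deployment look like: the DC treats them as RC4 only.
    """
    if not value:
        return set(RC4)
    return {name for bit, name in ENCTYPE_NAMES.items() if value & bit}


def classify(value):
    """Label an account by its RC4-HMAC dependence."""
    if not value:
        return "legacy-default (RC4 only)"
    types = decode_enctypes(value)
    has_rc4 = bool(types & RC4)
    has_aes = bool(types & AES_SHA1)
    if has_aes and not has_rc4:
        return "AES only"        # the case the buggy November update rejects
    if has_rc4 and not has_aes:
        return "RC4 only"
    if has_rc4 and has_aes:
        return "mixed"
    return "DES only"


def common_enctypes(client_types, account_value):
    """Key types a client and an AD account can both use."""
    return client_types & decode_enctypes(account_value)


def audit(accounts):
    """Map sAMAccountName -> class and the RHEL 9 policies that can still talk to it.

    `accounts` maps sAMAccountName -> msDS-SupportedEncryptionTypes (int or None).
    """
    report = {}
    for name, value in accounts.items():
        usable = [policy for policy, types in RHEL9_POLICY_ENCTYPES.items()
                  if common_enctypes(types, value)]
        report[name] = {"class": classify(value), "usable_policies": usable}
    return report


# Constructed sample directory export (not real data).
SAMPLE_ACCOUNTS = {
    "Administrator": None,                              # attribute never set
    "krbtgt": RC4_HMAC,                                 # 0x04
    "svc-web": RC4_HMAC | AES128_SHA1 | AES256_SHA1,    # 0x1c
    "svc-db": AES128_SHA1 | AES256_SHA1 | AES256_SK,    # 0x38, AES only
}

if __name__ == "__main__":
    for name, row in audit(SAMPLE_ACCOUNTS).items():
        policies = ", ".join(row["usable_policies"]) or "none"
        print(f"{name:15} {row['class']:28} {policies}")
```

Running the script shows that an account with the attribute unset can only be reached by a RHEL 9 client under DEFAULT:AD-SUPPORT-LEGACY, while an AES-only service principal is reachable under DEFAULT:AD-SUPPORT (applied with `update-crypto-policies --set DEFAULT:AD-SUPPORT` followed by a reboot) and is also the one a domain controller running the unfixed November 2022 update would reject, so the report doubles as a list of accounts to watch once that update is deployed.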

For many of these improvements to be useful without enabling legacy or weaker ciphers, we need updates to the corresponding RFCs and to the Kerberos implementations (MIT Kerberos, Heimdal, …) as well as to Microsoft’s Active Directory. Use of AES encryption types with the SHA-2 HMAC algorithms defined in RFC 8009 is one of the most obvious changes that would improve security.

Support for November 2022 security enhancements

While Microsoft’s November 2022 security enhancements had an interoperability issue in the implementation, they were still a good move. Once the bug in the initial implementation is fixed, another interoperability trip needs to be made, this time by the open source projects. Samba Team developers are working together with Microsoft’s documentation team to make sure the corresponding specifications get updated. Updates are available only for one part of the security fix right now: enforcement of the AES-based session key in Kerberos communications as a separate encryption key type. Details of the other changes, adding an additional checksum to the privilege attribute certificate (PAC) structure of the Kerberos service ticket and improvements in the DCE RPC protocols, have not been published so far.

Once all the specifications are available, the open source community can add support for them to MIT Kerberos, Heimdal, Samba and FreeIPA. Hopefully, this happens before the enforcement deadlines Microsoft has outlined in the original security bulletin. Linux distributions would then deliver those changes to their users. Hopefully, this will happen more quickly, but that entirely depends on the collaboration between multiple vendors. For the past decade we have been enjoying a productive interaction with Microsoft, and we hope this joint effort to improve the security of the enterprise infrastructure landscape continues.

Related news

Gentoo Linux Security Advisory 202309-06

Gentoo Linux Security Advisory 202309-6 - Multiple vulnerabilities have been discovered in Samba, the worst of which could result in root remote code execution. Versions greater than or equal to 4.18.4 are affected.

CVE-2023-23694: DSA-2023-071: Dell VxRail Security Update for Multiple Third-Party Component Vulnerabilities – 7.0.450

Dell VxRail versions earlier than 7.0.450, contain(s) an OS command injection vulnerability in VxRail Manager. A local authenticated attacker could potentially exploit this vulnerability, leading to the execution of arbitrary OS commands on the application's underlying OS, with the privileges of the vulnerable application. Exploitation may lead to a system take over by an attacker.

RHSA-2023:2570: Red Hat Security Advisory: krb5 security, bug fix, and enhancement update

An update for krb5 is now available for Red Hat Enterprise Linux 9. Red Hat Product Security has rated this update as having a security impact of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link(s) in the References section. This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Red Hat Inc. and provide a link to the original. Related CVEs: * CVE-2020-17049: It was found that the Kerberos Key Distribution Center (KDC) delegation feature, Service for User (S4U), did not sufficiently protect the tickets it provides from tampering. A malicious, authenticated service principal allowed to delegate could use this flaw to impersonate a non-forwardable user.

Ubuntu Security Notice USN-5936-1

Ubuntu Security Notice 5936-1 - Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service. Tom Tervoort discovered that Samba incorrectly used weak rc4-hmac Kerberos keys. A remote attacker could possibly use this issue to elevate privileges.

Ubuntu Security Notice USN-5822-2

Ubuntu Security Notice 5822-2 - USN-5822-1 fixed vulnerabilities in Samba. The update for Ubuntu 20.04 LTS introduced regressions in certain environments. Pending investigation of these regressions, this update temporarily reverts the security fixes. It was discovered that Samba incorrectly handled the bad password count logic. It was discovered that Samba supported weak RC4/HMAC-MD5 in NetLogon Secure Channel. Greg Hudson discovered that Samba incorrectly handled PAC parsing. Joseph Sutton discovered that Samba could be forced to issue rc4-hmac encrypted Kerberos tickets.

Ubuntu Security Notice USN-5822-1

Ubuntu Security Notice 5822-1 - It was discovered that Samba incorrectly handled the bad password count logic. A remote attacker could possibly use this issue to bypass bad passwords lockouts. This issue was only addressed in Ubuntu 22.10. Evgeny Legerov discovered that Samba incorrectly handled buffers in certain GSSAPI routines of Heimdal. A remote attacker could possibly use this issue to cause Samba to crash, resulting in a denial of service.

Samba Issues Security Updates to Patch Multiple High-Severity Vulnerabilities

Samba has released software updates to remediate multiple vulnerabilities that, if successfully exploited, could allow an attacker to take control of affected systems. The high-severity flaws, tracked as CVE-2022-38023, CVE-2022-37966, CVE-2022-37967, and CVE-2022-45141, have been patched in versions 4.17.4, 4.16.8 and 4.15.13 released on December 15, 2022. Samba is an open source Windows

Microsoft Patch Tuesday November 2022: Exchange ProxyNotShell RCE, JScript9, MoTW, OpenSSL, Edge, CNG, Print Spooler

Hello everyone! This episode will be about Microsoft Patch Tuesday for November 2022, including vulnerabilities that were added between October and November Patch Tuesdays. As usual, I use my open source Vulristics project to create the report. Alternative video link (for Russia): https://vk.com/video-149273431_456239107 The most important news of this Patch Tuesday was a release of patches […]

CVE-2022-37966

Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability.

CVE-2022-37967

Windows Kerberos Elevation of Privilege Vulnerability.

Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

By Deeba Ahmed Microsoft has urged Windows Administrators to install the updates urgently so make sure you have the latest patches installed! This is a post from HackRead.com Read the original post: Microsoft Issues Patches to Fix 6 Active 0-Day Windows Vulnerabilities

Install Latest Windows Update ASAP! Patches Issued for 6 Actively Exploited Zero-Days

Microsoft's latest round of monthly security updates has been released with fixes for 68 vulnerabilities spanning its software portfolio, including patches for six actively exploited zero-days. 12 of the issues are rated Critical, two are rated High, and 55 are rated Important in severity. This also includes the weaknesses that were closed out by OpenSSL the previous week. Also separately

Microsoft Quashes Bevy of Actively Exploited Zero-Days for November Patch Tuesday

Long-awaited security fixes for ProxyNotShell and Mark of the Web bypasses are part of a glut of actively exploited zero-day vulnerabilities and other critical flaws that admins need to prioritize in the coming hours.

Microsoft Patch Tuesday for November 2022 — Snort rules and prominent vulnerabilities

Microsoft released its monthly security update on Tuesday, disclosing 62 vulnerabilities. Of these vulnerabilities, 8 are classified as “Critical” and the rest are classified as “Important.”