summaryrefslogtreecommitdiff
path: root/repo/heimdal/CVE-2018-16860.patch
diff options
context:
space:
mode:
Diffstat (limited to 'repo/heimdal/CVE-2018-16860.patch')
-rw-r--r--repo/heimdal/CVE-2018-16860.patch147
1 files changed, 0 insertions, 147 deletions
diff --git a/repo/heimdal/CVE-2018-16860.patch b/repo/heimdal/CVE-2018-16860.patch
deleted file mode 100644
index 6424b9e..0000000
--- a/repo/heimdal/CVE-2018-16860.patch
+++ /dev/null
@@ -1,147 +0,0 @@
-From c6257cc2c842c0faaeb4ef34e33890ee88c4cbba Mon Sep 17 00:00:00 2001
-From: Isaac Boukris <iboukris@gmail.com>
-Date: Tue, 14 May 2019 09:03:18 -0400
-Subject: [PATCH] CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed
- checksum
-
-S4U2Self is an extension to Kerberos used in Active Directory to allow
-a service to request a kerberos ticket to itself from the Kerberos Key
-Distribution Center (KDC) for a non-Kerberos authenticated user
-(principal in Kerboros parlance). This is useful to allow internal
-code paths to be standardized around Kerberos.
-
-S4U2Proxy (constrained-delegation) is an extension of this mechanism
-allowing this impersonation to a second service over the network. It
-allows a privileged server that obtained a S4U2Self ticket to itself
-to then assert the identity of that principal to a second service and
-present itself as that principal to get services from the second
-service.
-
-There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
-KDC checks the checksum that is placed on the S4U2Self packet by the
-server to protect the requested principal against modification, it
-does not confirm that the checksum algorithm that protects the user
-name (principal) in the request is keyed. This allows a
-man-in-the-middle attacker who can intercept the request to the KDC to
-modify the packet by replacing the user name (principal) in the
-request with any desired user name (principal) that exists in the KDC
-and replace the checksum protecting that name with a CRC32 checksum
-(which requires no prior knowledge to compute).
-
-This would allow a S4U2Self ticket requested on behalf of user name
-(principal) user@EXAMPLE.COM to any service to be changed to a
-S4U2Self ticket with a user name (principal) of
-Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
-the modified user name (principal).
-
-==================
-CVSSv3 calculation
-==================
-
-CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
-
-=========================
-Workaround and Mitigation
-=========================
-
-If server does not take privileged actions based on Kerberos tickets
-obtained by S4U2Self nor obtains Kerberos tickets via further
-S4U2Proxy requests then this issue cannot be exploited.
-
-Note that the path to an exploit is not generic, the KDC is not harmed
-by the malicious checksum, it is the client service requesting the
-ticket being mislead, because it trusted the KDC to return the correct
-ticket and PAC.
-
-It is out of scope for Samba to describe all of the possible tool
-chains that might be vulnerable. Here are two examples of possible
-exploits in order to explain the issue more clearly.
-
-1). SFU2Self might be used by a web service authenticating an end user
-via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
-Kerberos service ticket for use by any Kerberos service principal the
-web service has a keytab for. One example is acquiring an AFS token
-by requesting an afs/cell@REALM service ticket for a client via
-SFU2Self. With this exploit an organization that deploys a KDC built
-from Heimdal (be it Heimdal directly or vendor versions such as found
-in Samba) is vulnerable to privilege escalation attacks.
-
-2). If a server authenticates users using X509 certificates, and then
-uses S4U2Self to obtain a Kerberos service ticket on behalf of the
-user (principal) in order to authorize access to local resources, a
-man-in-the-middle attacker could allow a non-privilaged user to access
-privilaged resources being protected by the server, or privilaged
-resources being protected by a second server, if the first server uses
-the S4U2Proxy extension in order to get a new Kerberos service ticket
-to obtain access to the second server.
-
-In both these scenarios under conditions allowing man-in-the-middle
-active network protocol manipulation, a malicious user could
-authenticate using the non-Kerborized credentials of an unprivileged
-user, and then elevate its privileges by intercepting the packet from
-the server to the KDC and changing the requested user name (principal).
-
-The only Samba clients that use S4U2Self are:
-
-- the "net ads kerberos pac dump" (debugging) tool.
-
-- the CIFS proxy in the deprecated/developer-only NTVFS file
-server. Note this code is not compiled or enabled by default.
-
-In particular, winbindd does *not* use S4U2Self.
-
-Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
-for Samba AD is understood not to be impacted.
-
-===============
-Further Reading
-===============
-
-There is more detail on and a description of the protocols in
-
-[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained
-Delegation Protocol
-https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
-
-=======
-Credits
-=======
-
-Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
-Team and Catalyst.
-
-Patches provided by Isaac Boukris.
-
-Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
-with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
-Allison.
-
-BUG: https://bugzilla.samba.org/show_bug.cgi?id=13685
-Change-Id: I4ac69ebf0503eb999a7d497a2c30fe4d293a8cc8
-Signed-off-by: Isaac Boukris <iboukris@gmail.com>
-Reviewed-by: Andrew Bartlett <abartlet@samba.org>
-Signed-off-by: Andrew Bartlett <abartlet@samba.org>
-Reviewed-by: Jeffrey Altman <jaltman@auristor.com>
-Signed-off-by: Jeffrey Altman <jaltman@auristor.com>
----
- kdc/krb5tgs.c | 7 +++++++
- 1 file changed, 7 insertions(+)
-
-diff --git a/kdc/krb5tgs.c b/kdc/krb5tgs.c
-index 8318bc0025..14943077a4 100644
---- a/kdc/krb5tgs.c
-+++ b/kdc/krb5tgs.c
-@@ -2031,6 +2031,13 @@ tgs_build_reply(krb5_context context,
- goto out;
- }
-
-+ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
-+ free_PA_S4U2Self(&self);
-+ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed checksum");
-+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
-+ goto out;
-+ }
-+
- ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
- if (ret)
- goto out;