ASA-2019-00266 – Samba: AD DC S4U2Self/S4U2Proxy unkeyed checksum

Posted on by Allele Security Intelligence in Alerts

Allele Security Alert

ASA-2019-00266

Identifier(s)

ASA-2019-00266, CVE-2018-16860

Title

AD DC S4U2Self/S4U2Proxy unkeyed checksum

Vendor(s)

The Samba Project

Product(s)

Samba

Affected version(s)

All Samba versions since Samba 4.0
All releases of Heimdal from 0.8 including 7.5.0 and any products that ship a KDC derived from one of those Heimdal releases.

Fixed version(s)

Samba 4.8.12, 4.9.8 and 4.10.3

Proof of concept

Unknown

Description

S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal code paths to be standardized around Kerberos.

S4U2Proxy (constrained-delegation) is an extension of this mechanism allowing this impersonation to a second service over the network. It allows a privileged server that obtained a S4U2Self ticket to itself to then assert the identity of that principal to a second service and present itself as that principal to get services from the second service.

There is a flaw in Samba’s AD DC in the Heimdal KDC. When the Heimdal KDC checks the checksum that is placed on the S4U2Self packet by the server to protect the requested principal against modification, it does not confirm that the checksum algorithm that protects the user name (principal) in the request is keyed. This allows a man-in-the-middle attacker who can intercept the request to the KDC to modify the packet by replacing the user name (principal) in the request with any desired user name (principal) that exists in the KDC and replace the checksum protecting that name with a CRC32 checksum (which requires no prior knowledge to compute).

This would allow a S4U2Self ticket requested on behalf of user name (principal) user@EXAMPLE.COM to any service to be changed to a S4U2Self ticket with a user name (principal) of Administrator@EXAMPLE.COM. This ticket would then contain the PAC of the modified user name (principal).

Technical details

Unknown

Credits

Isaac Boukris and Andrew Bartlett

Reference(s)

Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
https://www.samba.org/samba/security/CVE-2018-16860.html

Release Notes for Samba 4.10.3
https://www.samba.org/samba/history/samba-4.10.3.html

Release Notes for Samba 4.9.8
https://www.samba.org/samba/history/samba-4.9.8.html

Release Notes for Samba 4.8.12
https://www.samba.org/samba/history/samba-4.8.12.html

CVE-2018-16860
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860

CVE-2018-16860
https://nvd.nist.gov/vuln/detail/CVE-2018-16860

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: May 14, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.