git.ipfire.org Git - thirdparty/samba.git/commit
CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets
author     Joseph Sutton <josephsutton@catalyst.net.nz>
           Fri, 10 Jun 2022 07:18:53 +0000 (19:18 +1200)
committer  Jule Anger <janger@samba.org>
           Sun, 24 Jul 2022 09:42:02 +0000 (11:42 +0200)
commit     d5af460403d3949ba266f5c74f051247cd7ce752
tree       a36dc6db13116557cc41c0d2db005c49eaf12b42
parent     89c6e36938c27b572573b06d1b35db210bfda99b
CVE-2022-2031 s4:kpasswd: Do not accept TGTs as kpasswd tickets

If TGTs can be used as kpasswd tickets, the two-minute lifetime of an
authentic kpasswd ticket may be bypassed. Furthermore, kpasswd tickets
are not supposed to be cached, but using this flaw, a stolen credentials
cache containing a TGT may be used to change that account's password,
and thus is made more valuable to an attacker.

Since all TGTs should be issued with a REQUESTER_SID PAC buffer, and
service tickets without it, we assert the absence of this buffer to
ensure we're not accepting a TGT.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=15047
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15049

Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz>
Reviewed-by: Andreas Schneider <asn@samba.org>
[jsutton@samba.org Fixed knownfail conflicts]
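The check the commit message describes, as an added example in C that is not Samba's own code: a toy model of a decoded ticket and its PAC buffer list, contrasting the pre-fix shape (only the ticket's validity window is consulted, so a stolen TGT with hours of validity passes) with the fixed shape (any ticket carrying a REQUESTER_SID PAC buffer is rejected as a TGT). The types and functions (toy_pac, toy_ticket, pac_has_buffer, kpasswd_accept_before, kpasswd_accept_fixed) and both sample tickets are constructed for illustration; only the PAC buffer type numbers follow MS-PAC section 2.4.

```c
/* Added example, not Samba code.  Models the kpasswd ticket check against a
 * toy PAC; all names below are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* PAC buffer type identifiers from MS-PAC section 2.4 (only those used). */
#define PAC_TYPE_LOGON_INFO    0x01u
#define PAC_TYPE_SRV_CHECKSUM  0x06u
#define PAC_TYPE_KDC_CHECKSUM  0x07u
#define PAC_TYPE_LOGON_NAME    0x0Au
#define PAC_TYPE_REQUESTER_SID 0x12u

/* Two-minute kpasswd ticket lifetime, as stated in the commit message. */
#define KPASSWD_TICKET_LIFETIME (2 * 60)

/* Toy decoded PAC: only the list of buffer types present matters here. */
struct toy_pac {
	size_t num_buffers;
	uint32_t types[8];
};

/* Toy decoded ticket: validity window plus its PAC. */
struct toy_ticket {
	time_t starttime;
	time_t endtime;
	struct toy_pac pac;
};

enum kpasswd_verdict {
	KPASSWD_OK = 0,
	KPASSWD_REJECT_EXPIRED, /* now is outside the ticket's validity window */
	KPASSWD_REJECT_IS_TGT   /* REQUESTER_SID present: a TGT, not a kpasswd ticket */
};

static bool pac_has_buffer(const struct toy_pac *pac, uint32_t type)
{
	for (size_t i = 0; i < pac->num_buffers; i++) {
		if (pac->types[i] == type) {
			return true;
		}
	}
	return false;
}

/* Pre-fix shape: only the ticket's own validity window is checked.  A TGT
 * carries a window of hours, so a stolen TGT is accepted. */
static enum kpasswd_verdict kpasswd_accept_before(const struct toy_ticket *t,
						  time_t now)
{
	if (now < t->starttime || now > t->endtime) {
		return KPASSWD_REJECT_EXPIRED;
	}
	return KPASSWD_OK;
}

/* Fixed shape: additionally assert the absence of the REQUESTER_SID buffer,
 * which every TGT carries and no service ticket should. */
static enum kpasswd_verdict kpasswd_accept_fixed(const struct toy_ticket *t,
						 time_t now)
{
	if (pac_has_buffer(&t->pac, PAC_TYPE_REQUESTER_SID)) {
		return KPASSWD_REJECT_IS_TGT;
	}
	return kpasswd_accept_before(t, now);
}

/* Constructed sample tickets (not real wire data), both issued at t=1000. */
static const struct toy_ticket kpasswd_ticket = {
	.starttime = 1000,
	.endtime = 1000 + KPASSWD_TICKET_LIFETIME,
	.pac = { .num_buffers = 4,
		 .types = { PAC_TYPE_LOGON_INFO, PAC_TYPE_LOGON_NAME,
			    PAC_TYPE_SRV_CHECKSUM, PAC_TYPE_KDC_CHECKSUM } },
};

static const struct toy_ticket stolen_tgt = {
	.starttime = 1000,
	.endtime = 1000 + 10 * 60 * 60, /* typical ten-hour TGT lifetime */
	.pac = { .num_buffers = 5,
		 .types = { PAC_TYPE_LOGON_INFO, PAC_TYPE_LOGON_NAME,
			    PAC_TYPE_SRV_CHECKSUM, PAC_TYPE_KDC_CHECKSUM,
			    PAC_TYPE_REQUESTER_SID } },
};

int main(void)
{
	time_t now = 1000 + 3600; /* one hour after issue */
	printf("stolen TGT, pre-fix check:   verdict %d\n",
	       kpasswd_accept_before(&stolen_tgt, now));
	printf("stolen TGT, fixed check:     verdict %d\n",
	       kpasswd_accept_fixed(&stolen_tgt, now));
	printf("kpasswd ticket, fixed check: verdict %d\n",
	       kpasswd_accept_fixed(&kpasswd_ticket, now));
	return 0;
}
```

An hour after issue the pre-fix check still returns KPASSWD_OK for the TGT, while the fixed check returns KPASSWD_REJECT_IS_TGT for it and KPASSWD_REJECT_EXPIRED for the genuine kpasswd ticket, whose two-minute window has long closed.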

selftest/knownfail_heimdal_kdc
selftest/knownfail_mit_kdc
source4/kdc/kpasswd-helper.c
source4/kdc/kpasswd-helper.h
source4/kdc/kpasswd-service-heimdal.c
source4/kdc/kpasswd-service-mit.c