Implement suggestions outlined in https://www.samba.org/samba/security/CVE-2020-25721.html
In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and ideally long-term stable identifiers of a user to perform authorization. The AD PAC provides this, but the most useful information is kept in a buffer which is NDR encoded, which means that so far in Free Software only Samba and applications which use Samba components under the hood like FreeIPA and SSSD decode PAC. Recognising that the issues seen in Samba are not unique, Samba now provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a way that can be parsed using basic pointer handling. From this, future non-Samba based Kerberised applications can easily obtain the user's SID, in the same packing as objectSID in LDAP, confident that the ticket represents a specific user, not matter subsequent renames. This will allow such non-Samba applications to avoid confusing one Kerberos user for another, even if they have the same string name (due to the gap between time of ticket printing by the KDC and time of ticket acceptance).
In order to avoid issues like CVE-2020-25717 AD Kerberos accepting services need access to unique, and ideally long-term stable identifiers of a user to perform authorization.
The AD PAC provides this, but the most useful information is kept in a buffer which is NDR encoded, which means that so far in Free Software only Samba and applications which use Samba components under the hood like FreeIPA and SSSD decode PAC.
Recognising that the issues seen in Samba are not unique, Samba now provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a way that can be parsed using basic pointer handling.
From this, future non-Samba based Kerberised applications can easily obtain the user's SID, in the same packing as objectSID in LDAP, confident that the ticket represents a specific user, not matter subsequent renames.
This will allow such non-Samba applications to avoid confusing one Kerberos user for another, even if they have the same string name (due to the gap between time of ticket printing by the KDC and time of ticket acceptance).
Implement PAC_UPN_DNS_INFO_EX, PAC_ATTRIBUTES_INFO, PAC_REQUESTER_SID, and other hardening improvements as suggested by Samba Team and Microsoft.
Additional information: Microsoft: https://support.microsoft.com/en-us/topic/kb5008380-authentication-updates-cve-2021-42287-9dafac11-e0d0-4cb8-959a-143bd0201041 Samba Team: https://www.samba.org/samba/latest_news.html#4.15.2
PR: https://github.com/freeipa/freeipa/pull/6076
Metadata Update from @abbra: - Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6076
master:
ipa-4-9:
Metadata Update from @abbra: - Custom field changelog adjusted to FreeIPA now implements PAC structure hardening as coordinated with Samba Team and Microsoft in CVE-2020-25719 and CVE-2021-42287 correspondingly.
Metadata Update from @abbra: - Issue tagged with: rfe
We are trying to get more consistent details from Microsoft documented in MS-KILE, MS-PAC, and MS-SFU specs. It looks like there's still a need to tune the settings when these buffers issued and verified.
I am closing this now that RBCD support is merged.
Metadata Update from @abbra: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)
Login to comment on this ticket.