Test ID: 1.3.6.1.4.1.25623.1.0.108575
Category: General
Title: Samba AD DC Principal Modification Vulnerability (CVE-2018-16860)
Summary: Samba is prone to a user impersonation vulnerability.
Description:
Summary:
Samba is prone to a user impersonation vulnerability.

Vulnerability Insight:
S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a Kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a
non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal
code paths to be standardized around Kerberos.

S4U2Proxy (constrained-delegation) is an extension of this mechanism allowing this impersonation to a
second service over the network. It allows a privileged server that obtained an S4U2Self ticket to itself
to then assert the identity of that principal to a second service and present itself as that principal
to get services from the second service.

There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal KDC checks the checksum that is
placed on the S4U2Self packet by the server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user name (principal) in the request is
keyed.

Vulnerability Impact:
This allows a man-in-the-middle attacker who can intercept the request
to the KDC to modify the packet by replacing the user name (principal) in the request with any desired
user name (principal) that exists in the KDC and replacing the checksum protecting that name with a CRC32
checksum (which requires no prior knowledge to compute).

This would allow an S4U2Self ticket requested on behalf of user name (principal) user@EXAMPLE.COM to any
service to be changed to an S4U2Self ticket with a user name (principal) of Administrator@EXAMPLE.COM.
This ticket would then contain the PAC of the modified user name (principal).
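
A simplified model of the missing check and its fix, added here as an example; it is not Samba or Heimdal code. The request layout, checksum type names and function names are assumptions for illustration, and HMAC-SHA256 stands in for a keyed Kerberos checksum type.

```python
import hashlib
import hmac
import zlib

# Toy model: checksum types are plain strings, not real Kerberos type numbers.
KEYED_TYPES = {"hmac-sha256"}

def checksum(cksum_type: str, key: bytes, data: bytes) -> bytes:
    """Compute a checksum over data; only keyed types actually use the key."""
    if cksum_type == "crc32":
        return zlib.crc32(data).to_bytes(4, "big")  # key is ignored
    if cksum_type == "hmac-sha256":
        return hmac.new(key, data, hashlib.sha256).digest()
    raise ValueError(f"unsupported checksum type: {cksum_type}")

def make_request(principal: str, cksum_type: str, key: bytes) -> dict:
    """Build a simplified request naming the principal to impersonate."""
    return {"principal": principal, "cksum_type": cksum_type,
            "cksum": checksum(cksum_type, key, principal.encode())}

def verify_flawed(req: dict, key: bytes) -> bool:
    """Checks only that the value matches for whatever type the request names."""
    expected = checksum(req["cksum_type"], key, req["principal"].encode())
    return hmac.compare_digest(expected, req["cksum"])

def verify_hardened(req: dict, key: bytes) -> bool:
    """Rejects unkeyed checksum types before comparing the value."""
    if req["cksum_type"] not in KEYED_TYPES:
        return False
    return verify_flawed(req, key)

# Constructed sample data.
SERVICE_KEY = b"constructed-service-key"
genuine = make_request("user@EXAMPLE.COM", "hmac-sha256", SERVICE_KEY)
# The modification the page describes: new name, CRC32 computed with no key.
modified = make_request("Administrator@EXAMPLE.COM", "crc32", b"")
# A cruder modification: name changed, original HMAC left in place.
renamed = dict(genuine, principal="Administrator@EXAMPLE.COM")

if __name__ == "__main__":
    for label, req in (("genuine", genuine), ("modified", modified),
                       ("renamed", renamed)):
        print(label, verify_flawed(req, SERVICE_KEY),
              verify_hardened(req, SERVICE_KEY))
```

The value comparison alone cannot tell the modified request from a genuine one, because a CRC32 over the new name is valid regardless of the key; only the check on the checksum type rejects it.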

Affected Software/OS:
All Samba versions since Samba 4.0.

Solution:
Update to version 4.8.12, 4.9.8, 4.10.3 or later.

CVSS Score:
6.0

CVSS Vector:
AV:N/AC:M/Au:S/C:P/I:P/A:P

Cross-Ref:
Common Vulnerability Exposure (CVE) ID: CVE-2018-16860
Bugtraq: 20190814 APPLE-SA-2019-8-13-1 Additional information for APPLE-SA-2019-7-22-2 macOS Mojave 10.14.6, Security Update 2019-004 High Sierra, Security Update 2019-004 Sierra
https://seclists.org/bugtraq/2019/Aug/21
Bugtraq: 20190814 APPLE-SA-2019-8-13-2 Additional information for APPLE-SA-2019-7-22-1 iOS 12.4
https://seclists.org/bugtraq/2019/Aug/25
Bugtraq: 20190814 APPLE-SA-2019-8-13-3 Additional information for APPLE-SA-2019-7-22-4 watchOS 5.3
https://seclists.org/bugtraq/2019/Aug/22
Bugtraq: 20190814 APPLE-SA-2019-8-13-4 Additional information for APPLE-SA-2019-7-22-5 tvOS 12.4
https://seclists.org/bugtraq/2019/Aug/23
http://seclists.org/fulldisclosure/2019/Aug/11
http://seclists.org/fulldisclosure/2019/Aug/13
http://seclists.org/fulldisclosure/2019/Aug/14
http://seclists.org/fulldisclosure/2019/Aug/15
https://security.gentoo.org/glsa/202003-52
https://www.samba.org/samba/security/CVE-2018-16860.html
SuSE Security Announcement: openSUSE-SU-2019:1888
http://lists.opensuse.org/opensuse-security-announce/2019-08/msg00026.html

Copyright: Copyright (C) 2019 Greenbone Networks GmbH

© 1998-2025 E-Soft Inc. All rights reserved.