Salvatore Bonaccorso <[email protected]> writes:
> Source: heimdal
> Version: 7.5.0+dfsg-2.1
> Severity: important
> Tags: security upstream
> Control: found -1 7.1.0+dfsg-13+deb9u2
> Control: found -1 7.1.0+dfsg-13
>
> Hi,
>
> The following vulnerability was published for heimdal, actually just
> what is affecting samba embedded copy of heimdal.
>
> CVE-2018-16860[0]:
> Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
>
> If you fix the vulnerability please also make sure to include the
> CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
>
> For further information see:
>
> [0] https://security-tracker.debian.org/tracker/CVE-2018-16860
> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860
>
> Please adjust the affected versions in the BTS as needed, all versions
> starting from 0.8 upwards including 7.5.0 are affected.
>
> What is your take on this? Does this need a DSA or is an update via an
> upcoming point release enough?
I am hardly authoritative on this, however my rough take right now is:
* There is a vulnerability.
* The fix is simple. Looking at the Samba patches, I suspect we only
need the bit that alters krb5tgs.c - below.
* Not convinced this can actually be exploited without AD. It is
unlikely you would be using the stock Heimdal with AD. So possibly
we don't need to worry.
diff --git a/source4/heimdal/kdc/krb5tgs.c b/source4/heimdal/kdc/krb5tgs.c
index a888788bb6f..ff7d93138c0 100644
--- a/source4/heimdal/kdc/krb5tgs.c
+++ b/source4/heimdal/kdc/krb5tgs.c
@@ -1925,6 +1925,13 @@ server_lookup:
goto out;
}
+ if (!krb5_checksum_is_keyed(context, self.cksum.cksumtype)) {
+ free_PA_S4U2Self(&self);
+ kdc_log(context, config, 0, "Reject PA-S4U2Self with unkeyed
checksum");
+ ret = KRB5KRB_AP_ERR_INAPP_CKSUM;
+ goto out;
+ }
+
ret = _krb5_s4u2self_to_checksumdata(context, &self, &datack);
if (ret)
goto out;
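Review bot: the string literal in the added kdc_log call is wrapped across two lines in this mail ("Reject PA-S4U2Self with unkeyed" / "checksum"), so the hunk will not compile if applied verbatim; rejoin the literal onto one line or take the hunk from the upstream Samba commit rather than from this message. The placement itself is right: krb5_checksum_is_keyed is evaluated before _krb5_s4u2self_to_checksumdata, so a checksum type that anyone can compute without a key is rejected before the KDC derives or verifies anything from it, and KRB5KRB_AP_ERR_INAPP_CKSUM is the appropriate error for a checksum type that is inappropriate for the context. Please also confirm that the explicit free_PA_S4U2Self(&self) before goto out is consistent with what the out: label does for the neighbouring early exit (the goto out in the context just above), so the new path neither leaks self nor frees it twice.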
--
Brian May <[email protected]>