Many current versions of the Samba SMB file server contain a vulnerability that can allow a user on the server to change the administrator’s password and take complete control of the domain.
The vulnerability (CVE-2022-32744) affects Samba versions 4.3 and later and is a result of the way that the Key Distribution Center for Kerberos handles password-reset requests. The root cause of the bug is that the KDC will accept kpasswd–or password reset–requests that are encrypted with any key that it knows. A valid user on the system could abuse this to forge a password-reset request for another user and encrypt it with his own key.
“Tickets received by the kpasswd service were decrypted without specifying that only that service’s own keys should be tried. By setting the ticket’s server name to a principal associated with their own account, or by exploiting a fallback where known keys would be tried until a suitable one was found, an attacker could have the server accept tickets encrypted with any key, including their own,” an advisory from the Samba maintainers says.
“A user could thus change the password of the Administrator account and gain total control over the domain. Full loss of confidentiality and integrity would be possible, as well as of availability by denying users access to their accounts.”
Samba released a fix for the issue on Wednesday, along with patches for several other vulnerabilities. The most serious of the other bugs is also related to the KDC and password resets. A user could exploit this vulnerability (CVE-2022-2031) to gain access to other services on the domain.
“The KDC and the kpasswd service share a single account and set of keys. In certain cases, this makes the two services susceptible to confusion. When a user’s password has expired, that user is requested to change their password. Until doing so, the user is restricted to only acquiring tickets to kpasswd,” the advisory says.
However, a vulnerability meant that the kpasswd’s principal, when canonicalized, was set to that of the TGS (Ticket-Granting Service), thus yielding TGTs from ordinary kpasswd requests. These TGTs could be used to perform an Elevation of Privilege attack by obtaining service tickets and using services in the forest. This vulnerability existed in versions of Samba built with Heimdal Kerberos. A separate vulnerability in Samba versions below 4.16, and in Samba built with MIT Kerberos, led the KDC to accept kpasswd tickets as if they were TGTs, with the same overall outcome.”
If installing the updated versions isn’t an immediate option, the workaround for both of these vulnerabilities is to disable the kpasswd protocol.
