On Tue, 2022-11-22 at 18:33 +0100, Kacper via samba wrote:
> Hello!
>
> Is Samba vulnerable to the attack laid out in CVE-2022-26923? Are there
> any plans to do what Microsoft did with KB5014754 and drop support for weak
> certificate mappings?
>
> I know Andrew talked about related issues at SambaXP but I must not have been
> paying good enough attention...
>
> certifried is mentioned in his keynote (
> https://www.samba.org/~abartlet/Kawaiicon-2022-kerberos-smaller.pdf) and
> again in Samba bug #14833 (https://bugzilla.samba.org/show_bug.cgi?id=14833
> ).
>
> It's my understanding that when using PKINIT (smart card logon) one is
> vulnerable to certifried even though AD CS is not used if the certificate
> authority responsible for issuing the certificates used for PKINIT is
> somehow tricked to sign or otherwise generate a "bad" certificate. If the
> CA is not part of the same organizational unit as the one that is managing
> the Samba AD forest they might even be unaware of the security implications
> of issuing a certificate that can be misused in a certifried attack.
>
> For reference here is the CVE disclosure;
>
https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
This is all correct.  Work to secure this will need development time
(either funding or direct engineering).
Sorry,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
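As an added illustration of the distinction the thread turns on (not code from the thread, from Samba or from Microsoft), the toy model below replays the certifried path and compares a weak, SAN-based certificate mapping with the strong, SID-bound mapping that KB5014754 enforces. The accounts, host names, SIDs, issuer names and serial numbers are all constructed; the only real identifier is the SID extension OID 1.3.6.1.4.1.311.25.2 (szOID_NTDS_CA_SECURITY_EXT).

```python
"""
Toy model of PKINIT certificate-to-account mapping: the certifried
(CVE-2022-26923) path against a weak (SAN dNSName) mapping, versus the
strong (SID-bound or explicit issuer+serial) mapping from KB5014754.

Added illustration only; not Samba or Windows code. Every account, host
name, SID, issuer and serial number below is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Real OID of the Microsoft SID extension (szOID_NTDS_CA_SECURITY_EXT)
# that KB5014754-updated CAs embed in the certificates they issue.
SID_EXT_OID = "1.3.6.1.4.1.311.25.2"
ISSUER = "CN=Corp Issuing CA"  # constructed issuer name


@dataclass
class Account:
    sam: str
    sid: str
    dns_host_name: Optional[str] = None
    # altSecurityIdentities values, e.g. "X509:<I>CN=Corp Issuing CA<SR>0c0b0a"
    alt_security_identities: List[str] = field(default_factory=list)


@dataclass
class Cert:
    issuer: str
    serial_hex: str
    san_dns: Optional[str]
    extensions: Dict[str, str] = field(default_factory=dict)


class Directory:
    def __init__(self, accounts: List[Account]):
        self.accounts = {a.sam: a for a in accounts}

    def by_dns(self, name: Optional[str]) -> Optional[Account]:
        return next((a for a in self.accounts.values()
                     if name and a.dns_host_name == name), None)

    def by_sid(self, sid: str) -> Optional[Account]:
        return next((a for a in self.accounts.values() if a.sid == sid), None)


def enroll(requester: Account, serial_hex: str, embed_sid: bool) -> Cert:
    """Machine-template style issuance: the SAN dNSName is copied from the
    requester's dNSHostName. A KB5014754 CA also embeds the requester's SID."""
    ext = {SID_EXT_OID: requester.sid} if embed_sid else {}
    return Cert(ISSUER, serial_hex, requester.dns_host_name, ext)


def weak_map(d: Directory, cert: Cert) -> Optional[Account]:
    """Weak mapping: whoever owns the dNSHostName in the SAN is the principal."""
    return d.by_dns(cert.san_dns)


def strong_map(d: Directory, cert: Cert) -> Optional[Account]:
    """Strong mapping: bind to the SID the CA embedded, or to an explicit
    issuer+serial altSecurityIdentities entry; never to the SAN alone."""
    sid = cert.extensions.get(SID_EXT_OID)
    if sid is not None:
        return d.by_sid(sid)
    # KB5014754 writes the serial in reversed byte order inside <SR>.
    reversed_serial = bytes.fromhex(cert.serial_hex)[::-1].hex()
    needle = f"X509:<I>{cert.issuer}<SR>{reversed_serial}"
    return next((a for a in d.accounts.values()
                 if needle in a.alt_security_identities), None)


def certifried_demo() -> Dict[str, Optional[str]]:
    """A low-privileged machine account temporarily takes the DC's
    dNSHostName, enrolls, reverts, then authenticates with the certificate."""
    dc = Account("DC01$", "S-1-5-21-1-2-3-1000", "dc01.corp.example")
    ws = Account("WS01$", "S-1-5-21-1-2-3-1105", "ws01.corp.example")
    d = Directory([dc, ws])

    ws.dns_host_name = "dc01.corp.example"                # validated write
    legacy_cert = enroll(ws, "0a0b0c", embed_sid=False)   # pre-patch CA
    patched_cert = enroll(ws, "0a0b0d", embed_sid=True)   # KB5014754 CA
    ws.dns_host_name = "ws01.corp.example"                # cover tracks

    def sam(a: Optional[Account]) -> Optional[str]:
        return a.sam if a else None

    return {
        "weak": sam(weak_map(d, legacy_cert)),             # escalates to DC01$
        "strong_no_sid": sam(strong_map(d, legacy_cert)),  # no binding: rejected
        "strong_sid": sam(strong_map(d, patched_cert)),    # stays WS01$
    }


def external_ca_demo() -> Optional[str]:
    """A smart-card cert from a CA outside the forest carries no SID
    extension; it only maps if the account has an explicit strong entry."""
    alice = Account("alice", "S-1-5-21-1-2-3-1200",
                    alt_security_identities=["X509:<I>CN=External CA<SR>030201"])
    d = Directory([alice])
    cert = Cert("CN=External CA", "010203", san_dns=None)
    acct = strong_map(d, cert)
    return acct.sam if acct else None
```

The `weak_map` result is the certifried outcome: the certificate issued to WS01$ authenticates as DC01$ because nothing in it ties it to the requester. With the SID extension present, `strong_map` binds the same certificate back to WS01$ regardless of what the SAN says; without it (a CA that does not embed the SID, such as one run by another organization), the certificate maps to nothing unless the account carries an explicit issuer+serial altSecurityIdentities entry, which is the remediation path for the smart-card case raised in the question.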