system/freebsd-src
system/freebsd-src
1
0
Fork 0
mirror of https://github.com/freebsd/freebsd-src synced 2024-07-23 19:28:36 +00:00
Code Issues Actions 2 Packages Projects Releases Wiki Activity
freebsd-src/crypto/heimdal
History
Cy Schubert 2433937749 Heimdal: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum 
Upstream's explanation of the problem:

    S4U2Self is an extension to Kerberos used in Active Directory to allow
    a service to request a kerberos ticket to itself from the Kerberos Key
    Distribution Center (KDC) for a non-Kerberos authenticated user
    (principal in Kerboros parlance). This is useful to allow internal
    code paths to be standardized around Kerberos.

    S4U2Proxy (constrained-delegation) is an extension of this mechanism
    allowing this impersonation to a second service over the network. It
    allows a privileged server that obtained a S4U2Self ticket to itself
    to then assert the identity of that principal to a second service and
    present itself as that principal to get services from the second
    service.

    There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
    KDC checks the checksum that is placed on the S4U2Self packet by the
    server to protect the requested principal against modification, it
    does not confirm that the checksum algorithm that protects the user
    name (principal) in the request is keyed.  This allows a
    man-in-the-middle attacker who can intercept the request to the KDC to
    modify the packet by replacing the user name (principal) in the
    request with any desired user name (principal) that exists in the KDC
    and replace the checksum protecting that name with a CRC32 checksum
    (which requires no prior knowledge to compute).

    This would allow a S4U2Self ticket requested on behalf of user name
    (principal) user@EXAMPLE.COM to any service to be changed to a
    S4U2Self ticket with a user name (principal) of
    Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
    the modified user name (principal).

Reported by:	emaste
Security:	CVE-2018-16860
Obtained from:	Upstream c6257cc2c
MFC after:	1 week
2024-02-15 13:27:54 -08:00
..
admin heimdal: Fix multiple security vulnerabilities 2022-11-15 13:12:37 -08:00
appl Correct three typos in manuals. 2024-01-04 21:35:25 +01:00
base
doc heimdal: Fix man page and documentation typos 2024-01-04 10:35:59 -08:00
etc
include
kadmin heimdal: Properly ix bus fault when zero-length request received 2022-12-09 06:09:54 -08:00
kcm Correct three typos in manuals. 2024-01-04 21:35:25 +01:00
kdc Heimdal: CVE-2018-16860 Heimdal KDC: Reject PA-S4U2Self with unkeyed checksum 2024-02-15 13:27:54 -08:00
kpasswd
kuser heimdal: Fix multiple security vulnerabilities 2022-11-15 13:12:37 -08:00
lib kerberos: Fix numerous segfaults when using weak crypto 2024-01-17 23:46:57 -08:00
tools
acinclude.m4
aclocal.m4
autogen.sh
ChangeLog
ChangeLog.1998
ChangeLog.1999
ChangeLog.2000
ChangeLog.2001
ChangeLog.2002
ChangeLog.2003
ChangeLog.2004
ChangeLog.2005
ChangeLog.2006
compile
config.guess
config.sub
configure
FREEBSD-Xlist
install-sh
krb5.conf
LICENSE
ltmain.sh
Makefile.am
Makefile.am.common
Makefile.in
missing
NEWS
README

README 

Heimdal is a Kerberos 5 implementation.

For information how to install see <http://www.h5l.org/compile.html>.

There are briefer man pages for most of the commands.

Bug reports and bugs are appreciated, see more under Bug reports in
the manual on how we prefer them: <heimdal-bugs@h5l.org>.

For more information see the web-page at
<http://www.h5l.org/> or the mailing lists:

heimdal-announce@sics.se	low-volume announcement
heimdal-discuss@sics.se		high-volume discussion

send a mail to heimdal-announce-request@sics.se and
heimdal-discuss-request@sics.se respectively to subscribe.