Bug 49490 - Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
Status: CLOSED DUPLICATE of bug 49432
Product: UCS
Classification: Unclassified
Component: Samba4
UCS 4.4
Other Linux
: P5 normal (vote)
: ---
Assigned To: Erik Damrose
Felix Botner
https://www.samba.org/samba/security/...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-05-16 13:35 CEST by Christian Völker
Modified: 2019-06-04 13:53 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Ticket number: 2019051621000637
Bug group (optional):
Max CVSS v3 score: 7.5


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Völker univentionstaff 2019-05-16 13:35:35 CEST
The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal.

Request to include the patch in UCS Samba4.
Comment 1 Felix Botner univentionstaff 2019-05-16 13:42:13 CEST
Samba 4.10.1 (with patch for CVE-2018-16860) is to be released with Bug #49479 for UCS 4.3-4.

*** This bug has been marked as a duplicate of bug 49479 ***
Comment 2 Erik Damrose univentionstaff 2019-05-16 13:49:37 CEST
Correction: This is already fixed in UCS.

Fix for UCS 4.4 is: http://errata.software-univention.de/ucs/4.4/91.html (bug 49432)
Fix for UCS 4.3 is: http://errata.software-univention.de/ucs/4.3/497.html (bug 49433)

*** This bug has been marked as a duplicate of bug 49432 ***
Comment 3 Felix Botner univentionstaff 2019-05-16 17:28:33 CEST
OK