Bug 49490 - Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
Summary: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
Status: CLOSED DUPLICATE of bug 49432
Alias: None
Product: UCS
Classification: Unclassified
Component: Samba4
Version: UCS 4.4
Hardware: Other Linux
: P5 normal
Target Milestone: ---
Assignee: Erik Damrose
QA Contact: Felix Botner
URL: https://www.samba.org/samba/security/...
Keywords:
Depends on:
Blocks:
 
Reported: 2019-05-16 13:35 CEST by Christian Völker
Modified: 2019-06-04 13:53 CEST (History)
3 users (show)

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?: Yes
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2019051621000637
Bug group (optional):
Customer ID:
Max CVSS v3 score: 7.5

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Christian Völker univentionstaff 2019-05-16 13:35:35 CEST 
The checksum validation in the S4U2Self handler in the embedded Heimdal KDC did not first confirm that the checksum was keyed, allowing replacement of the requested target (client) principal.

Request to include the patch in UCS Samba4.
Comment 1 Felix Botner univentionstaff 2019-05-16 13:42:13 CEST 
Samba 4.10.1 (with patch for CVE-2018-16860) is to be released with Bug #49479 for UCS 4.3-4.

*** This bug has been marked as a duplicate of bug 49479 ***
Comment 2 Erik Damrose univentionstaff 2019-05-16 13:49:37 CEST 
Correction: This is already fixed in UCS.

Fix for UCS 4.4 is: http://errata.software-univention.de/ucs/4.4/91.html (bug 49432)
Fix for UCS 4.3 is: http://errata.software-univention.de/ucs/4.3/497.html (bug 49433)

*** This bug has been marked as a duplicate of bug 49432 ***
Comment 3 Felix Botner univentionstaff 2019-05-16 17:28:33 CEST 
OK