[38846] in Kerberos
Re: CVE-2020-17049
daemon@ATHENA.MIT.EDU (James Ralston)
Tue Nov 17 14:23:00 2020
From: James Ralston <ralston@pobox.com>
Date: Tue, 17 Nov 2020 14:19:56 -0500
To: kerberos@mit.edu
On Mon, Nov 16, 2020 at 10:48 AM Luke Hebert <lhebert@cloudera.com> wrote:
> We've just started encountering problems at customer sites with
> Kerberos enabled clients as a result of how Microsoft appears to be
> approaching CVE-2020-17049
> <https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17049>. The
> details on this CVE are slim on Mitre and there is a small amount of
> additional information on the microsoft portal. I thought I'd ask
> the list what their thoughts are on what is being done here.
> Disabling service ticket and tgt renewability is not great and it
> obviously breaks long running processes that rely on renewability of
> these items.
I believe we are being bitten by this change as well. Here’s what we
see.
I perform an initial kinit, and request a renewable ticket:
$ kinit username@EXAMPLE.ORG
Password for username@EXAMPLE.ORG:
As klist shows, the ticket is renewable:
$ klist -f
Ticket cache: KCM:2000:78917
Default principal: username@EXAMPLE.ORG
Valid starting       Expires              Service principal
2020-11-13 13:15:57  2020-11-14 13:15:50  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
        renew until 2020-11-20 13:15:50, Flags: FRIA
Decoding the Flags field:
+------+------------------+
| flag | meaning |
+------+------------------+
| F | Forwardable |
| R | Renewable |
| I | Initial |
| A | preAuthenticated |
+------+------------------+
But attempting to renew this ticket throws an error:
$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials
From packet tracing, the TGS-REQ packet contains the following options:
kdc-options: 40800002
.1.. .... = forwardable: True
1... .... = renewable: True
.... ..1. = renew: True
This is exactly what a renewal request should contain: a renew request
(renew: True) using a non-expired renewable ticket (renewable: True).
But the reply from the server is KRB-ERROR, and contains:
krb-error
msg-type: krb-error (30)
error-code: eRR-BADOPTION (13)
Curiously, we have multiple AD realms, and not all of them show this
problem, despite the fact that our Windows admins assert that all
realms received the Microsoft updates that contain the fix for
CVE-2020-17049.
I’ve asked our Windows admins to enumerate what the
PerformTicketSignature registry keys are set to for all of our DCs,
for all realms.
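Added example, not part of the message above: a small decoder for the two pieces of evidence in the post, the TGS-REQ kdc-options bit string (RFC 4120 section 5.4.1 bit numbering, where bit 0 is the most significant bit of the first octet) and the klist -f flag letters, plus a check that a renewal request is well-formed from the client's side. The function names and the KDC_ERR_BADOPTION reading in the docstring are my own; the bit and letter tables are from RFC 4120 and MIT klist.

```python
from datetime import datetime

# kdc-options bit numbers from RFC 4120 section 5.4.1.  The field is an ASN.1
# BIT STRING, so 0x40800002 sets bits 1, 8 and 30, matching the packet trace.
KDC_OPTION_BITS = {
    1: "forwardable", 2: "forwarded", 3: "proxiable", 4: "proxy",
    5: "allow-postdate", 6: "postdated", 8: "renewable",
    11: "opt-hardware-auth", 26: "disable-transited-check",
    27: "renewable-ok", 28: "enc-tkt-in-skey", 30: "renew", 31: "validate",
}

# Flag letters printed by MIT klist -f.
KLIST_FLAGS = {
    "F": "forwardable", "f": "forwarded", "P": "proxiable", "p": "proxy",
    "D": "postdateable", "d": "postdated", "R": "renewable", "I": "initial",
    "i": "invalid", "H": "hardware-authenticated", "A": "preauthenticated",
    "T": "transit-policy-checked", "O": "ok-as-delegate", "a": "anonymous",
}

KLIST_TIME = "%Y-%m-%d %H:%M:%S"  # timestamp format used in klist output


def decode_kdc_options(value: int) -> list[str]:
    """Names of the set kdc-options bits, in ascending RFC 4120 bit order."""
    return [KDC_OPTION_BITS.get(bit, f"bit{bit}")
            for bit in range(32) if value & (1 << (31 - bit))]


def decode_klist_flags(flags: str) -> list[str]:
    """Expand a klist flag string such as 'FRIA' into flag names."""
    return [KLIST_FLAGS.get(ch, f"unknown({ch})") for ch in flags]


def check_renewal(kdc_options: int, klist_flags: str,
                  now: str, renew_until: str) -> list[str]:
    """Reasons, visible from the client's own evidence, why a renewal could
    legitimately fail.  An empty list means the request is well-formed, so a
    KRB-ERROR such as KDC_ERR_BADOPTION (13) reflects KDC-side policy rather
    than a defect in the request."""
    problems = []
    opts = decode_kdc_options(kdc_options)
    tkt = decode_klist_flags(klist_flags)
    if "renew" not in opts:
        problems.append("TGS-REQ does not set the renew option")
    if "renewable" not in tkt:
        problems.append("ticket being renewed is not renewable")
    if "invalid" in tkt:
        problems.append("ticket is marked invalid (postdated, not yet validated)")
    if datetime.strptime(now, KLIST_TIME) >= datetime.strptime(renew_until, KLIST_TIME):
        problems.append("renew-till time has passed")
    return problems
```

Run against the values in the post (0x40800002, flags FRIA, renew until 2020-11-20 13:15:50), check_renewal returns no problems, which is the author's point: the BADOPTION error is not explained by the request itself.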
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos