== Subject:     Samba AD users can bypass certain restrictions
==              associated with changing passwords.
== CVE ID#:     CVE-2022-2031
== Versions:    All versions of Samba prior to 4.16.4
== Summary:     The KDC and the kpasswd service share a single account
==              and set of keys, allowing them to decrypt each other's
==              tickets. A user who has been requested to change their
==              password can exploit this to obtain and use tickets to
==              other services.


The KDC and the kpasswd service share a single account and set of
keys. In certain cases, this makes the two services susceptible to

When a user's password has expired, that user is requested to change
their password. Until doing so, the user is restricted to only
acquiring tickets to kpasswd.

However, a vulnerability meant that the kpasswd's principal, when
canonicalized, was set to that of the TGS (Ticket-Granting Service),
thus yielding TGTs from ordinary kpasswd requests. These TGTs could be
used to perform an Elevation of Privilege attack by obtaining service
tickets and using services in the forest. This vulnerability existed
in versions of Samba built with Heimdal Kerberos.

A separate vulnerability in Samba versions below 4.16, and in Samba
built with MIT Kerberos, led the KDC to accept kpasswd tickets as if
they were TGTs, with the same overall outcome.

On the reverse side of the issue, password changes could be effected
by presenting TGTs as if they were kpasswd tickets. TGTs having
potentially longer lifetimes than kpasswd tickets, the value of a
stolen cache containing a TGT was hence increased to an attacker, with
the possibility of indefinite control over an account by means of a
password change.

Finally, kpasswd service tickets would be accepted for changes to
one's own password, contrary to the requirement that tickets be
acquired with an initial KDC request in such cases.

As part of the mitigations, the lifetime of kpasswd tickets has been
restricted to a maximum of two minutes. The KDC will not longer accept
TGTs with two minutes or less left to live, to make sure it does not
accept kpasswd tickets.

Patch Availability

Patches addressing these issues have been posted to:

Additionally, Samba 4.16.4, 4.15.9, and 4.14.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)


kpasswd is not a critical protocol for the AD DC in most installations, it can
be disabled by setting "kpasswd port = 0" in the smb.conf.


Originally reported by Luke Howard.

Patches provided by Joseph Sutton and Andreas Schneider of the Samba

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team