[freeipa PR#6076][opened] Harden PAC processing
by abbra
URL: https://github.com/freeipa/freeipa/pull/6076
Author: abbra
Title: #6076: Harden PAC processing
Action: opened
PR body:
"""
Implement suggestions outlined in https://www.samba.org/samba/security/CVE-2020-25721.html
> In order to avoid issues like CVE-2020-25717 AD Kerberos accepting
> services need access to unique, and ideally long-term stable
> identifiers of a user to perform authorization.
>
> The AD PAC provides this, but the most useful information is kept in a
> buffer which is NDR encoded, which means that so far in Free Software
> only Samba and applications which use Samba components under the hood
> like FreeIPA and SSSD decode the PAC.
>
> Recognising that the issues seen in Samba are not unique, Samba now
> provides an extension to UPN_DNS_INFO, a component of the AD PAC, in a
> way that can be parsed using basic pointer handling.
>
> From this, future non-Samba based Kerberised applications can easily obtain
> the user's SID, in the same packing as objectSID in LDAP, confident
> that the ticket represents a specific user, no matter subsequent
> renames.
>
> This will allow such non-Samba applications to avoid confusing one
> Kerberos user for another, even if they have the same string name (due
> to the gap between time of ticket printing by the KDC and time of
> ticket acceptance).
Implement PAC_UPN_DNS_INFO_EX, PAC_ATTRIBUTES_INFO, PAC_REQUESTER_SID, and other hardening improvements as suggested by Samba Team and Microsoft.
Additional information:
Microsoft: https://support.microsoft.com/en-us/topic/kb5008380-authentication-update...
Samba Team: https://www.samba.org/samba/latest_news.html#4.15.2
"""
To pull the PR as Git branch:
git remote add ghfreeipa https://github.com/freeipa/freeipa
git fetch ghfreeipa pull/6076/head:pr6076
git checkout pr6076