On November 8, 2022, Microsoft disclosed a significant vulnerability, tracked as CVE-2022-45141, that affects the Windows Kerberos implementation. This vulnerability, known as the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability, allows attackers who already have access to a vulnerable system to elevate their privileges. Samba Active Directory Domain Controllers (DCs) have also been found to be susceptible to this issue, which is alarming given the widespread use of Samba in various environments.

Original References

Microsoft's original disclosure of the vulnerability can be found here: Microsoft's Security Update Guide

A detailed explanation of the vulnerability, as well as steps to mitigate it, can be found here: Samba CVE-2022-45141 Advisory

Exploit Details

The root cause of this vulnerability lies in the way the Kerberos implementation defaults to the RC4-HMAC encryption algorithm for ticket-granting tickets (TGTs). Although RC4-HMAC is considered weak under RFC 8429, Samba Active Directory DCs continue to issue RC4-HMAC-encrypted tickets even when the target server supports stronger encryption types such as AES256-CTS-HMAC-SHA1-96.

Attackers can exploit this vulnerability by forging a Privilege Attribute Certificate (PAC) within the ticket, allowing them to elevate their privileges in the target system.

A vulnerable configuration can be identified by the following line in the smb.conf file:

kerberos encryption types = aes,rc4-hmac

This line indicates that Samba is configured to use both AES and RC4-HMAC encryption algorithms but defaults to RC4-HMAC when issuing tickets.

Mitigation Steps

To mitigate the CVE-2022-45141 vulnerability, administrators should ensure that Samba AD DCs only use strong encryption algorithms, such as AES, when issuing tickets. This can be achieved by updating the smb.conf file with the following line:

kerberos encryption types = aes

After updating the configuration file, administrators should restart the Samba services:

sudo systemctl restart samba-ad-dc
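The configuration check described above (the vulnerable line under Exploit Details and the AES-only line under Mitigation Steps), as an added POSIX shell example that is not from the original advisory or the Samba project. It audits the "kerberos encryption types" value in an smb.conf and, going beyond the page, also recognises the all/strong/legacy keywords that smb.conf(5) documents for this parameter; the sample configuration files and the assumption that an absent parameter falls back to the Samba default "all" are constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script (not from the Samba project or the original advisory).
# Reports whether an smb.conf still permits RC4-HMAC Kerberos tickets, based on
# the "kerberos encryption types" parameter discussed on this page.

# Print the effective (last) value of the parameter, lower-cased with whitespace
# removed. Samba parameter names are case-insensitive and may be indented.
krb_enctypes_value() {
    awk -F= '
        { name = $1; sub(/^[ \t]+/, "", name); sub(/[ \t]+$/, "", name) }
        tolower(name) == "kerberos encryption types" { v = $2 }
        END { gsub(/[ \t]/, "", v); print tolower(v) }
    ' "$1"
}

# Exit status: 0 = AES only (mitigated), 1 = RC4-HMAC permitted, 2 = parameter absent.
# Accepts the comma-separated form shown on this page ("aes", "aes,rc4-hmac") and
# the all/strong/legacy keywords documented in smb.conf(5) for the same parameter.
# Assumption: an absent parameter falls back to the Samba default "all".
check_rc4_allowed() {
    v=$(krb_enctypes_value "$1")
    case "$v" in
        "")         echo "$1: parameter absent, default applies (RC4-HMAC permitted)"; return 2 ;;
        aes|strong) echo "$1: AES only, RC4-HMAC disabled"; return 0 ;;
        *)          echo "$1: RC4-HMAC permitted or not AES-only ($v)"; return 1 ;;
    esac
}

# Constructed sample configurations for the demonstration.
VULN_CONF=$(mktemp); STRONG_CONF=$(mktemp); ABSENT_CONF=$(mktemp)
printf '[global]\n\tKerberos Encryption Types = aes, rc4-hmac\n' > "$VULN_CONF"
printf '[global]\n\tkerberos encryption types = strong\n' > "$STRONG_CONF"
printf '[global]\n\tserver role = active directory domain controller\n' > "$ABSENT_CONF"

# Demonstration run over the constructed files; the message states the verdict.
for f in "$VULN_CONF" "$STRONG_CONF" "$ABSENT_CONF"; do check_rc4_allowed "$f" || :; done
```

Run it against /etc/samba/smb.conf on each DC and treat any non-zero exit status as a finding to fix with the mitigation above.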

Conclusion

CVE-2022-45141 is a critical Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability that affects not only Windows systems but also Samba Active Directory Domain Controllers. As a result, it is essential for administrators to take the necessary mitigation steps in order to protect their systems from being exploited. Employing strong encryption algorithms, such as AES, is crucial in ensuring that the authentication process remains secure and resilient against attackers.

Timeline

Published on: 03/06/2023 23:15:00 UTC
Last modified on: 03/13/2023 18:05:00 UTC