[krbdev.mit.edu #8982] Unable to renew ticket after CVE-2020-17049

Greg Hudson via RT rt at krbdev.mit.edu
Tue Feb 2 00:17:46 EST 2021


<URL: https://krbdev.mit.edu/rt/Ticket/Display.html?id=8982 >

I'm closing this as it isn't a bug in MIT krb5 or something we can work around,
but I'll describe what I understand of the situation and how I believe people
can work around it.

To address CVE-2020-17049, Microsoft added a third PAC signature field
containing a checksum of the ticket, to prevent a service from using its
knowledge of the ticket encryption key to modify the ticket containing the PAC.
When a ticket is renewed, the PAC ticket signature must be recomputed for the
new ticket. A non-updated KDC won't know to do this and will just blindly copy
the new PAC signature, which will not be valid for the new ticket.

The CVE fix comes with a three-valued setting PerformTicketSignature. At value
0 nothing changes (and the security issue isn't fixed), at value 1 the new
signature is added but not required, and at value 2 it is required. The idea is
that you can set it to 1 while you are incrementally upgrading your KDCs and
waiting for tickets to expire, and then to 2.

Because PerformTicketSignature=1 admits the possibility of non-updated KDCs in
the realm which might not process the ticket signature correctly during
renewal, Microsoft chose to simply not issue renewable tickets at this setting.
We believe that, at a minimum, this could have been done in a more targeted
fashion. The PAC ticket signature is not required or included in TGTs, and the
vast majority of renewal operations are done on TGTs, so they could have
continued to issue renewable TGTs (with no PAC ticket signature) but not
renewable service tickets. We have pointed this out to Microsoft and received
tentative agreement, but we don't know if they will make any changes to the
code.

At PerformTicketSignature=2, all KDCs in the realm are assumed to properly
handle the PAC ticket signature, and therefore the KDCs will once again be
willing to issue renewable tickets. So, to work around this problem, finish
upgrading all of the realm's KDCs and set PerformTicketSignature=2.

More at:
https://support.microsoft.com/en-us/topic/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049-569d60b7-3267-e2b0-7d9b-e46d770332ab
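A small Python model of the renewal behaviour described in this ticket (added here as an illustration; it is not code from MIT krb5 or Microsoft and does not implement the real MS-PAC layout): a KDC at PerformTicketSignature=1 refuses renewable tickets, an updated KDC recomputes the ticket signature when it renews, and a non-updated KDC that blindly copies the old signature produces a ticket that fails verification at setting 2. The HMAC key and ticket fields are constructed stand-ins.

```python
import hmac
import hashlib
from dataclasses import dataclass, replace
from typing import Optional

# Constructed stand-in for the KDC's krbtgt key (not real Kerberos key material).
KDC_KEY = b"constructed-krbtgt-key"


@dataclass(frozen=True)
class Ticket:
    client: str
    service: str
    endtime: int
    renewable: bool
    ticket_sig: Optional[bytes]  # model of the third PAC checksum over the ticket


def ticket_body(t: Ticket) -> bytes:
    """The part of the ticket the PAC ticket signature covers (everything but the signature)."""
    return f"{t.client}|{t.service}|{t.endtime}|{t.renewable}".encode()


def sign_ticket(t: Ticket) -> Ticket:
    sig = hmac.new(KDC_KEY, ticket_body(t), hashlib.sha256).digest()
    return replace(t, ticket_sig=sig)


def issue(client: str, service: str, mode: int, endtime: int = 1000) -> Ticket:
    """Issue a service ticket under PerformTicketSignature value `mode` (0, 1 or 2).
    At mode 1 the signature is added but the KDC refuses to issue renewable tickets."""
    renewable = mode != 1
    t = Ticket(client, service, endtime, renewable, None)
    return sign_ticket(t) if mode >= 1 else t


def renew(t: Ticket, updated_kdc: bool, extra: int = 1000) -> Ticket:
    """Renew a ticket. An updated KDC recomputes the signature for the new ticket;
    a non-updated KDC copies the old signature, which no longer matches the new body."""
    if not t.renewable:
        raise ValueError("ticket is not renewable")
    new = replace(t, endtime=t.endtime + extra)
    return sign_ticket(new) if updated_kdc else new


def verify(t: Ticket, mode: int) -> bool:
    """Verify at PerformTicketSignature `mode`: a missing signature is tolerated below 2;
    a present signature is always checked (modelling choice, not a statement about Windows)."""
    if t.ticket_sig is None:
        return mode < 2
    expected = hmac.new(KDC_KEY, ticket_body(t), hashlib.sha256).digest()
    return hmac.compare_digest(expected, t.ticket_sig)
```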
