[cifs-protocol] Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 - TrackingID#2205110040000723

Andrew Bartlett abartlet at samba.org
Wed May 25 23:36:06 UTC 2022


Thanks so much.  The CVE is listed as being for "Windows Kerberos". 

Are there any updates public for MS-KILE and MS-ADTS for CVE-2022-26931 
and CVE-2022-26923 yet?

I realise the balance on disclosure here, but it would be awesome to
have the canonical protocol changes documented before my SambaXP talk
next week - 31 May - so I can talk about it more freely and concretely
given there are now public exploits for what they are calling
"Certifried" (the dnsHostName version of the attack). 

https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

I'm particularly interested in more details on the cryptic line in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

> Additionally, conflicts between User Principal Names (UPN) and
> sAMAccountName introduced other emulation (spoofing) vulnerabilities
> that we also address with this security update.

Did Microsoft follow Samba and make implicit UPNs (from samAccountName)
have to be unique against userPrincipalName attributes or is this just
a note that there are still dragons here?

Thanks!

Andrew Bartlett

On Thu, 2022-05-12 at 18:20 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> The Errata is updated for the CVE-2022-26931. The links to changes
> are as follows:
> 
> *	MS-CRTD: [MS-WINERRATA]: Certificate Templates Structure |
> Microsoft Docs
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/6898053e-8726-4209-ade2-37f8b0474c99
> 
> 
> *	MS-WCCE: [MS-WINERRATA]: Windows Client Certificate Enrollment
> Protocol | Microsoft Docs
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/c39fd72a-da21-4b13-b329-c35d61f74a60
> 
> Please try these links and let us know if you still can't see the
> changes.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Sreekanth Nadendla <srenaden at microsoft.com> 
> Sent: Tuesday, May 10, 2022 9:09 PM
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> Subject: Can I please get any doc updates for 
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> - TrackingID#2205110040000723
> 
> Dochelp in Bcc
> 
> Hello Andrew, thank you for your question about open specifications
> concerning CVE-2022-26931. We have created incident 2205110040000723
> to track the investigation for this issue.
> 
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
> 
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Tuesday, May 10, 2022 5:39 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> Subject: [EXTERNAL] Can I please get any doc updates for 
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> 
> Kia Ora Dochelp,
> 
> Can you please point me at the protocol Doc updates for
> CVE-2022-26931 please, as no errata is showing at
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winprotlp/8a9c667b-2825-46a8-8066-a80681233c33
> and I believe it is important for Samba to be able to mitigate this
> issue also.
> 
> Thanks!
> 
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org/
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> 
> Samba Development and Support, Catalyst IT - Expert Open Source
> Solutions
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions



