[cifs-protocol] [EXTERNAL] Re: Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 - TrackingID#2205110040000723

Obaid Farooqi obaidf at microsoft.com
Tue May 31 19:32:44 UTC 2022


Hi Andrew:
In addition to MS-WCCE and MS-CRTD, MS-PKCA was modified for CVE-2022-26931. The changes are published as errata. You can find the changes here:
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/85d75079-92de-47e6-a1c1-7e4fd7f27a10

No changes were made to any AD related documents.
Please let me know if this does not answer your question.

Regards,
Obaid Farooqi
Escalation Engineer | Microsoft 

-----Original Message-----
From: Andrew Bartlett <abartlet at samba.org> 
Sent: Wednesday, May 25, 2022 6:36 PM
To: Obaid Farooqi <obaidf at microsoft.com>
Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Obaid Farooqi <obaidf at microsoftsupport.com>; Tom Devey <Tom.Devey at microsoft.com>
Subject: [EXTERNAL] Re: Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 - TrackingID#2205110040000723

Thanks so much.  The CVE is listed as being for "Windows Kerberos". 

Are there any updates public for MS-KILE and MS-ADTS for CVE-2022-26931 and CVE-2022-26923 yet?

I realise the balance on disclosure here, but it would be awesome to have the canonical protocol changes documented before my SambaXP talk next week - 31 May - so I can talk about it more freely and concretely given there are now public exploits for what they are calling "Certifried" (the dnsHostName version of the attack).

https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

I'm particularly interested in more details on the cryptic line in
https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16

> Additionally, conflicts between User Principal Names (UPN) and 
> sAMAccountName introduced other emulation (spoofing) vulnerabilities 
> that we also address with this security update.

Did Microsoft follow Samba and make implicit UPNs (from samAccountName) have to be unique against userPrincipalName attributes or is this just a note that there are still dragons here?

Thanks!

Andrew Bartlett

On Thu, 2022-05-12 at 18:20 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> The Errata is updated for the CVE-2022-26931. The links to changes are 
> as follows:
> 
> *	MS-CRTD: [MS-WINERRATA]: Certificate Templates Structure | Microsoft Docs
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/6898053e-8726-4209-ade2-37f8b0474c99
> 
> 
> *	MS-WCCE: [MS-WINERRATA]: Windows Client Certificate Enrollment Protocol | Microsoft Docs
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/c39fd72a-da21-4b13-b329-c35d61f74a60
> 
> Please try these links and let us know if you still can't see the 
> changes.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
> 
> -----Original Message-----
> From: Sreekanth Nadendla <srenaden at microsoft.com>
> Sent: Tuesday, May 10, 2022 9:09 PM
> To: Andrew Bartlett <abartlet at samba.org>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> Subject: Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 - TrackingID#2205110040000723
> 
> Dochelp in Bcc
> 
> Hello Andrew, thank you for your question about open specifications 
> concerning CVE-2022-26931. We have created incident 2205110040000723 
> to track the investigation for this issue.
> 
> Regards,
> Sreekanth Nadendla
> Microsoft Windows Open Specifications
> 
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Tuesday, May 10, 2022 5:39 PM
> To: Interoperability Documentation Help <dochelp at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> Subject: [EXTERNAL] Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> 
> Kia Ora Dochelp,
> 
> Can you please point me at the protocol Doc updates for CVE-2022-26931 please, as no errata is showing at
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winprotlp/8a9c667b-2825-46a8-8066-a80681233c33
> and I believe it is important for Samba to be able to mitigate this issue also.
> 
> Thanks!
> 
> Andrew Bartlett
> --
> Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org/
> Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> 
> Samba Development and Support, Catalyst IT - Expert Open Source 
> Solutions
> 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org/
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source Solutions



