[cifs-protocol] [EXTERNAL] Re: Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 - TrackingID#2205110040000723
Andrew Bartlett
abartlet at samba.org
Tue May 31 20:43:18 UTC 2022
Thanks!
Yes, that was the detail I was looking for on the Kerberos/PKINIT side
of things.
Andrew Bartlett
On Tue, 2022-05-31 at 19:32 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> In addition to MS-WCCE and MS-CRTD, MS-PKCA was modified for
> CVE-2022-26931. The changes are published as errata. You can find the
> changes here:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/85d75079-92de-47e6-a1c1-7e4fd7f27a10
>
> No changes were made to any AD related documents.
> Please let me know if this does not answer your question.
>
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft
>
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org>
> Sent: Wednesday, May 25, 2022 6:36 PM
> To: Obaid Farooqi <obaidf at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Obaid
> Farooqi <obaidf at microsoftsupport.com>; Tom Devey <
> Tom.Devey at microsoft.com>
> Subject: [EXTERNAL] Re: Can I please get any doc updates for
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> - TrackingID#2205110040000723
>
> Thanks so much. The CVE is listed as being for "Windows Kerberos".
>
> Are there any updates public for MS-KILE and MS-ADTS for
> CVE-2022-26931 and CVE-2022-26923 yet?
>
> I realise the balance on disclosure here, but it would be awesome to
> have the canonical protocol changes documented before my SambaXP talk
> next week - 31 May - so I can talk about it more freely and
> concretely given there are now public exploits for what they are
> calling "Certifried" (the dnsHostName version of the attack).
>
> https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
>
> I'm particularly interested in more details on the cryptic line in
> https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
>
> > Additionally, conflicts between User Principal Names (UPN) and
> > sAMAccountName introduced other emulation (spoofing) vulnerabilities
> > that we also address with this security update.
>
> Did Microsoft follow Samba and make implicit UPNs (from
> samAccountName) have to be unique against userPrincipalName
> attributes or is this just a note that there are still dragons here?
>
> Thanks!
>
> Andrew Bartlett
>
> On Thu, 2022-05-12 at 18:20 +0000, Obaid Farooqi wrote:
> > Hi Andrew:
> > The Errata is updated for the CVE-2022-26931. The links to changes
> > are as follows:
> >
> > * MS-CRTD: [MS-WINERRATA]: Certificate Templates Structure | Microsoft Docs
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/6898053e-8726-4209-ade2-37f8b0474c99
> >
> >
> > * MS-WCCE: [MS-WINERRATA]: Windows Client Certificate Enrollment Protocol | Microsoft Docs
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/c39fd72a-da21-4b13-b329-c35d61f74a60
> >
> > Please try these links and let us know if you still can't see the
> > changes.
> >
> > Regards,
> > Obaid Farooqi
> > Escalation Engineer | Microsoft
> >
> > -----Original Message-----
> > From: Sreekanth Nadendla <srenaden at microsoft.com>
> > Sent: Tuesday, May 10, 2022 9:09 PM
> > To: Andrew Bartlett <abartlet at samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > Subject: Can I please get any doc updates for
> > https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> > - TrackingID#2205110040000723
> >
> > Dochelp in Bcc
> >
> > Hello Andrew, thank you for your question about open specifications
> > concerning CVE-2022-26931. We have created incident 2205110040000723
> > to track the investigation for this issue.
> >
> > Regards,
> > Sreekanth Nadendla
> > Microsoft Windows Open Specifications
> >
> > -----Original Message-----
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Tuesday, May 10, 2022 5:39 PM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > Subject: [EXTERNAL] Can I please get any doc updates for
> > https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> >
> > Kia Ora Dochelp,
> >
> > Can you please point me at the protocol Doc updates for
> > CVE-2022-26931 please, as no errata is showing at
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winprotlp/8a9c667b-2825-46a8-8066-a80681233c33
> > and I believe it is important for Samba to be able to mitigate this
> > issue also.
> >
> > Thanks!
> >
> > Andrew Bartlett
> > --
> > Andrew Bartlett (he/him)
> > https://samba.org/~abartlet/
> > Samba Team Member (since 2001)
> > https://samba.org/
> > Samba Team Lead, Catalyst IT
> > https://catalyst.net.nz/services/samba
> >
> > Samba Development and Support, Catalyst IT - Expert Open Source
> > Solutions
> >
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions