[cifs-protocol] [EXTERNAL] Re: Can I please get any doc updates for https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931 - TrackingID#2205110040000723

Andrew Bartlett abartlet at samba.org
Tue May 31 20:43:18 UTC 2022


Thanks!

Yes, that was the detail I was looking for on the Kerberos/PKINIT side
of things.

Andrew Bartlett

On Tue, 2022-05-31 at 19:32 +0000, Obaid Farooqi wrote:
> Hi Andrew:
> In addition to MS-WCCE and MS-CRTD, MS-PKCA was modified for
> CVE-2022-26931. The changes are published as errata. You can find the
> changes here:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/85d75079-92de-47e6-a1c1-7e4fd7f27a10
> 
> No changes were made to any AD related documents.
> Please let me know if this does not answer your question.
> 
> Regards,
> Obaid Farooqi
> Escalation Engineer | Microsoft 
> 
> -----Original Message-----
> From: Andrew Bartlett <abartlet at samba.org> 
> Sent: Wednesday, May 25, 2022 6:36 PM
> To: Obaid Farooqi <obaidf at microsoft.com>
> Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>; Obaid
> Farooqi <obaidf at microsoftsupport.com>; Tom Devey <
> Tom.Devey at microsoft.com>
> Subject: [EXTERNAL] Re: Can I please get any doc updates for 
> https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> - TrackingID#2205110040000723
> 
> Thanks so much.  The CVE is listed as being for "Windows Kerberos". 
> 
> Are there any updates public for MS-KILE and MS-ADTS for
> CVE-2022-26931 and CVE-2022-26923 yet?
> 
> I realise the balance on disclosure here, but it would be awesome to
> have the canonical protocol changes documented before my SambaXP talk
> next week - 31 May - so I can talk about it more freely and
> concretely given there are now public exploits for what they are
> calling "Certifried" (the dnsHostName version of the attack).
> 
> https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4
> 
> I'm particularly interested in more details on the cryptic line in
> https://support.microsoft.com/en-us/topic/kb5014754-certificate-based-authentication-changes-on-windows-domain-controllers-ad2c23b0-15d8-4340-a468-4d4f3b188f16
> 
> > Additionally, conflicts between User Principal Names (UPN) and
> > sAMAccountName introduced other emulation (spoofing) vulnerabilities
> > that we also address with this security update.
> 
> Did Microsoft follow Samba and make implicit UPNs (from
> samAccountName) have to be unique against userPrincipalName
> attributes or is this just a note that there are still dragons here?
> 
> Thanks!
> 
> Andrew Bartlett
> 
> On Thu, 2022-05-12 at 18:20 +0000, Obaid Farooqi wrote:
> > Hi Andrew:
> > The Errata is updated for the CVE-2022-26931. The links to changes
> > are as follows:
> > 
> > * MS-CRTD: [MS-WINERRATA]: Certificate Templates Structure |
> > Microsoft Docs
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/6898053e-8726-4209-ade2-37f8b0474c99
> > 
> > 
> > * MS-WCCE: [MS-WINERRATA]: Windows Client Certificate Enrollment
> > Protocol | Microsoft Docs
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winerrata/c39fd72a-da21-4b13-b329-c35d61f74a60
> > 
> > Please try these links and let us know if you still can't see the
> > changes.
> > 
> > Regards,
> > Obaid Farooqi
> > Escalation Engineer | Microsoft
> > 
> > -----Original Message-----
> > From: Sreekanth Nadendla <srenaden at microsoft.com>
> > Sent: Tuesday, May 10, 2022 9:09 PM
> > To: Andrew Bartlett <abartlet at samba.org>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > Subject: Can I please get any doc updates for
> > https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> > - TrackingID#2205110040000723
> > 
> > Dochelp in Bcc
> > 
> > Hello Andrew, thank you for your question about open specifications
> > concerning CVE-2022-26931. We have created incident 2205110040000723
> > to track the investigation for this issue.
> > 
> > Regards,
> > Sreekanth Nadendla
> > Microsoft Windows Open Specifications
> > 
> > -----Original Message-----
> > From: Andrew Bartlett <abartlet at samba.org>
> > Sent: Tuesday, May 10, 2022 5:39 PM
> > To: Interoperability Documentation Help <dochelp at microsoft.com>
> > Cc: cifs-protocol mailing list <cifs-protocol at lists.samba.org>
> > Subject: [EXTERNAL] Can I please get any doc updates for
> > https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-26931
> > 
> > Kia Ora Dochelp,
> > 
> > Can you please point me at the protocol Doc updates for
> > CVE-2022-26931 please, as no errata is showing at
> > https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-winprotlp/8a9c667b-2825-46a8-8066-a80681233c33
> > and I believe it is important for Samba to be able to mitigate this
> > issue also.
> > 
> > Thanks!
> > 
> > Andrew Bartlett
> > --
> > Andrew Bartlett (he/him)       https://samba.org/~abartlet/
> > Samba Team Member (since 2001) https://samba.org/
> > Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba
> > 
> > Samba Development and Support, Catalyst IT - Expert Open Source 
> > Solutions
> > 
-- 
Andrew Bartlett (he/him)       https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT   https://catalyst.net.nz/services/samba

Samba Development and Support, Catalyst IT - Expert Open Source
Solutions



