[Samba] CVE-2022-26923 (aka certifried)

Andrew Bartlett abartlet at samba.org
Tue Nov 22 17:49:57 UTC 2022

On Tue, 2022-11-22 at 18:33 +0100, Kacper via samba wrote:
> Hello!
> Is Samba vulnerable to the attack laid out in CVE-2022-26923? Are there
> any plans to do what Microsoft did with KB5014754 and drop support for weak
> certificate mappings?
> I know Andrew talked about related issues at SambaXP but I must not have
> been paying good enough attention...
> certifried is mentioned in his keynote
> (https://www.samba.org/~abartlet/Kawaiicon-2022-kerberos-smaller.pdf) and
> again in Samba bug #14833 (https://bugzilla.samba.org/show_bug.cgi?id=14833).
> It's my understanding that when using PKINIT (smart card logon) one is
> vulnerable to certifried even though AD CS is not used if the certificate
> authority responsible for issuing the certificates used for PKINIT is
> somehow tricked to sign or otherwise generate a "bad" certificate. If the
> CA is not part of the same organizational unit as the one that is managing
> the Samba AD forest they might even be unaware of the security implications
> of issuing a certificate that can be misused in a certifried attack.
> For reference here is the CVE disclosure;
> https://research.ifcr.dk/certifried-active-directory-domain-privilege-escalation-cve-2022-26923-9e098fe298f4

This is all correct.  Work to secure this will need development time
(either funding or direct engineering).


Andrew Bartlett

Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Developer, Catalyst IT https://catalyst.net.nz/services/samba
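
As an added illustration (example code written for this page, not Samba code
and not part of the original thread), the following Python models the
difference Kacper is asking about: a KDC that maps a PKINIT certificate to an
account by the hostname the CA copied into the SAN (the weak mapping that the
certifried write-up abuses) versus one that requires the SID certificate
extension KB5014754 introduced and binds the certificate to that objectSid.
The directory, the DC01$/EVIL$ accounts, the hostnames and the certificate
objects are all constructed here; the only real identifier is the OID of
Microsoft's SID extension (szOID_NTDS_CA_SECURITY_EXT, 1.3.6.1.4.1.311.25.2).

```python
# Added example, not Samba code: toy model of weak (name-based) versus strong
# (SID-based) certificate-to-account mapping at a KDC performing PKINIT.
# Accounts, hostnames and certificates below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# OID of Microsoft's certificate extension carrying the requester's objectSid
# (szOID_NTDS_CA_SECURITY_EXT). KB5014754 strong mapping depends on it.
OID_NTDS_CA_SECURITY_EXT = "1.3.6.1.4.1.311.25.2"


@dataclass
class Account:
    sam_account_name: str
    object_sid: str
    dns_host_name: str          # writable by the account's creator in AD
    is_domain_controller: bool = False


@dataclass
class Certificate:
    # dNSName SAN entries; a "Machine"-style template copies them from the
    # requesting account's dNSHostName attribute.
    san_dns_names: List[str]
    # OID -> value; the SID extension lives here if the CA added it.
    extensions: Dict[str, str] = field(default_factory=dict)


# Constructed directory: the real DC, and a machine account created by a
# low-privileged user whose dNSHostName has been pointed at the DC's name.
DIRECTORY = [
    Account("DC01$", "S-1-5-21-1-1-1-1000", "dc01.example.test",
            is_domain_controller=True),
    Account("EVIL$", "S-1-5-21-1-1-1-1105", "dc01.example.test"),
]


def issue_machine_certificate(requester: Account, embed_sid: bool) -> Certificate:
    """Model of the CA: the SAN is copied from the (attacker-controlled)
    dNSHostName. Only an updated CA embeds the requester's SID."""
    cert = Certificate(san_dns_names=[requester.dns_host_name])
    if embed_sid:
        cert.extensions[OID_NTDS_CA_SECURITY_EXT] = requester.object_sid
    return cert


def map_weak(cert: Certificate, directory: List[Account]) -> Optional[Account]:
    """Weak mapping: trust the hostname in the SAN and return the account whose
    dNSHostName matches. Which account wins a collision is an implementation
    detail; the defect is that an attacker-writable attribute decides it."""
    for name in cert.san_dns_names:
        for acct in directory:
            if acct.dns_host_name.lower() == name.lower():
                return acct
    return None


def map_strong(cert: Certificate, directory: List[Account]) -> Optional[Account]:
    """Strong mapping: require the SID extension and bind to that objectSid.
    A certificate without the extension is rejected rather than falling back
    to name matching, so the SAN hostname no longer chooses the account."""
    sid = cert.extensions.get(OID_NTDS_CA_SECURITY_EXT)
    if sid is None:
        return None
    for acct in directory:
        if acct.object_sid == sid:
            return acct
    return None


if __name__ == "__main__":
    attacker = DIRECTORY[1]
    legacy_cert = issue_machine_certificate(attacker, embed_sid=False)
    print("weak mapping  ->", map_weak(legacy_cert, DIRECTORY).sam_account_name)
    print("strong mapping (no SID ext) ->", map_strong(legacy_cert, DIRECTORY))
    updated_cert = issue_machine_certificate(attacker, embed_sid=True)
    print("strong mapping (SID ext) ->",
          map_strong(updated_cert, DIRECTORY).sam_account_name)
```

With the legacy certificate the weak mapping resolves the attacker's
certificate to DC01$, which is the privilege escalation the thread is about;
the strong mapping rejects that same certificate outright, and once the CA
embeds the SID it resolves to EVIL$ regardless of what the SAN claims. This
also shows why Kacper's point about the CA matters: a CA outside the team that
runs the directory has to be updated to emit the extension before the KDC can
stop honouring the weak mapping.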
