CVE-2016-2125
Find out more about CVE-2016-2125 from the MITRE CVE dictionary and NIST NVD.
CVSS v2 metrics
| Base Score | 4.3 |
|---|---|
| Base Metrics | AV:A/AC:M/Au:N/C:P/I:P/A:N |
| Access Vector | Adjacent Network |
| Access Complexity | Medium |
| Authentication | None |
| Confidentiality Impact | Partial |
| Integrity Impact | Partial |
| Availability Impact | None |
CVSS v3 metrics
| CVSS3 Base Score | 6.4 |
|---|---|
| CVSS3 Base Metrics | CVSS:3.0/AV:A/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
| Attack Vector | Adjacent Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | Required |
| Scope | Unchanged |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
Find out more about Red Hat support for the Common Vulnerability Scoring System (CVSS).
Red Hat Security Errata
| Platform | Errata | Release Date |
|---|---|---|
| Red Hat Enterprise Linux 6 (samba) | RHSA-2017:0662 | 2017-03-21 |
| Red Hat Gluster 3.2 Samba on RHEL-6 (samba) | RHSA-2017:0494 | 2017-03-23 |
| Red Hat Enterprise Linux 7 (samba) | RHSA-2017:1265 | 2017-05-22 |
| Red Hat Gluster 3.2 Samba on RHEL-7 (samba) | RHSA-2017:0495 | 2017-03-23 |
| Red Hat Enterprise Linux 6 (samba4) | RHSA-2017:0744 | 2017-03-21 |
Affected Packages State
| Platform | Package | State |
|---|---|---|
| Red Hat Gluster Storage 3.1 | samba | Will not fix |
| Red Hat Enterprise Linux 5 | samba | Will not fix |
| Red Hat Enterprise Linux 5 | samba3x | Will not fix |
Mitigation
The following mitigation is suggested by upstream.
The samba-tool command and the AD DC mode honour the undocumented "gensec_gssapi:delegation=no" option in the [global] section of the smb.conf file.
Controlling Kerberos forwarding
===============================
In the Active Directory world it's possible for administrators to
limit delegation. User and computer objects can both act as
Kerberos users and also as Kerberos services. Both types of objects have an
attribute called 'userAccountControl', which is a bitmask that controls the
behavior of the account. The following three values have an impact on possible
delegation:
0x00100000: UF_NOT_DELEGATED
The UF_NOT_DELEGATED flag can be used to disable the ability to get a forwardable
TGT for the account. It means the KDC will respond with an error if the client
asks for a forwardable ticket. The client typically gives up, removes the
GSS_C_DELEG_FLAG flag and continues without passing delegated credentials.
Administrators can use this to disable possible delegation for the most
privileged accounts (e.g. administrator accounts).
0x00080000: UF_TRUSTED_FOR_DELEGATION
If the UF_TRUSTED_FOR_DELEGATION flag is set on an account, a KDC will include
the OK_AS_DELEGATE flag in a granted service ticket. If the client application
uses just GSS_C_DELEG_POLICY_FLAG (instead of GSS_C_DELEG_FLAG), GSSAPI/Kerberos
libraries typically only include delegated credentials when the service ticket
includes the OK_AS_DELEGATE flag. Administrators can use this to control which
services will get delegated credentials, for example if the service runs in a
trusted environment and actually requires the presence of delegated
credentials.
0x01000000: UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION
The UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION flag is not really relevant for
this CVE and is just listed here for completeness. This flag is relevant for the
S4U2Proxy feature, where a service can ask the KDC for a proxied service
ticket which can impersonate users to other services.
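The following is an added audit example, not code from Red Hat or the Samba project: it decodes the three delegation-relevant userAccountControl bits described above, lists privileged accounts that still lack UF_NOT_DELEGATED, and checks whether an smb.conf [global] section carries the upstream-suggested gensec_gssapi:delegation=no option. The sample accounts, the "is_privileged" classification and the sample smb.conf are constructed for illustration; 0x200 (UF_NORMAL_ACCOUNT) and 0x1000 (UF_WORKSTATION_TRUST_ACCOUNT) are standard AD bits not listed on this page.

```python
import re

# Bit values exactly as listed in the upstream text above.
UF_TRUSTED_FOR_DELEGATION = 0x00080000
UF_NOT_DELEGATED = 0x00100000
UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION = 0x01000000

def delegation_posture(uac):
    """Decode the delegation-relevant bits of a userAccountControl value."""
    return {
        # KDC refuses a forwardable TGT, so nothing can be delegated from here.
        "tgt_not_forwardable": bool(uac & UF_NOT_DELEGATED),
        # Service tickets carry OK_AS_DELEGATE; GSS_C_DELEG_POLICY_FLAG
        # clients will hand credentials to this service.
        "ok_as_delegate": bool(uac & UF_TRUSTED_FOR_DELEGATION),
        # S4U2Proxy (constrained delegation); listed for completeness only.
        "s4u2proxy": bool(uac & UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION),
    }

def privileged_without_not_delegated(accounts):
    """Names of accounts marked privileged whose TGTs are still forwardable.
    `accounts` holds (name, userAccountControl, is_privileged) tuples; the
    privileged marker is the caller's own classification, not an AD attribute."""
    return [name for name, uac, priv in accounts
            if priv and not (uac & UF_NOT_DELEGATED)]

def mitigation_enabled(smb_conf):
    """True if the [global] section sets gensec_gssapi:delegation to no."""
    section, value = None, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # smb.conf comment lines
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "global" and "=" in line:
            key, _, val = line.partition("=")
            if key.strip().lower() == "gensec_gssapi:delegation":
                value = val.strip().lower()
    return value in ("no", "false", "0")   # Samba boolean spellings for "no"

# Constructed sample data (not from the advisory).
SAMPLE_ACCOUNTS = [
    ("administrator", 0x200 | UF_NOT_DELEGATED, True),
    ("svc-backup", 0x200, True),                          # privileged, still forwardable
    ("fileserver$", 0x1000 | UF_TRUSTED_FOR_DELEGATION, False),
]
SAMPLE_SMB_CONF = "[global]\n    workgroup = EXAMPLE\n    gensec_gssapi:delegation = no\n"

if __name__ == "__main__":
    print(privileged_without_not_delegated(SAMPLE_ACCOUNTS))  # ['svc-backup']
    print(mitigation_enabled(SAMPLE_SMB_CONF))                 # True
```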
