881497 – (CVE-2019-14870) [Tracker] Kerberos user attribute delegation mishandling

Bug 881497 (CVE-2019-14870) - [Tracker] Kerberos user attribute delegation mishandling

Summary: [Tracker] Kerberos user attribute delegation mishandling

Status:	RESOLVED FIXED

Alias:	CVE-2019-14870

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:
Whiteboard:
Keywords:

Depends on:	CVE-2019-14861 CVE-2021-44758, CVE-2022-3671, CVE-2022-41916, CVE-2022-44640, CVE-2022-44758
Blocks:
	Show dependency tree

Reported:	2022-11-16 15:23 UTC by John Helmert III
Modified:	2023-10-08 07:10 UTC (History)
CC List:	0 users

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description John Helmert III archtester

2022-11-16 15:23:05 UTC

CVE-2019-14870 (https://nvd.nist.gov/vuln/detail/CVE-2019-14870):
  All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x
  before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation
  model includes a feature allowing for a subset of clients to be opted out of
  constrained delegation in any way, either S4U2Self or regular Kerberos
  authentication, by forcing all tickets for these clients to be
  non-forwardable. In AD this is implemented by a user attribute
  delegation_not_allowed (aka not-delegated), which translates to
  disallow-forwardable. However the Samba AD DC does not do that for S4U2Self
  and does set the forwardable flag even if the impersonated client has the
  not-delegated flag set.