Subject: Unable to renew ticket after CVE-2020-17049
To: krb5-bugs@mit.edu
From: "Morten Minde Neergaard" <m-krb@8d.no>
Date: Tue, 2 Feb 2021 00:05:39 +0100
Hi,

after Microsoft released their fix to CVE-2020-17049 a while back, I
can't renew my tickets made against upgraded Windows servers.

The details have apparently been reported to the kerberos mailing list
earlier[0] but I'll show the symptoms:

$ kinit
Password for username@DOMAIN:
$ klist -f
Ticket cache: FILE:/tmp/krb5cc_1116501893
Default principal: username@DOMAIN

Valid starting Expires Service principal
2021-02-01 23:57:41 2021-02-02 09:57:41 krbtgt/DOMAIN@DOMAIN
renew until 2021-02-02 23:57:37, Flags: RIA
$ kinit -R
kinit: KDC can't fulfill requested option while renewing credentials

If you need any further information, I can try to reproduce and help as
I can (although James Ralston, the author of the aforementioned email,
appears to know more about what he's talking about...)


[0]: https://mailman.mit.edu/pipermail/kerberos/2020-November/022582.html

--
Morten Minde Neergaard

I'm closing this as it isn't a bug in MIT krb5 or something we can work around, but I'll describe what I understand of the situation and how I believe people can work around it.

To address CVE-2020-17049, Microsoft added a third PAC signature field containing a checksum of the ticket, to prevent a service from using its knowledge of the ticket encryption key to modify the ticket containing the PAC.  When a ticket is renewed, the PAC ticket signature must be recomputed for the new ticket.  A non-updated KDC won't know to do this and will just blindly copy the new PAC signature, which will not be valid for the new ticket.

The CVE fix comes with a three-valued setting PerformTicketSignature.  At value 0 nothing changes (and the security issue isn't fixed), at value 1 the new signature is added but not required, and at value 2 it is required.  The idea is that you can set it to 1 while you are incrementally upgrading your KDCs and waiting for tickets to expire, and then to 2.

Because PerformTicketSignature=1 admits the possibility of non-updated KDCs in the realm which might not process the ticket signature correctly during renewal, Microsoft chose to simply not issue renewable tickets at this setting.  We believe that, at a minimum, this could have been done in a more targeted fashion.  The PAC ticket signature is not required or included in TGTs, and the vast majority of renewal operations are done on TGTs, so they could have continued to issue renewable TGTs (with no PAC ticket signature) but not renewable service tickets.  We have pointed this out to Microsoft and received tentative agreement, but we don't know if they will make any changes to the code.

At PerformTicketSignature=2, all KDCs in the realm are assumed to properly handle the PAC ticket signature, and therefore the KDCs will once again be willing to issue renewable tickets.  So, to work around this problem, finish upgrading all of the realm's KDCs and set PerformTicketSignature=2.

More at: https://support.microsoft.com/en-us/topic/managing-deployment-of-kerberos-s4u-changes-for-cve-2020-17049-569d60b7-3267-e2b0-7d9b-e46d770332ab
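The following is an added example, not part of the report or of MIT krb5: a POSIX shell helper that scripts the manual check from the report (klist -f, then kinit -R) so an admin can tell a TGT issued without a renewal window apart from a renewable TGT whose renewal the KDC refuses, the symptom reported above. The sample klist output is constructed in the report's format, and the verdict names are my own.

```shell
#!/bin/sh
# Constructed sample in the shape of MIT krb5 "klist -f" output (from the report).
SAMPLE_KLIST='Ticket cache: FILE:/tmp/krb5cc_1116501893
Default principal: username@DOMAIN

Valid starting Expires Service principal
2021-02-01 23:57:41 2021-02-02 09:57:41 krbtgt/DOMAIN@DOMAIN
renew until 2021-02-02 23:57:37, Flags: RIA'

# tgt_flags KLIST_OUTPUT -> flag letters of the krbtgt entry (e.g. RIA),
# empty when there is no TGT or klist was run without -f.
tgt_flags() {
    printf '%s\n' "$1" | awk '
        /krbtgt\// { in_tgt = 1; next }        # entry line of the TGT
        in_tgt && /Flags:/ { print $NF; exit } # "renew until ..., Flags: RIA" or "Flags: IA"
        in_tgt { in_tgt = 0 }                  # some other entry follows
    '
}

# classify_renewal FLAGS KINIT_R_STATUS KINIT_R_STDERR -> one-word verdict:
#   ok            kinit -R succeeded
#   not-renewable TGT carries no R flag: the KDC issued it without a renewal window
#   kdc-refused   TGT is flagged renewable but the KDC rejected the renewal
#                 (the error text seen in the report above)
#   other         kinit -R failed for an unrelated reason
classify_renewal() {
    flags=$1; status=$2; err=$3
    if [ "$status" -eq 0 ]; then echo ok; return; fi
    case $flags in *R*) ;; *) echo not-renewable; return ;; esac
    case $err in
        *"can't fulfill requested option"*) echo kdc-refused ;;
        *) echo other ;;
    esac
}

# Demo against the constructed sample and the report's kinit -R error text.
echo "TGT flags: $(tgt_flags "$SAMPLE_KLIST")"
echo "verdict:   $(classify_renewal "$(tgt_flags "$SAMPLE_KLIST")" 1 \
    "kinit: KDC can't fulfill requested option while renewing credentials")"

# Live check against the current credential cache (needs a valid ticket):
#   out=$(klist -f) && err=$(kinit -R 2>&1); st=$?
#   classify_renewal "$(tgt_flags "$out")" "$st" "$err"
```

A verdict of kdc-refused or not-renewable across a realm whose KDCs have all been updated is the signal to move PerformTicketSignature from 1 to 2, as the comment above describes.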