
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-45141 affects Heimdal builds of the Samba Active Directory DC prior to Samba 4.16. The vulnerability allows Samba Active Directory DCs to issue rc4-hmac encrypted tickets despite the target server supporting better encryption methods like aes256-cts-hmac-sha1-96. This issue was discovered following Microsoft's disclosure of the Windows Kerberos RC4-HMAC Elevation of Privilege Vulnerability on November 8, 2022 (Vendor Advisory).
The vulnerability stems from a coding error in older Heimdal versions that has since been fixed in recent versions. In Kerberos authentication, the KDC issues tickets using a key known only to the target server. Due to this vulnerability, an attacking client could select the encryption type and obtain a ticket encrypted with rc4-hmac, which could then be attacked offline. The vulnerability has been assigned a CVSS v3.1 base score of 9.8 (CRITICAL) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (NVD).
The vulnerability allows attackers to force the use of weaker rc4-hmac encryption, potentially enabling offline attacks against the encrypted tickets. This weakness cannot be mitigated by removing rc4-hmac from the server's account (by removing the unicodePwd attribute) as this would break other domain operations, particularly NETLOGON (Vendor Advisory).
The vulnerability has been fixed in Samba 4.15.13 and later versions. Administrators are advised to upgrade to these releases or apply the available patches as soon as possible. Setting msDS-SupportedEncryptionTypes is not a valid workaround for this issue (Vendor Advisory).
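An added detection example (not part of the advisory or of Samba's code): it scans ticket-issuance records and flags service tickets issued with rc4-hmac even though the target account advertises AES support, which is the condition described above. The JSON record schema, field names and principals are assumptions constructed for this example; the etype numbers and msDS-SupportedEncryptionTypes bit values are the standard ones.

```python
import json

RC4_HMAC = 23  # Kerberos etype number for rc4-hmac
ETYPE_NAMES = {17: "aes128-cts-hmac-sha1-96",
               18: "aes256-cts-hmac-sha1-96",
               23: "rc4-hmac"}
# msDS-SupportedEncryptionTypes bits: RC4 = 0x04, AES128 = 0x08, AES256 = 0x10
AES_BITS = 0x08 | 0x10

# Constructed sample data (hypothetical schema): one JSON record per issued
# service ticket. "supported_enctypes" is the target account's bitmask and
# "ticket_etype" is the etype the KDC used to encrypt the ticket.
SAMPLE_LOG = """\
{"client": "alice@EXAMPLE.TEST", "service": "cifs/fs1.example.test", "supported_enctypes": 28, "ticket_etype": 18}
{"client": "mallory@EXAMPLE.TEST", "service": "cifs/fs1.example.test", "supported_enctypes": 28, "ticket_etype": 23}
{"client": "bob@EXAMPLE.TEST", "service": "http/legacy.example.test", "supported_enctypes": 4, "ticket_etype": 23}
this line is not JSON
{"client": "carol@EXAMPLE.TEST", "service": "ldap/dc1.example.test", "supported_enctypes": 24, "ticket_etype": 23}
"""


def find_rc4_downgrades(log_text):
    """Return records where rc4-hmac was issued although the target supports AES."""
    findings = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            rec = json.loads(line)
            etype = int(rec["ticket_etype"])
            supported = int(rec["supported_enctypes"])
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or incomplete records
        # An RC4-only target (no AES bits set) legitimately receives rc4-hmac.
        if etype == RC4_HMAC and supported & AES_BITS:
            findings.append({"line": lineno,
                             "client": rec.get("client"),
                             "service": rec.get("service"),
                             "issued": ETYPE_NAMES[etype]})
    return findings


if __name__ == "__main__":
    for finding in find_rc4_downgrades(SAMPLE_LOG):
        print(finding)
```
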
Source: This report was generated using AI