--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-4154.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba AD DC password exposure to privileged
+== users and RODCs
+==
+== CVE ID#: CVE-2023-4154
+==
+== Versions: All versions since Samba 4.0.0
+==
+== Summary: An RODC and a user with the GET_CHANGES
+== right can view all attributes, including
+== secrets and passwords.
+==
+== Additionally, the access check fails open
+== on error conditions.
+===========================================================
+
+===========
+Description
+===========
+
+In normal operation, passwords and (most) secrets are never disclosed
+over LDAP in Active Directory.
+
+However, due to a design flaw in Samba's implementation of the DirSync
+control, Active Directory accounts authorized to do some replication,
+but not to replicate sensitive attributes, can instead replicate
+critical domain passwords and secrets.
+
+In a default installation, this means that RODC DC accounts (which
+should only be permitted to replicate some passwords) can instead
+obtain all domain secrets, including the core AD secret: the krbtgt
+password.
+
+RODCs are given this permission as part of their installation for DRS
+replication. This vulnerability removes the RODC / DC distinction.
+
+Secondly, and just as problematically, the access check for this
+functionality did not account for error conditions - errors like
+out of memory were regarded as success. This is sometimes described
+as "fail open". In these error conditions, some of which (eg out of
+memory) may be influenced by a low-privileged attacker, access to the
+secret attributes could be obtained!
+
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+For password disclosure to RODCs and other privileged accounts:
+CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)
+
+For the fail open on the DirSync access check:
+CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
+
+=================================
+Workaround and mitigating factors
+=================================
+
+If no RODC accounts are in use in the domain, and DirSync users set
+LDAP_DIRSYNC_OBJECT_SECURITY then there is no need to give this right
+to any users. If only privileged accounts have this right, only the
+error path vulnerability exists.
+
+Since Windows 2003 and in all versions of Samba, it has not been
+required to assign accounts this "Get Changes" / GUID_DRS_GET_CHANGES
+right to use LDAP DirSync, provided that the
+LDAP_DIRSYNC_OBJECT_SECURITY it set in the control.
+
+If any unprivileged accounts do have this right, and either no longer
+use DirSync or use LDAP_DIRSYNC_OBJECT_SECURITY, this should be
+removed.
+
+GUID_DRS_GET_CHANGES / 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 is an
+extended right set in the ntSecurityDescriptor on the NC root (the DN
+at the top of each partition). These are for example the domain DN,
+configuration DN etc. The domain DN is the most important.
+
+=======
+Credits
+=======
+
+Originally reported by Andrew Bartlett of Catalyst and the Samba Team
+during routine code review.
+
+Patches provided by Andrew Bartlett of Catalyst and the Samba team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
git.samba.org / samba-web.git / blobdiff