<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.18.1.html">samba-4.18.1</a></li>
<li><a href="samba-4.18.0.html">samba-4.18.0</a></li>
+ <li><a href="samba-4.17.7.html">samba-4.17.7</a></li>
<li><a href="samba-4.17.6.html">samba-4.17.6</a></li>
<li><a href="samba-4.17.5.html">samba-4.17.5</a></li>
<li><a href="samba-4.17.4.html">samba-4.17.4</a></li>
<li><a href="samba-4.17.2.html">samba-4.17.2</a></li>
<li><a href="samba-4.17.1.html">samba-4.17.1</a></li>
<li><a href="samba-4.17.0.html">samba-4.17.0</a></li>
+ <li><a href="samba-4.16.10.html">samba-4.16.10</a></li>
<li><a href="samba-4.16.9.html">samba-4.16.9</a></li>
<li><a href="samba-4.16.8.html">samba-4.16.8</a></li>
<li><a href="samba-4.16.7.html">samba-4.16.7</a></li>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.16.10 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.16.10 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.10.tar.gz">Samba 4.16.10 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.10.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.16.9-4.16.10.diffs.gz">Patch (gzipped) against Samba 4.16.9</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.16.9-4.16.10.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ===============================
+ Release Notes for Samba 4.16.10
+ March 29, 2023
+ ===============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+ remote LDAP server, will by default send new or reset
+ passwords over a signed-only connection.
+ https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+ Confidential attribute disclosure via LDAP filters was
+ insufficient and an attacker may be able to obtain
+ confidential BitLocker recovery keys from a Samba AD DC.
+ Installations with such secrets in their Samba AD should
+ assume they have been obtained and need replacing.
+ https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.16.9
+--------------------
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15270: VE-2023-0614.
+ * BUG 15331: ldb wildcard matching makes excessive allocations.
+ * BUG 15332: large_ldap test is inefficient.
+
+o Rob van der Linde <rob@catalyst.net.nz>
+ * BUG 15315: CVE-2023-0922.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15270: CVE-2023-0614.
+
+
+</pre>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.17.7 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.17.7 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.17.7.tar.gz">Samba 4.17.7 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.17.7.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.17.6-4.17.7.diffs.gz">Patch (gzipped) against Samba 4.17.6</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.17.6-4.17.7.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.17.7
+ March 29, 2023
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
+ but otherwise unprivileged users to delete this attribute from
+ any object in the directory.
+ https://www.samba.org/samba/security/CVE-2023-0225.html
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+ remote LDAP server, will by default send new or reset
+ passwords over a signed-only connection.
+ https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+ Confidential attribute disclosure via LDAP filters was
+ insufficient and an attacker may be able to obtain
+ confidential BitLocker recovery keys from a Samba AD DC.
+ Installations with such secrets in their Samba AD should
+ assume they have been obtained and need replacing.
+ https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.17.6
+--------------------
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 15276: CVE-2023-0225.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15331: ldb wildcard matching makes excessive allocations.
+ * BUG 15332: large_ldap test is inefficient.
+
+o Rob van der Linde <rob@catalyst.net.nz>
+ * BUG 15315: CVE-2023-0922.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 14810: CVE-2020-25720 [SECURITY] Create Child permission should not
+ allow full write to all attributes (additional changes).
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15276: CVE-2023-0225.
+
+
+</pre>
+</p>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.18.1 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.18.1 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.18.1.tar.gz">Samba 4.18.1 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.18.1.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.18.0-4.18.1.diffs.gz">Patch (gzipped) against Samba 4.18.0</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.18.0-4.18.1.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.18.1
+ March 29, 2023
+ ==============================
+
+
+This is a security release in order to address the following defects:
+
+o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
+ but otherwise unprivileged users to delete this attribute from
+ any object in the directory.
+ https://www.samba.org/samba/security/CVE-2023-0225.html
+
+o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
+ remote LDAP server, will by default send new or reset
+ passwords over a signed-only connection.
+ https://www.samba.org/samba/security/CVE-2023-0922.html
+
+o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
+ Confidential attribute disclosure via LDAP filters was
+ insufficient and an attacker may be able to obtain
+ confidential BitLocker recovery keys from a Samba AD DC.
+ Installations with such secrets in their Samba AD should
+ assume they have been obtained and need replacing.
+ https://www.samba.org/samba/security/CVE-2023-0614.html
+
+
+Changes since 4.18.0
+--------------------
+
+o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+ * BUG 15276: CVE-2023-0225.
+
+o Andrew Bartlett <abartlet@samba.org>
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15331: ldb wildcard matching makes excessive allocations.
+ * BUG 15332: large_ldap test is inefficient.
+
+o Rob van der Linde <rob@catalyst.net.nz>
+ * BUG 15315: CVE-2023-0922.
+
+o Joseph Sutton <josephsutton@catalyst.net.nz>
+ * BUG 15270: CVE-2023-0614.
+ * BUG 15276: CVE-2023-0225.
+
+
+</pre>
+</p>
+</body>
+</html>
<td><em>Details</em></td>
</tr>
+ <tr>
+ <td>29 March 2023</td>
+ <td>
+ <a href="/samba/ftp/patches/security/samba-4.18.1-security-2023-03-29.patch">
+ patch for Samba 4.18.1</a><br/>
+ <a href="/samba/ftp/patches/security/samba-4.17.7-security-2023-03-29.patch">
+ patch for Samba 4.17.7</a><br/>
+ <a href="/samba/ftp/patches/security/samba-4.16.10-security-2023-03-29.patch">
+ patch for Samba 4.16.10</a><br/>
+ </td>
+ <td>
+ CVE-2023-0225, CVE-2023-0922 and CVE-2023-0614.
+ Please see announcements for details.
+ </td>
+ <td>All versions of Samba since 4.0 prior to 4.16.10, 4.17.7, 4.18.1.</td>
+ <td>
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0225">CVE-2023-0225</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0922">CVE-2023-0922</a>,
+<a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0614">CVE-2023-0614</a>.
+ </td>
+ <td>
+<a href="/samba/security/CVE-2023-0225.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-0922.html">Announcement</a>,
+<a href="/samba/security/CVE-2023-0614.html">Announcement</a>.
+ </td>
+ </tr>
+
<tr>
<td>15 December 2022</td>
<td>
--- /dev/null
+<!-- BEGIN: posted_news/20230329-144931.4.18.1.body.html -->
+<h5><a name="4.18.1">29 March 2023</a></h5>
+<p class=headline>Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases are available for Download</p>
+<p>
+<a href="/samba/security/CVE-2023-0225.html">CVE-2023-0225</a>,
+<a href="/samba/security/CVE-2023-0922.html">CVE-2023-0922</a> and
+<a href="/samba/security/CVE-2023-0614.html">CVE-2023-0614</a>.
+</p>
+
+<p>
+The uncompressed Samba tarball has been signed using GnuPG (ID AA99442FB680B620).
+</p>
+
+<p>
+The Samba 4.18.1 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.18.1.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.18.0-4.18.1.diffs.gz">patch against Samba 4.18.0</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.18.1.html">the release notes for more info</a>.
+</p>
+
+<p>
+The Samba 4.17.7 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.17.7.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.17.6-4.17.7.diffs.gz">patch against Samba 4.17.6</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.17.7.html">the release notes for more info</a>.
+</p>
+
+<p>
+The Samba 4.16.10 source code can be
+<a href="https://download.samba.org/pub/samba/stable/samba-4.16.10.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.16.9-4.16.10.diffs.gz">patch against Samba 4.16.9</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.16.10.html">the release notes for more info</a>.
+</p>
+
+<!-- END: posted_news/20230329-144931.4.18.1.body.html -->
--- /dev/null
+<!-- BEGIN: posted_news/20230329-144931.4.18.1.headline.html -->
+<li> 29 March 2023 <a href="#4.18.1">Samba 4.18.1, 4.17.7 and 4.16.10 Security Releases are available for Download</a></li>
+<!-- END: posted_news/20230329-144931.4.18.1.headline.html -->
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-0225.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba AD DC "dnsHostname" attribute can be
+ deleted by unprivileged authenticated users.
+==
+== CVE ID#: CVE-2023-0225
+==
+== Versions: Samba 4.17.0 and later versions
+==
+== Summary: An incomplete access check on dnsHostName allows
+ authenticated but otherwise unprivileged users to
+ delete this attribute from any object in the directory.
+===========================================================
+
+===========
+Description
+===========
+
+In implementing the Validated dnsHostName permission check in Samba's
+Active Directory DC, and therefore applying correctly constraints on
+the values of a dnsHostName value for a computer in a Samba domain
+(CVE-2022-32743), the case where the dnsHostName is deleted, rather
+than modified or added, was incorrectly handled.
+
+Therefore, in Samba 4.17.0 and later an LDAP attribute value deletion
+of the dnsHostName attribute became possible for authenticated but
+otherwise unprivileged users, for any object.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba $VERSIONS have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)
+
+==========
+Workaround
+==========
+
+The AD DC LDAP server is a critical component of the AD DC, and it
+should not be disabled. However it can be disabled by setting
+
+ server services = -ldap
+
+in the smb.conf and restarting Samba
+
+=======
+Credits
+=======
+
+Originally reported by Lukas Mitter of codemanufaktur GmbH.
+
+Patches provided by Joseph Sutton and Douglas Bagnall of Catalyst
+and the Samba Team.
+
+Advisory prepared by Andrew Bartlett of Catalyst and the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-0614.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Access controlled AD LDAP attributes can be discovered
+==
+== CVE ID#: CVE-2023-0614
+==
+== Versions: All Samba releases since Samba 4.0
+
+==
+== Summary: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for
+ CVE-2018-10919 Confidential attribute disclosure via
+ LDAP filters was insufficient and an attacker may be
+ able to obtain confidential BitLocker recovery keys
+ from a Samba AD DC.
+
+ Installations with such secrets in their Samba AD
+ should assume they have been obtained and need
+ replacing.
+===========================================================
+
+===========
+Description
+===========
+
+In Active Directory, there are essentially four different classes of
+attributes.
+
+ - Secret attributes (such as a user, computer or domain trust
+ password) that are never disclosed and are not available to search
+ against over LDAP. This is a hard-coded list, and since Samba 4.8
+ these are additionally encrypted in the DB with a per-DB key.
+
+ - Confidential attributes (marked as such in the schema) that have a
+ default access restriction allowing access only to the owner of the
+ object.
+
+ While a Samba AD Domain makes these attributes available,
+ thankfully by default it will not have any of these confidential
+ attributes set, as they are only added by clients after
+ configuration (typically via a GPO).
+
+ Examples of confidential data stored in Active Directory include
+ BitLocker recovery keys, TPM owner passwords, and certificate
+ secret keys stored with Credential Roaming.
+
+ - Access controlled attributes (for reads or writes), Samba will
+ honour the access control specified in the ntSecurityDescriptor.
+
+ - Public attributes for read. Most attributes in Active Directory
+ are available to read by all authenticated users.
+
+Because the access control rules for a given attribute are not
+consistent between objects, Samba implemented access control
+restrictions only after matching objects against the filter.
+
+Taking each of the above classes in turn:
+
+ - Secret attributes are prevented from disclosure firstly by
+ redaction of the LDAP filter, and secondly by the fact that they
+ are still encrypted during filter processing (by default).
+
+ - Confidential and access controlled attributes were subject to an
+ attack using LDAP filters.
+
+With this security patch, for attributes mentioned in the search
+filter, Samba will perform a per-object access control evaluation
+before LDAP filter matching on the attribute, preventing unauthorised
+disclosure of the value of (for example) BitLocker recovery keys.
+
+It is not expected that all similar attacks have been prevented, and
+it is likely still possible to determine if an object or attribute on
+an object is present, but not to obtain the contents.
+
+
+=============
+Further steps
+=============
+
+Evidence of an attack will not show up in the logs, except at the
+highly verbose level 10, and there is no record as to if a previous
+attribute disclosure has taken place.
+
+In addition to updating Samba, it is strongly recommended that steps
+be taken to ensure that data that may have been leaked from
+confidential or otherwise access-controlled attributes is no longer
+useful.
+
+Such steps may include, but are not limited to, re-encrypting
+BitLocker encrypted drives, changing TPM passwords, and revoking and
+re-issuing certificates that are stored by Credential Roaming (with
+new secret keys).
+
+
+===================
+Impacted attributes
+===================
+
+In addition to any per-object access control restrictions, the
+following attributes in the 2012R2 AD schema have
+SEARCH_FLAG_CONFIDENTIAL set in the searchFlags by default:
+
+ msDS-IssuerCertificates
+ msDS-TransformationRulesCompiled
+
+ Bitlocker:
+ msFVE-KeyPackage
+ msFVE-RecoveryPassword
+
+ Group Managed Service Accounts:
+ msKds-CreateTime
+ msKds-DomainID
+ msKds-KDFAlgorithmID
+ msKds-KDFParam
+ msKds-PrivateKeyLength
+ msKds-PublicKeyLength
+ msKds-RootKeyData
+ msKds-SecretAgreementAlgorithmID
+ msKds-SecretAgreementParam
+ msKds-UseStartTime
+ msKds-Version
+ (this AD DC feature is not implemented in Samba, and exists only
+ in Windows 2012 and later, but could have been replicated to Samba
+ in a mixed domain):
+
+ msPKIAccountCredentials
+ msPKI-CredentialRoamingTokens
+ msPKIDPAPIMasterKeys
+ msPKIRoamingTimeStamp
+ msTPM-OwnerInformation
+ msTPM-OwnerInformationTemp
+
+ unixUserPassword (this value is not used or updated by Samba)
+
+The confidential attributes on your server can be seen (adapt for your
+local environment) with:
+
+ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' lDAPDisplayName
+
+However, please again note that while unlikely, it is possible via the
+nTSecurityDescriptor for any attribute to be made access controlled on
+any object, and these cases will not be shown by this command.
+
+==================================
+Limitations for indexed attributes
+==================================
+
+Additionally, due to the nature of our object indexes, Samba must
+evaluate these prior to ACL checking, so read access controlled
+information should not be stored in indexed attributes. This will
+allow a timing attack.
+
+Again, taking each of the above classes in turn:
+
+ - Secret attributes cannot be indexed or searched for, so have always
+ been protected
+
+ - Confidential attributes are further protected, as this patch will
+ prevent attributes marked as 'confidential' from being indexed.
+ Search results for these will be safer, but slower. The impacted
+ attributes on your server can be seen (adapt for your local
+ environment) with:
+
+ ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))' lDAPDisplayName
+
+ (This will normally return no results and no such attributes have
+ this combination by default)
+
+ - Access controlled attributes that are also indexed may be subject
+ to timing attacks.
+
+ The list of indexed attributes can be seen (adapt for your local
+ environment) with:
+
+ ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' lDAPDisplayName
+
+==================
+Performance impact
+==================
+
+As candidate objects are ACL checked before being compared with the
+LDAP filter, avoiding this disclosure, Samba's AD DC LDAP read
+performance is reduced, with a 20% performance cost in the worst cases
+from our existing performance tests.
+
+Further optimisation of the Samba AD DC LDAP server to ameliorate this
+impact has been investigated and is technically possible, but is out
+of scope for this security release.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba $VERSIONS have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7)
+
+==========
+Workaround
+==========
+
+Do not store confidential information in Active Directory, other than
+passwords or keys required for AD operation (as these are in the
+hard-coded secret attribute list).
+
+=======
+Credits
+=======
+
+Originally reported by Demi Marie Obenour of Invisible Things Lab.
+
+Patches provided by Joseph Sutton of Catalyst and the Samba team,
+reviewed by Andrew Bartlett of Catalyst and the Samba Team.
+
+Advisory by Andrew Bartlett of Catalyst and the Samba Team in
+collaboration with Joseph Sutton and Demi Marie Obenour.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
--- /dev/null
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2023-0922.html:</H2>
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba AD DC admin tool samba-tool sends passwords in cleartext
+==
+== CVE ID#: CVE-2023-0922
+==
+== Versions: All versions of Samba since 4.0
+==
+== Summary: The Samba AD DC administration tool, when operating
+ against a remote LDAP server, will by default send
+ new or reset passwords over a signed-only connection.
+===========================================================
+
+===========
+Description
+===========
+
+Active Directory allows passwords to be set and changed over LDAP.
+Microsoft's implementation imposes a restriction that this may only
+happen over an encrypted connection, however Samba does not have this
+restriction currently.
+
+Samba's samba-tool client tool likewise has no restriction regarding
+the security of the connection it will set a password over.
+
+An attacker able to observe the network traffic between samba-tool and
+the Samba AD DC could obtain newly set passwords if samba-tool
+connected using a Kerberos secured LDAP connection against a Samba AD
+DC.
+
+This would happen when samba-tool was used to reset a user's
+password, or to add a new user.
+
+This only impacts connections made using Kerberos as NTLM-protected
+connections are upgraded to encryption regardless.
+
+This patch changes all Samba AD LDAP client connections to use
+encryption, as well as integrity protection, by default, by changing
+the default value of "client ldap sasl wrapping" to "seal" in Samba's
+smb.conf.
+
+Administrators should confirm this value has not been overridden in
+their local smb.conf to obtain the benefit of this change.
+
+NOTE WELL: Samba, for consistency, uses a common smb.conf option for
+LDAP client behaviour. Therefore this will also encrypt the AD LDAP
+connections between Samba's winbindd and any AD DC, so this patch will
+also change behaviour for Samba Domain Member configurations.
+
+If this is a concern, the smb.conf value "client ldap sasl wrapping"
+can be reset to "sign".
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ https://www.samba.org/samba/security/
+
+Additionally, Samba $VERSIONS have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)
+
+==========
+Workaround
+==========
+
+Set "client ldap sasl wrapping = seal" in the smb.conf or add the
+--option=clientldapsaslwrapping=sign option to any samba-tool or
+ldbmodify invocation that sets a password.
+
+=======
+Credits
+=======
+
+Originally reported by Andrew Bartlett of Catalyst and the Samba Team
+working with Rob van der Linde of Catalyst.
+
+Patches provided by Rob van der Linde of Catalyst and Andrew Bartlett
+of Catalyst and the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+
+
+</pre>
+</body>
+</html>
\ No newline at end of file
git.samba.org / samba-web.git / commitdiff