<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<title>Samba - Security Announcement Archive</title>
<H2>CVE-2014-8143.html:</H2>
===========================================================
== Subject: CVE-2014-8143: Elevation of privilege to Active Directory Domain Controller
== CVE ID#: CVE-2014-8143
== Versions: All versions of Samba's Active Directory Domain Controller
== (including 4.0.0 and all pre-releases)
== Summary: In Samba's AD DC we neglected to ensure that
== attempted modifications of the userAccountControl attribute
== did not allow the UF_SERVER_TRUST_ACCOUNT bit to be set.
== This is applicable only if the attribute is otherwise permitted
===========================================================
Samba's AD DC allows the administrator to delegate
creation of user or computer accounts to specific users or groups.
However, all released versions of Samba's AD DC did not implement the
additional required check on the UF_SERVER_TRUST_ACCOUNT bit in the
userAccountControl attribute.
As this was found during an internal audit of the Samba code, there are
no currently known exploits for this problem (as of January 15th 2015).
Most Samba deployments are not of the AD Domain Controller, but are of
the classic domain controller, the file server or print server. Only
the AD DC is affected by this issue.
Additionally, most sites running the AD Domain Controller do not
configure delegation for the creation of user or computer accounts,
and so are not vulnerable to this issue, as no writes are permitted to
the userAccountControl attribute, no matter what the value.
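As an added illustration (not Samba's code): a Python model of the userAccountControl check the advisory says was missing, together with an audit that flags accounts carrying the DC bit outside the Domain Controllers container. The UF_* constants are the documented ADS_UF_* values; the domain name, the "newly set" decision rule and the sample entries are constructed assumptions.

```python
"""Added example, not Samba's code: a model of the userAccountControl check
that CVE-2014-8143 describes as missing, plus an audit over an account dump.
UF_* values are the documented ADS_UF_* bits; domain and entries are constructed."""

UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000   # marks the account as a domain controller

DC_CONTAINER = "OU=Domain Controllers,DC=example,DC=com"  # assumed domain


def check_uac_change(old_uac, new_uac, writer_is_domain_admin):
    """Accept or reject a proposed userAccountControl write.

    Assumes the ACL already permits the write (the case the advisory
    covers). A delegated writer may flip ordinary bits, but a bit clear in
    old_uac and set in new_uac is "newly set", and UF_SERVER_TRUST_ACCOUNT
    may be newly set only by a domain admin. Returns (allowed, reason).
    """
    newly_set = new_uac & ~old_uac
    if newly_set & UF_SERVER_TRUST_ACCOUNT and not writer_is_domain_admin:
        return False, "UF_SERVER_TRUST_ACCOUNT may only be set by Domain Admins"
    return True, "ok"


def find_unexpected_dc_accounts(entries, dc_container=DC_CONTAINER):
    """Audit: DNs carrying UF_SERVER_TRUST_ACCOUNT outside the Domain
    Controllers container. entries: iterable of (dn, userAccountControl)."""
    suffix = "," + dc_container.upper()
    return [dn for dn, uac in entries
            if uac & UF_SERVER_TRUST_ACCOUNT and not dn.upper().endswith(suffix)]


# Constructed sample: one real DC, one workstation, one user, and a
# workstation account onto which the DC bit has been added.
SAMPLE_ENTRIES = [
    ("CN=DC1,OU=Domain Controllers,DC=example,DC=com", UF_SERVER_TRUST_ACCOUNT),
    ("CN=WS01,CN=Computers,DC=example,DC=com", UF_WORKSTATION_TRUST_ACCOUNT),
    ("CN=alice,CN=Users,DC=example,DC=com", UF_NORMAL_ACCOUNT),
    ("CN=WS02,CN=Computers,DC=example,DC=com",
     UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT),
]

if __name__ == "__main__":
    delegated = check_uac_change(UF_WORKSTATION_TRUST_ACCOUNT,
                                 UF_WORKSTATION_TRUST_ACCOUNT | UF_SERVER_TRUST_ACCOUNT, False)
    print(delegated)
    print(find_unexpected_dc_accounts(SAMPLE_ENTRIES))
```

Running the audit against a real export only requires feeding it (dn, userAccountControl) pairs and the site's own Domain Controllers container.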
Patches addressing all these issues have been posted to:
http://www.samba.org/samba/security/
Samba versions 4.0.24, 4.1.16, and 4.2rc4 have been released to
address this issue. Patches for 3.x are not required, as these
do not contain the AD Domain Controller code.
Do not delegate permission to create users or computers beyond the
default of Domain Administrators.
This problem was found by an internal audit of the Samba code by
Andrew Bartlett of Catalyst IT. Special thanks also go to Zentyal.
Patches provided by Andrew Bartlett, Garming Sam of Catalyst IT and
==========================================================
== Our Code, Our Bugs, Our Responsibility.
==========================================================