#17881 closed enhancement (fixed)
samba-4.18.1
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | elevated | Milestone: | 12.0 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
New point version
This appears to be a security update
Change History (6)
comment:1 by , 13 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:2 by , 13 months ago
comment:3 by , 13 months ago
Release Notes
==============================
Release Notes for Samba 4.18.1
March 29, 2023
==============================
This is a security release in order to address the following defects:
o CVE-2023-0225: An incomplete access check on dnsHostName allows authenticated
but otherwise unprivileged users to delete this attribute from
any object in the directory.
https://www.samba.org/samba/security/CVE-2023-0225.html
o CVE-2023-0922: The Samba AD DC administration tool, when operating against a
remote LDAP server, will by default send new or reset
passwords over a signed-only connection.
https://www.samba.org/samba/security/CVE-2023-0922.html
o CVE-2023-0614: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919
Confidential attribute disclosure via LDAP filters was
insufficient and an attacker may be able to obtain
confidential BitLocker recovery keys from a Samba AD DC.
Installations with such secrets in their Samba AD should
assume they have been obtained and need replacing.
https://www.samba.org/samba/security/CVE-2023-0614.html
Changes since 4.18.0
--------------------
o Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
* BUG 15276: CVE-2023-0225.
o Andrew Bartlett <abartlet@samba.org>
* BUG 15270: CVE-2023-0614.
* BUG 15331: ldb wildcard matching makes excessive allocations.
* BUG 15332: large_ldap test is inefficient.
o Rob van der Linde <rob@catalyst.net.nz>
* BUG 15315: CVE-2023-0922.
o Joseph Sutton <josephsutton@catalyst.net.nz>
* BUG 15270: CVE-2023-0614.
* BUG 15276: CVE-2023-0225.
CVE-2023-0225
CVE-2023-0225.html:
===========================================================
== Subject: Samba AD DC "dnsHostname" attribute can be
deleted by unprivileged authenticated users.
==
== CVE ID#: CVE-2023-0225
==
== Versions: Samba 4.17.0 and later versions
==
== Summary: An incomplete access check on dnsHostName allows
authenticated but otherwise unprivileged users to
delete this attribute from any object in the directory.
===========================================================
===========
Description
===========
In implementing the Validated dnsHostName permission check in Samba's
Active Directory DC, and therefore applying correctly constraints on
the values of a dnsHostName value for a computer in a Samba domain
(CVE-2022-32743), the case where the dnsHostName is deleted, rather
than modified or added, was incorrectly handled.
Therefore, in Samba 4.17.0 and later an LDAP attribute value deletion
of the dnsHostName attribute became possible for authenticated but
otherwise unprivileged users, for any object.
==================
Patch Availability
==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
==================
CVSSv3 calculation
==================
CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4)
==========
Workaround
==========
The AD DC LDAP server is a critical component of the AD DC, and it
should not be disabled. However it can be disabled by setting
server services = -ldap
in the smb.conf and restarting Samba
CVE-2023-0922
CVE-2023-0922.html:
===========================================================
== Subject: Samba AD DC admin tool samba-tool sends passwords in cleartext
==
== CVE ID#: CVE-2023-0922
==
== Versions: All versions of Samba since 4.0
==
== Summary: The Samba AD DC administration tool, when operating
against a remote LDAP server, will by default send
new or reset passwords over a signed-only connection.
===========================================================
===========
Description
===========
Active Directory allows passwords to be set and changed over LDAP.
Microsoft's implementation imposes a restriction that this may only
happen over an encrypted connection, however Samba does not have this
restriction currently.
Samba's samba-tool client tool likewise has no restriction regarding
the security of the connection it will set a password over.
An attacker able to observe the network traffic between samba-tool and
the Samba AD DC could obtain newly set passwords if samba-tool
connected using a Kerberos secured LDAP connection against a Samba AD
DC.
This would happen when samba-tool was used to reset a user's
password, or to add a new user.
This only impacts connections made using Kerberos as NTLM-protected
connections are upgraded to encryption regardless.
This patch changes all Samba AD LDAP client connections to use
encryption, as well as integrity protection, by default, by changing
the default value of "client ldap sasl wrapping" to "seal" in Samba's
smb.conf.
Administrators should confirm this value has not been overridden in
their local smb.conf to obtain the benefit of this change.
NOTE WELL: Samba, for consistency, uses a common smb.conf option for
LDAP client behaviour. Therefore this will also encrypt the AD LDAP
connections between Samba's winbindd and any AD DC, so this patch will
also change behaviour for Samba Domain Member configurations.
If this is a concern, the smb.conf value "client ldap sasl wrapping"
can be reset to "sign".
==================
Patch Availability
==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
==================
CVSSv3 calculation
==================
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)
==========
Workaround
==========
Set "client ldap sasl wrapping = seal" in the smb.conf or add the
--option=clientldapsaslwrapping=sign option to any samba-tool or
ldbmodify invocation that sets a password.
CVE-2023-0614
CVE-2023-0614.html:
===========================================================
== Subject: Access controlled AD LDAP attributes can be discovered
==
== CVE ID#: CVE-2023-0614
==
== Versions: All Samba releases since Samba 4.0
==
== Summary: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for
CVE-2018-10919 Confidential attribute disclosure via
LDAP filters was insufficient and an attacker may be
able to obtain confidential BitLocker recovery keys
from a Samba AD DC.
Installations with such secrets in their Samba AD
should assume they have been obtained and need
replacing.
===========================================================
===========
Description
===========
In Active Directory, there are essentially four different classes of
attributes.
- Secret attributes (such as a user, computer or domain trust
password) that are never disclosed and are not available to search
against over LDAP. This is a hard-coded list, and since Samba 4.8
these are additionally encrypted in the DB with a per-DB key.
- Confidential attributes (marked as such in the schema) that have a
default access restriction allowing access only to the owner of the
object.
While a Samba AD Domain makes these attributes available,
thankfully by default it will not have any of these confidential
attributes set, as they are only added by clients after
configuration (typically via a GPO).
Examples of confidential data stored in Active Directory include
BitLocker recovery keys, TPM owner passwords, and certificate
secret keys stored with Credential Roaming.
- Access controlled attributes (for reads or writes), Samba will
honour the access control specified in the ntSecurityDescriptor.
- Public attributes for read. Most attributes in Active Directory
are available to read by all authenticated users.
Because the access control rules for a given attribute are not
consistent between objects, Samba implemented access control
restrictions only after matching objects against the filter.
Taking each of the above classes in turn:
- Secret attributes are prevented from disclosure firstly by
redaction of the LDAP filter, and secondly by the fact that they
are still encrypted during filter processing (by default).
- Confidential and access controlled attributes were subject to an
attack using LDAP filters.
With this security patch, for attributes mentioned in the search
filter, Samba will perform a per-object access control evaluation
before LDAP filter matching on the attribute, preventing unauthorised
disclosure of the value of (for example) BitLocker recovery keys.
It is not expected that all similar attacks have been prevented, and
it is likely still possible to determine if an object or attribute on
an object is present, but not to obtain the contents.
=============
Further steps
=============
Evidence of an attack will not show up in the logs, except at the
highly verbose level 10, and there is no record as to if a previous
attribute disclosure has taken place.
In addition to updating Samba, it is strongly recommended that steps
be taken to ensure that data that may have been leaked from
confidential or otherwise access-controlled attributes is no longer
useful.
Such steps may include, but are not limited to, re-encrypting
BitLocker encrypted drives, changing TPM passwords, and revoking and
re-issuing certificates that are stored by Credential Roaming (with
new secret keys).
===================
Impacted attributes
===================
In addition to any per-object access control restrictions, the
following attributes in the 2012R2 AD schema have
SEARCH_FLAG_CONFIDENTIAL set in the searchFlags by default:
msDS-IssuerCertificates
msDS-TransformationRulesCompiled
Bitlocker:
msFVE-KeyPackage
msFVE-RecoveryPassword
Group Managed Service Accounts:
msKds-CreateTime
msKds-DomainID
msKds-KDFAlgorithmID
msKds-KDFParam
msKds-PrivateKeyLength
msKds-PublicKeyLength
msKds-RootKeyData
msKds-SecretAgreementAlgorithmID
msKds-SecretAgreementParam
msKds-UseStartTime
msKds-Version
(this AD DC feature is not implemented in Samba, and exists only
in Windows 2012 and later, but could have been replicated to Samba
in a mixed domain):
msPKIAccountCredentials
msPKI-CredentialRoamingTokens
msPKIDPAPIMasterKeys
msPKIRoamingTimeStamp
msTPM-OwnerInformation
msTPM-OwnerInformationTemp
unixUserPassword (this value is not used or updated by Samba)
The confidential attributes on your server can be seen (adapt for your
local environment) with:
ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=128))' lDAPDisplayName
However, please again note that while unlikely, it is possible via the
nTSecurityDescriptor for any attribute to be made access controlled on
any object, and these cases will not be shown by this command.
==================================
Limitations for indexed attributes
==================================
Additionally, due to the nature of our object indexes, Samba must
evaluate these prior to ACL checking, so read access controlled
information should not be stored in indexed attributes. This will
allow a timing attack.
Again, taking each of the above classes in turn:
- Secret attributes cannot be indexed or searched for, so have always
been protected
- Confidential attributes are further protected, as this patch will
prevent attributes marked as 'confidential' from being indexed.
Search results for these will be safer, but slower. The impacted
attributes on your server can be seen (adapt for your local
environment) with:
ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))' lDAPDisplayName
(This will normally return no results and no such attributes have
this combination by default)
- Access controlled attributes that are also indexed may be subject
to timing attacks.
The list of indexed attributes can be seen (adapt for your local
environment) with:
ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' lDAPDisplayName
==================
Performance impact
==================
As candidate objects are ACL checked before being compared with the
LDAP filter, avoiding this disclosure, Samba's AD DC LDAP read
performance is reduced, with a 20% performance cost in the worst cases
from our existing performance tests.
Further optimisation of the Samba AD DC LDAP server to ameliorate this
impact has been investigated and is technically possible, but is out
of scope for this security release.
==================
Patch Availability
==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
==================
CVSSv3 calculation
==================
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N (7.7)
==========
Workaround
==========
Do not store confidential information in Active Directory, other than
passwords or keys required for AD operation (as these are in the
hard-coded secret attribute list).
comment:4 by , 13 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Note:
See TracTickets
for help on using tickets.
I read the CVE's, and even for me using Samba over LDAP, they seem not all that critcal. I guess we can do without an advisory.