==================================================================== == Subject: Confidential attribute disclosure AD LDAP server == == CVE ID#: CVE-2018-XXXX == == Versions: All versions of Samba from 4.0.0 onwards. == == Summary: Missing access control checks allow discovery of == confidential attribute values via authenticated == LDAP search expressions == ==================================================================== =========== Description =========== All versions of Samba from 4.0.0 onwards are vulnerable to the disclosure of confidential attribute values, both of attributes where the schema SEARCH_FLAG_CONFIDENTIAL (0x80) searchFlags bit and where an explicit Access Control Entry has been specified on the ntSecurityDescriptor. The confidential attribute disclosure is via the search expression and can be seen by the return (or failure to return) matching LDAP objects. This issue does NOT apply to secret attributes such as unicodePwd. These values are since Samba 4.8 encrypted at search expression processing time and have always been prohibited in LDAP search expressions. The following attributes in the 2008R2 AD schema have SEARCH_FLAG_CONFIDENTIAL set in the searchFlags by default: unixUserPassword, msFVE-KeyPackage, msFVE-RecoveryPassword, msPKIAccountCredentials, msPKIAccountCredentials, msPKI-CredentialRoamingTokens, msPKIDPAPIMasterKeys, msPKIRoamingTimeStamp, msTPM-OwnerInformation ================ Remaining issues ================ Due to an interaction with the dirsync protocol, SEARCH_FLAG_PRESERVEONDELETE and SEARCH_FLAG_CONFIDENTIAL the protection of the following attributes is NOT HONOURED for deleted objects: msFVE-KeyPackage, msFVE-RecoveryPassword, msTPM-OwnerInformation ================== Patch Availability ================== A patch addressing this defect has been posted to http://www.samba.org/samba/security/ Additionally, Samba 4.8.4, Samba 4.7.9 and 4.6.16 have been issued as a security release to correct the defect. Patches against older Samba versions are available at http://samba.org/samba/patches/. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible. ========================== Workarounds and Mitigation ========================== Until Samba 4.9 introduced the 'samba-tool schema attribute modify' command, there has been no samba-supplied tool to modify the searchFlags, and modification to the schema is prohibited over LDAP by default, unless 'dsdb:schema updates allowed = yes' has been set in the smb.conf. The only workaround is not to use the SEARCH_FLAG_CONFIDENTIAL searchFlags bit, not to expect confidentiality of the attribute list above nor to set access control entries of a similar nature on LDAP objects. ======= Credits ======= The issue was reported by Phillip Kuhrt. Tim Beale of Catalyst provided the test and patches. Andrew Bartlett of Catalyst and the Samba Team wrote the CVE text.