The Samba-Bugzilla – Attachment 14377 Details for Bug 13434: [SECURITY] CVE-2018-10919 - Confidential attribute disclosure via substring search
Attachment: proposed CVE text (needs CVE) v4
File: CVE-fCONFIDENTIAL.txt (text/plain), 2.74 KB, created by Andrew Bartlett on 2018-07-31 22:29:33 UTC
====================================================================
== Subject: Confidential attribute disclosure AD LDAP server
==
== CVE ID#: CVE-2018-XXXX
==
== Versions: All versions of Samba from 4.0.0 onwards.
==
== Summary: Missing access control checks allow discovery of
== confidential attribute values via authenticated
== LDAP search expressions
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 onwards are vulnerable to the
disclosure of confidential attribute values, both of attributes where
the schema SEARCH_FLAG_CONFIDENTIAL (0x80) searchFlags bit is set and
of attributes where an explicit Access Control Entry has been specified
on the ntSecurityDescriptor.

The confidential attribute disclosure is via the search expression and
can be seen by the return (or failure to return) of matching LDAP
objects.

This issue does NOT apply to secret attributes such as unicodePwd.
Since Samba 4.8 these values are encrypted at search expression
processing time, and they have always been prohibited in LDAP search
expressions.

The following attributes in the 2008R2 AD schema have
SEARCH_FLAG_CONFIDENTIAL set in the searchFlags by default:

unixUserPassword, msFVE-KeyPackage, msFVE-RecoveryPassword,
msPKIAccountCredentials, msPKIAccountCredentials,
msPKI-CredentialRoamingTokens, msPKIDPAPIMasterKeys,
msPKIRoamingTimeStamp, msTPM-OwnerInformation

For clarity: unixUserPassword is NOT populated by Samba.

================
Remaining issues
================

Samba makes no attempt to address possible timing attacks against the
LDAP server. Data (aside from secret attributes, already subject to
special processing) of such sensitivity that a timing attack would be
worthwhile should not be stored in Active Directory.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.8.4, Samba 4.7.9 and 4.6.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========================
Workarounds and Mitigation
==========================

The only workaround is not to use the SEARCH_FLAG_CONFIDENTIAL
searchFlags bit, not to expect confidentiality of the attribute list
above, and not to set access control entries of a similar nature on
LDAP objects.

=======
Credits
=======

The issue was reported by Phillip Kuhrt. Tim Beale of Catalyst
provided the test and patches. Andrew Bartlett of Catalyst and the
Samba Team wrote the CVE text.
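The defect the advisory describes, and the per-attribute access check that closes it, as an added example. This is modelled code written for this page, not Samba's own ldb or AD code; the schema fragment, the directory object, the administrator-only read rule standing in for the ACL, and the tiny filter grammar are all constructed assumptions. The point it shows is that filter matching must drop attributes the requester cannot read before any value is compared, and must do so for negated filters as well, or the search outcome itself becomes a read of the confidential value.

```python
"""Added example (not Samba's code): modelling the access check that
CVE-2018-10919 was missing.  LDAP search filters are matched against
object attribute values; if that matching ignores per-attribute read
rights, whether an object is returned tells the caller whether a
confidential value matched.  The hardened path treats every attribute
the requester may not read as absent, so the result can no longer
depend on it.  Schema, object, ACL rule and filter grammar below are
constructed toy models, not Samba's ldb/AD structures."""
import re

SEARCH_FLAG_CONFIDENTIAL = 0x80  # searchFlags bit named in the advisory

# Constructed schema fragment: attribute name -> searchFlags value.
SCHEMA = {
    "cn": 0x0,
    "msFVE-RecoveryPassword": SEARCH_FLAG_CONFIDENTIAL,
    "msTPM-OwnerInformation": SEARCH_FLAG_CONFIDENTIAL,
}

# Constructed directory object with one confidential attribute populated.
OBJECT = {
    "cn": ["workstation01"],
    "msFVE-RecoveryPassword": ["123456-654321-112233"],
}

# Toy filter grammar: "(attr=value)" with optional "*" wildcards, or "(!(...))".
SIMPLE_FILTER = re.compile(r"^\(([A-Za-z][A-Za-z0-9-]*)=([^()]*)\)$")


def can_read_attribute(requester, attr):
    """Toy access check standing in for the ACL: confidential attributes
    are readable only by the administrator, everything else by anyone."""
    if SCHEMA.get(attr, 0) & SEARCH_FLAG_CONFIDENTIAL:
        return requester == "administrator"
    return True


def substring_match(value, pattern):
    """LDAP-style match: '*' is a wildcard, everything else is literal,
    compared case-insensitively (a pattern without '*' is an equality)."""
    regex = ".*".join(re.escape(piece) for piece in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def evaluate(obj, expr, requester, enforce_acl):
    """Return True if obj matches expr for requester.

    enforce_acl=False reproduces the defect: values of attributes the
    requester cannot read still drive the result.
    enforce_acl=True is the hardened behaviour: such attributes are
    treated as absent before matching, for negated filters too.
    """
    if expr.startswith("(!") and expr.endswith(")"):
        return not evaluate(obj, expr[2:-1], requester, enforce_acl)
    m = SIMPLE_FILTER.match(expr)
    if m is None:
        raise ValueError(f"unsupported filter: {expr}")
    attr, pattern = m.group(1), m.group(2)
    if enforce_acl and not can_read_attribute(requester, attr):
        values = []  # attribute hidden from this requester: nothing to match
    else:
        values = obj.get(attr, [])
    return any(substring_match(v, pattern) for v in values)


def result_depends_on_confidential_value(requester, enforce_acl):
    """Defender's check: does the search outcome change with the stored
    confidential value?  Compare a filter whose prefix matches the stored
    value with one whose prefix does not; any difference in outcome is
    the disclosure the advisory describes."""
    matching = evaluate(OBJECT, "(msFVE-RecoveryPassword=123456*)", requester, enforce_acl)
    non_matching = evaluate(OBJECT, "(msFVE-RecoveryPassword=999*)", requester, enforce_acl)
    return matching != non_matching


if __name__ == "__main__":
    for enforce in (False, True):
        print("ACL enforced" if enforce else "ACL ignored ",
              "-> outcome depends on confidential value:",
              result_depends_on_confidential_value("alice", enforce))
```

The negation case is the one worth noting: if a hardened matcher only blanked the attribute for positive filters, a filter of the form `(!(attr=...))` would still give different answers for different stored values. Treating an unreadable attribute as absent everywhere makes both the plain and the negated filter return the same answer whatever the value is, while a requester who holds read rights (the administrator in this model) keeps normal search behaviour.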
Flags: dbagnall: review+