===================================================================
== Subject:     Unprivileged read of deleted object tombstones
==              in AD LDAP server
==
== CVE ID#:     CVE-2018-XXXX
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     Missing access control checks (compared with Microsoft
==              Active Directory) allow read of object tombstones over
==              LDAP
==
===================================================================

===========
Description
===========

All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory
Domain Controller.

Missing access control checks on the LDAP_SERVER_SHOW_DELETED_OID
control in the DSDB database layer cause the LDAP server to disclose,
to authenticated but unprivileged users, the names and preserved
attributes of deleted objects. (Microsoft AD simply does not return
these objects on a search.)

No information that was hidden before the deletion becomes visible,
but in Microsoft Active Directory the whole deleted object is also not
visible without administrative rights, whereas Samba allows an
unprivileged user to read the limited set of attributes that are
preserved after deletion.

There is no further vulnerability associated with this error; it is
an information disclosure only.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.7.x, 4.8.x and 4.9.x have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/.

Samba vendors and administrators running affected versions are advised
to upgrade or apply the patch as soon as possible.

==========
Workaround
==========

No workaround is possible while acting as a Samba AD DC. Disabling
the 'ldap' service in smb.conf (eg 'server services = -ldap') would
remove essential elements of the AD DC.

=======
Credits
=======

The initial bugs were found by Andrew Bartlett of Catalyst.

Andrew Bartlett of Catalyst and the Samba Team did the investigation
and provided the final fix.
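The following post-patch check is an added example and not Samba's own code. It assumes the third-party ldap3 package and a low-privilege test account that the administrator controls, and it takes the OID of LDAP_SERVER_SHOW_DELETED_OID from Microsoft's MS-ADTS specification rather than from this advisory. It binds as the test account, searches with the show-deleted control as described above, and reports whether any tombstones come back; on a fixed DC, as on Microsoft AD, the result should be empty.

```python
import sys

# LDAP_SERVER_SHOW_DELETED_OID, the control named in the Description; the OID
# value is taken from Microsoft's MS-ADTS specification, not from the advisory.
SHOW_DELETED_OID = "1.2.840.113556.1.4.417"

# Constructed sample in ldap3's (dn, attributes) shape, so the evaluation
# logic can be exercised offline without a DC.
SAMPLE_RESPONSE = [
    ("CN=bob\\0ADEL:1111,CN=Deleted Objects,DC=example,DC=com",
     {"isDeleted": ["TRUE"], "lastKnownParent": ["CN=Users,DC=example,DC=com"]}),
    ("CN=alice,CN=Users,DC=example,DC=com", {"cn": ["alice"]}),
    ("CN=carol\\0ADEL:2222,CN=Deleted Objects,DC=example,DC=com",
     {"isDeleted": True}),
]


def leaked_tombstones(entries):
    """Return the DNs of entries that are tombstones (isDeleted=TRUE).
    Values may be a list or a single value, as ldap3 returns them with or
    without schema information."""
    leaked = []
    for dn, attrs in entries:
        values = attrs.get("isDeleted", [])
        if not isinstance(values, (list, tuple)):
            values = [values]
        if any(str(v).upper() == "TRUE" for v in values):
            leaked.append(dn)
    return leaked


def search_deleted_objects(host, bind_dn, password, base_dn):
    """Bind as the low-privilege test account and search the domain NC with
    the show-deleted control attached. ldap3 is imported lazily because this
    is the only function that needs the package (or network access)."""
    from ldap3 import Server, Connection, SUBTREE

    conn = Connection(Server(host), user=bind_dn, password=password,
                      auto_bind=True)
    conn.search(base_dn, "(isDeleted=TRUE)", SUBTREE,
                attributes=["isDeleted", "lastKnownParent"],
                controls=[(SHOW_DELETED_OID, True, None)])
    return [(r["dn"], r["attributes"]) for r in conn.response
            if r["type"] == "searchResEntry"]


if __name__ == "__main__":
    # usage: check_tombstones.py DC_HOST TEST_ACCOUNT_DN PASSWORD DOMAIN_DN
    found = leaked_tombstones(search_deleted_objects(*sys.argv[1:5]))
    print(("STILL AFFECTED: %d tombstone(s) visible to the test account"
           if found else "OK: %d tombstones returned") % len(found))
    sys.exit(1 if found else 0)
```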