The Samba-Bugzilla – Attachment 15635 Details for Bug 14187
CVE-2019-14870 | DelegationNotAllowed not being enforced
first draft security advisory
CVE-2019-14870-advisory-01.txt (text/plain), 2.20 KB, created by Andrew Bartlett on 2019-11-27 04:30:00 UTC
===========================================================
== Subject: DelegationNotAllowed not being enforced
== on Samba AD DC.
==
== CVE ID#: CVE-2019-14870
==
== Versions: All Samba versions since Samba 4.0
==
== Summary: The DelegationNotAllowed Kerberos feature
== restriction was not being applied when processing
== constrained delegation requests in the AD DC KDC.
===========================================================

===========
Description
===========

The S4U (MS-SFU) Kerberos delegation model includes a feature allowing
for a subset of clients to be opted out of constrained delegation in
any way, either S4U2Self or regular Kerberos authentication, by
forcing all tickets for that client to be non-forwardable. In AD this
is implemented by a user attribute delegation_not_allowed (aka
not-delegated), which translates to disallow-forwardable and
disallow-proxiable.

However, the Samba AD DC does not do that for S4U2Self and does set the
forwardable flag even if the impersonated client has the not-delegated
flag set.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.4, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

=========================
Workaround and mitigation
=========================

Only services configured directly in LDAP or via a Windows client
could have been marked as sensitive and so have been expected to have
this protection. Therefore most Samba sites will not have been using
this feature and so are not impacted either way.

=======
Credits
=======

Originally reported by Isaac Boukris of Red Hat and the Samba Team.

Patches provided by Isaac Boukris of Red Hat and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
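The KDC decision the advisory describes, as an added model that is not Samba's code: `issue_flags` shows the pre-fix behaviour (not-delegated honoured on the AS/TGS path but ignored for S4U2Self) beside the fixed one, and `audit_not_delegated` lists which accounts actually rely on the restriction, which is the check the "Workaround and mitigation" section asks a site to make. `Account`, `Request`, `issue_flags`, `audit_not_delegated` and the request-kind labels are assumed names; UF_NOT_DELEGATED is the real userAccountControl bit behind "Account is sensitive and cannot be delegated".

```python
from dataclasses import dataclass

UF_NOT_DELEGATED = 0x00100000   # userAccountControl bit: "sensitive, cannot be delegated"
UF_NORMAL_ACCOUNT = 0x00000200

@dataclass(frozen=True)
class Account:
    name: str
    user_account_control: int

@dataclass(frozen=True)
class Request:
    kind: str                # "AS", "TGS" or "S4U2SELF" (assumed labels)
    client: Account          # principal the ticket is issued for; the
                             # impersonated client in the S4U2Self case
    want_forwardable: bool
    want_proxiable: bool

def issue_flags(req: Request, enforce_for_s4u2self: bool) -> dict:
    """Forwardable/proxiable flags the modelled KDC puts in the ticket.

    enforce_for_s4u2self=False models the pre-fix DC: the not-delegated
    restriction clears the flags on AS/TGS requests only, so an S4U2Self
    ticket for a not-delegated client still comes back forwardable.
    enforce_for_s4u2self=True models the fixed DC: the client's
    not-delegated flag wins on every path."""
    forwardable, proxiable = req.want_forwardable, req.want_proxiable
    not_delegated = bool(req.client.user_account_control & UF_NOT_DELEGATED)
    if not_delegated and (req.kind != "S4U2SELF" or enforce_for_s4u2self):
        forwardable = proxiable = False
    return {"forwardable": forwardable, "proxiable": proxiable}

def audit_not_delegated(accounts) -> list:
    """Names of accounts marked not-delegated; an empty list means the site
    never relied on the feature and is not affected either way."""
    return sorted(a.name for a in accounts
                  if a.user_account_control & UF_NOT_DELEGATED)

if __name__ == "__main__":
    # Constructed sample directory: one protected account, one ordinary one.
    alice = Account("alice", UF_NORMAL_ACCOUNT | UF_NOT_DELEGATED)
    bob = Account("bob", UF_NORMAL_ACCOUNT)
    s4u = Request("S4U2SELF", alice, want_forwardable=True, want_proxiable=False)
    print("pre-fix :", issue_flags(s4u, enforce_for_s4u2self=False))
    print("fixed   :", issue_flags(s4u, enforce_for_s4u2self=True))
    print("relying :", audit_not_delegated([alice, bob]))
```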