Attachment 15738 Details for Bug 12497 – Updated advisory with version numbers

Updated advisory with version numbers

CVE-2019-14902-sd-repl-advisory-04.txt (text/plain), 3.09 KB, created by Karolin Seeger on 2020-01-17 08:51:46 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Karolin Seeger

Created: 2020-01-17 08:51:46 UTC

Size: 3.09 KB

patch

obsolete

>===========================================================
>== Subject:     Replication of ACLs set to inherit down a
>==              subtree on AD Directory not automatic
>==
>== CVE ID#:     CVE-2019-14902 
>==
>== Versions:    Samba 4.0 and later
>==
>== Summary:     The implementation of ACL inheritance in the
>==              Samba AD DC was not complete, and so absent a
>==              'full-sync' replication, ACLs could get out of
>==              sync between domain controllers.
>===========================================================
>
>===========
>Description
>===========
>
>A newly delegated right, but more importantly the removal of a
>delegated right, would not be inherited on any DC other than the one
>where the change was made.
>
>For example:
> - if a user or group was previously delegated the right to
>create or modify a subtree (say to allow desktop support to reset
>passwords and create users)
> - and subsequently this right was taken away
>
>The removal would not automatically be taken away on all domain
>controllers.
>
>Because this patch only fixes new replication into the future, it is
>vital that a full-sync be done TO each Domain Controller to ensure
>each ACL (ntSecurityDescriptor) is re-calculated on the whole set of
>DCs.  See the instructions in "workaround and required steps
>post-upgrade" below.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
>as security releases to correct the defect.  Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)
>
>==========================================
>Workaround and required steps post-upgrade
>==========================================
>
>Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause
>all ACLs to be syncronised from DC2 to DC1, for the given NC (naming
>context), eg:
>
>samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync 
>samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync 
>
>samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync 
>samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync
>
>Internally both in patched and un-patched versions, for every object
>replicated with a --full-sync, the inheritance will be correctly
>calculated.  This only needs to be done TO each DC, not for each
>pair-wise pair.
>
>=======
>Credits
>=======
>
>Reported by a number of Samba users and sites since 2017, but now
>recognised as a security issue after triage.  We apologise for the
>delay in dealing with this issue.
>
>Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
>
>Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
>

Actions: View

Attachments on bug 12497: 15633 | 15670 | 15678 | 15679 | 15680 | 15681 | 15685 | 15686 | 15687 | 15688 | 15689 | 15706 | 15708 | 15738