The Samba-Bugzilla – Attachment 15738 Details for Bug 12497
[SECURITY] CVE-2019-14902 Replication of ACLs down subtree on AD Directory not automatic
Attachment 15738: Updated advisory with version numbers

Filename: CVE-2019-14902-sd-repl-advisory-04.txt
MIME Type: text/plain
Creator: Karolin Seeger
Created: 2020-01-17 08:51:46 UTC
Size: 3.09 KB
===========================================================
== Subject:     Replication of ACLs set to inherit down a
==              subtree on AD Directory not automatic
==
== CVE ID#:     CVE-2019-14902
==
== Versions:    Samba 4.0 and later
==
== Summary:     The implementation of ACL inheritance in the
==              Samba AD DC was not complete, and so absent a
==              'full-sync' replication, ACLs could get out of
==              sync between domain controllers.
===========================================================

===========
Description
===========

A newly delegated right, but more importantly the removal of a
delegated right, would not be inherited on any DC other than the one
where the change was made.

For example:
 - if a user or group was previously delegated the right to
   create or modify a subtree (say to allow desktop support to reset
   passwords and create users)
 - and subsequently this right was taken away

The removal would not automatically be taken away on all domain
controllers.

Because this patch only fixes new replication into the future, it is
vital that a full-sync be done TO each Domain Controller to ensure
each ACL (ntSecurityDescriptor) is re-calculated on the whole set of
DCs. See the instructions in "workaround and required steps
post-upgrade" below.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

==========================================
Workaround and required steps post-upgrade
==========================================

Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause
all ACLs to be synchronised from DC2 to DC1, for the given NC (naming
context), e.g.:

samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync
samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync
samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

Internally, both in patched and un-patched versions, for every object
replicated with a --full-sync, the inheritance will be correctly
calculated. This only needs to be done TO each DC, not for each
pair-wise pair.

=======
Credits
=======

Reported by a number of Samba users and sites since 2017, but now
recognised as a security issue after triage. We apologise for the
delay in dealing with this issue.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
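The post-upgrade procedure above has one easily missed property: every DC must be the destination of a --full-sync for every naming context, but the pairwise product of all DCs is not needed. The following shell script is an added example, not part of the Samba advisory or of the Samba project's tooling; it plans the minimal set of samba-tool invocations for a given list of DCs and naming contexts (the host names and NCs are constructed placeholders) and, by default, only prints the plan so an administrator can review it before setting RUN=1 to execute it.

```shell
#!/bin/sh
# Added example (not from the Samba advisory): plan the post-upgrade
# full-sync so that every DC is the destination exactly once per naming
# context, rather than running every pairwise combination.
#
# 'samba-tool drs replicate DEST SOURCE NC --full-sync' pulls NC into
# DEST from SOURCE (the advisory's "$DC1 $DC2 $NC" form).

# Constructed sample values; replace with your own DCs and NCs.
DCS="my-DC1 my-DC2 my-DC3"
NCS="DC=samba,DC=example,DC=com CN=Configuration,DC=samba,DC=example,DC=com"

# plan_full_sync "DC list" "NC list"
# Prints one samba-tool command per line. Each DC is the destination
# once per NC; its source is the next DC in the list (the last DC pulls
# from the first), giving N*M commands instead of N*(N-1)*M.
plan_full_sync() {
    dcs="$1"
    ncs="$2"
    set -- $dcs
    first="$1"
    while [ $# -gt 0 ]; do
        dest="$1"
        shift
        if [ $# -gt 0 ]; then src="$1"; else src="$first"; fi
        # A single-DC domain has no peer to pull from.
        [ "$src" = "$dest" ] && continue
        for nc in $ncs; do
            printf 'samba-tool drs replicate %s %s %s --full-sync\n' \
                "$dest" "$src" "$nc"
        done
    done
}

# count_commands "DC list" "NC list": number of replicate calls planned.
count_commands() {
    plan_full_sync "$1" "$2" | wc -l | tr -d ' '
}

# run_full_sync "DC list" "NC list": print the plan, or execute it when
# RUN=1. Stops at the first failing replication so a DC is not silently
# left with stale ACLs.
run_full_sync() {
    plan_full_sync "$1" "$2" | while IFS= read -r cmd; do
        if [ "${RUN:-0}" = "1" ]; then
            # shellcheck disable=SC2086
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        else
            echo "$cmd"
        fi
    done
}
```

Running the script with the sample lists prints six commands for three DCs and two NCs; the two-DC case reproduces exactly the four commands the advisory lists. Because the ACL recalculation happens on the receiving side, the order in which destinations are processed does not matter, but every DC must appear as a destination for each NC before the domain can be considered consistent.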