===========================================================
== Subject:     Access controlled LDAP attributes can be discovered
==
== CVE ID#:     CVE-2023-0614
==
== Versions:    All Samba releases since Samba 4.7.9, 4.8.4, 4.9.7
==              and 4.6.16
==
== Summary:     The fix in the above versions for CVE-2018-10919
==              Confidential attribute disclosure via substring
==              search was incomplete and a viable timing attack
==              has been demonstrated to obtain confidential
==              BitLocker recovery keys from a Samba AD DC.
===========================================================

===========
Description
===========

In Active Directory, there are essentially four different classes of
attributes.

 - Secret attributes that are never disclosed and are not available
   to search against over LDAP.  This is a hard-coded list, and in
   Samba these are additionally encrypted in the DB with a per-DB key.

 - Confidential attributes (marked as such in the schema) that have a
   default access restriction allowing access only to the owner of
   the object.

 - Access controlled attributes (for reads or writes), where Samba
   will honour the access control specified in the
   ntSecurityDescriptor.

 - Public attributes for read.  Most attributes in Active Directory
   are available to read by all authenticated users.

Because the access control rules for a given attribute are not
consistent between objects, Samba implements access control
restrictions after the object match, except that it will prevent (by
encryption of the attribute and redaction of the LDAP filter (query))
searches on secret attributes.

However this approach allows a timing attack using a prefix match on
confidential or otherwise access controlled attributes.

With this security patch, for attributes mentioned in the search
filter, Samba will perform a per-object access control evaluation
before matching on the attribute, preventing disclosure of the value
of (for example) BitLocker recovery keys.
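A small model of the two evaluation orders, added here as an illustration and not taken from Samba's source: the pre-patch server matches the filter first and applies access control only to the returned attributes, so whether the object is returned at all confirms a prefix; the patched order checks per-object access to the filtered attribute before matching. The directory contents, the simplified ACL and the use of msFVE-RecoveryPassword as the BitLocker attribute are assumptions of the example.

```python
from dataclasses import dataclass

# Constructed model of the advisory's attribute classes. Secret attributes are
# redacted from the filter outright (the CVE-2018-10919 fix); every other
# attribute's readability is decided per object from a simplified ACL.
SECRET_ATTRS = {"unicodePwd"}

@dataclass
class LdapObject:
    dn: str
    attrs: dict   # attribute name -> value
    acl: dict     # attribute name -> set of principals allowed to read it

def can_read(obj, attr, caller):
    """Per-object access check: an attribute absent from the ACL is public."""
    allowed = obj.acl.get(attr)
    return allowed is None or caller in allowed

def prefix_matches(obj, attr, prefix):
    """Evaluate a substring filter of the form (attr=prefix*)."""
    value = obj.attrs.get(attr)
    return value is not None and value.startswith(prefix)

def search_before_fix(objs, attr, prefix, caller):
    """Pre-patch order: match first; access control is applied only to the
    attribute values returned, so the match itself leaks the prefix."""
    if attr in SECRET_ATTRS:
        return []
    return [o.dn for o in objs if prefix_matches(o, attr, prefix)]

def search_after_fix(objs, attr, prefix, caller):
    """Patched order: check access to the filtered attribute on each object
    before matching, so a value the caller may not read can never match."""
    if attr in SECRET_ATTRS:
        return []
    return [o.dn for o in objs
            if can_read(o, attr, caller) and prefix_matches(o, attr, prefix)]

# Constructed directory: the recovery password is readable only by Domain
# Admins (attribute name assumed); the computer object itself is public.
DIRECTORY = [
    LdapObject("CN=PC1,CN=Computers,DC=example,DC=com", {"cn": "PC1"}, {}),
    LdapObject("CN=recovery-1,CN=PC1,CN=Computers,DC=example,DC=com",
               {"msFVE-RecoveryPassword": "123456-654321-111111"},
               {"msFVE-RecoveryPassword": {"Domain Admins"}}),
]

def leak_check(search, caller="alice"):
    """Does a prefix filter on the protected attribute match for this caller?"""
    return search(DIRECTORY, "msFVE-RecoveryPassword", "123", caller)

if __name__ == "__main__":
    print("before fix:", leak_check(search_before_fix))  # object returned
    print("after fix: ", leak_check(search_after_fix))   # []
```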
NOTE WELL: It is not expected that all other timing attacks have been
prevented, and it is likely still possible to determine if an object
or attribute on an object is present, but not the contents.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect.  Samba administrators are advised to upgrade to
these releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5)

==========
Workaround
==========

Do not store confidential information in Active Directory, other than
passwords or keys required for AD operation (as these are in the
hard-coded secret attribute list).

=======
Credits
=======

Originally reported by Demi Marie Obenour of Invisible Things Lab.

Patches provided by Joseph Sutton of Catalyst and the Samba team,
reviewed by Andrew Bartlett of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================