The Samba-Bugzilla – Attachment 17760 Details for
Bug 15270
CVE-2023-0614 [SECURITY] Not-secret but access controlled LDAP attributes can be discovered
Advisory v1 without release versions
CVE-2023-0614-ldap-confidential-attrs-v1.txt (text/plain), 3.27 KB, created by Andrew Bartlett on 2023-02-19 21:22:50 UTC
===========================================================
== Subject:     Access controlled LDAP attributes can be discovered
==
== CVE ID#:     CVE-2023-0614
==
== Versions:    All Samba releases since Samba 4.7.9, 4.8.4, 4.9.7 and 4.6.16
==
== Summary:     The fix in the above versions for CVE-2018-10919
==              Confidential attribute disclosure via substring search
==              was incomplete and a viable timing attack has been
==              demonstrated to obtain confidential BitLocker recovery
==              keys from a Samba AD DC.
===========================================================

===========
Description
===========

In Active Directory, there are essentially four different classes of
attributes.

 - Secret attributes that are never disclosed and are not available to
   search against over LDAP. This is a hard-coded list, and in Samba
   these are additionally encrypted in the DB with a per-DB key.

 - Confidential attributes (marked as such in the schema) that have a
   default access restriction allowing access only to the owner of the
   object.

 - Access controlled attributes (for reads or writes): Samba will
   honour the access control specified in the ntSecurityDescriptor.

 - Public attributes for read. Most attributes in Active Directory
   are available to read by all authenticated users.

Because the access control rules for a given attribute are not
consistent between objects, Samba implements access control
restrictions after the object match, except that it will prevent (by
encryption of the attribute and redaction of the LDAP filter (query))
searches on secret attributes.

However, this approach allows a timing attack using a prefix match on
confidential or otherwise access controlled attributes.

With this security patch, for attributes mentioned in the search
filter, Samba will perform a per-object access control evaluation
before matching on the attribute, preventing disclosure of the value
of (for example) BitLocker recovery keys.

NOTE WELL: It is not expected that all other timing attacks have been
prevented, and it is likely still possible to determine if an object
or attribute on an object is present, but not the contents.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5)

==========
Workaround
==========

Do not store confidential information in Active Directory, other than
passwords or keys required for AD operation (as these are in the
hard-coded secret attribute list).

=======
Credits
=======

Originally reported by Demi Marie Obenour of Invisible Things Lab.

Patches provided by Joseph Sutton of Catalyst and the Samba team,
reviewed by Andrew Bartlett of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
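
The ordering change described in the advisory, as a simplified in-memory model. This is an added example, not Samba code and not part of the advisory; Entry, the recoveryKey attribute, the DNs and the user names are all constructed for illustration.

```python
# Added illustration, not Samba code: a toy directory showing why the order
# of "match the filter" and "check access" matters for restricted attributes.
# Every name and value here is constructed.
from dataclasses import dataclass, field


@dataclass
class Entry:
    dn: str
    attrs: dict                                   # attribute -> value
    readers: dict = field(default_factory=dict)   # attribute -> users allowed to read

    def can_read(self, user, attr):
        allowed = self.readers.get(attr)          # no restriction: public for read
        return allowed is None or user in allowed


def search_match_first(entries, user, attr, prefix):
    """Pre-fix order: match on the stored value, apply access control afterwards."""
    results, trace = [], []
    for e in entries:
        value = e.attrs.get(attr)
        trace.append(("match", e.dn))
        if value is not None and value.startswith(prefix):
            trace.append(("acl", e.dn))           # extra work only when the value matched
            if e.can_read(user, attr):
                results.append(e.dn)
    return results, trace


def search_acl_first(entries, user, attr, prefix):
    """Post-fix order: per-object access check before the value is compared."""
    results, trace = [], []
    for e in entries:
        trace.append(("acl", e.dn))
        # An attribute the requester cannot read is treated as absent.
        value = e.attrs.get(attr) if e.can_read(user, attr) else None
        trace.append(("match", e.dn))
        if value is not None and value.startswith(prefix):
            results.append(e.dn)
    return results, trace


DIRECTORY = [
    Entry("CN=pc1", {"recoveryKey": "constructed-key-1"}, {"recoveryKey": {"owner1"}}),
    Entry("CN=pc2", {"recoveryKey": "sample-key-2"}, {"recoveryKey": {"owner2"}}),
    Entry("CN=pc3", {"description": "public text"}),
]
```

For a requester without read access both functions return no results, but only the access-check-first order performs the same sequence of operations whatever prefix is supplied. The real server does more work per object than this model, which is why the advisory notes that presence of an object or attribute may still be observable.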