=========================================================== == Subject: Samba AD DC "dnsHostname" attribute can be deleted by unprivileged authenticated users. == == CVE ID#: CVE-2023-0225 == == Versions: Samba 4.17.0 and later versions == == Summary: An incomplete access check on dnsHostName allows authenticated but otherwise unprivileged users to delete this attribute from any object in the directory. =========================================================== =========== Description =========== In implementing the Validated dnsHostName permission check in Samba's Active Directory DC, and therefore applying correctly constraints on the values of a dnsHostName value for a computer in a Samba domain (CVE-2022-32743), the case where the dnsHostName is deleted, rather than modified or added, was incorrectly handled. Therefore, in Samba 4.17.0 and later an LDAP attribute value deletion of the dnsHostName attribute became possible for authenticated but otherwise unprivileged users, for any object. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS3.1:AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L (5.4) ========== Workaround ========== The AD DC LDAP server is a critical component of the AD DC, and it should not be disabled. However it can be disabled by setting server services = -ldap in the smb.conf and restarting Samba ======= Credits ======= Originally reported by Lukas Mitter. Patches provided by Joseph Sutton of Catalyst and the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================