The Samba-Bugzilla – Attachment 17767 Details for Bug 15270
CVE-2023-0614 [SECURITY] Not-secret but access controlled LDAP attributes can be discovered
Updated v2 advisory
CVE-2023-0614-ldap-confidential-attrs-v2.txt (text/plain), 4.31 KB, created by
Andrew Bartlett
on 2023-02-22 23:42:48 UTC
===========================================================
== Subject:     Access controlled LDAP attributes can be discovered
==
== CVE ID#:     CVE-2023-0614
==
== Versions:    All Samba releases since Samba 4.7.9, 4.8.4, 4.9.7 and 4.6.16
==
== Summary:     The fix in the above versions for CVE-2018-10919
==              (Confidential attribute disclosure via LDAP filters)
==              was incomplete, and a viable timing attack has been
==              demonstrated to obtain confidential BitLocker recovery
==              keys from a Samba AD DC.
===========================================================

===========
Description
===========

In Active Directory, there are essentially four different classes of
attributes.

 - Secret attributes that are never disclosed and are not available to
   search against over LDAP. This is a hard-coded list, and in Samba
   these are additionally encrypted in the DB with a per-DB key.

 - Confidential attributes (marked as such in the schema) that have a
   default access restriction allowing access only to the owner of the
   object.

 - Access controlled attributes (for reads or writes), for which Samba
   honours the access control specified in the ntSecurityDescriptor.

 - Public attributes for read. Most attributes in Active Directory
   are available to read by all authenticated users.

Because the access control rules for a given attribute are not
consistent between objects, Samba implemented access control
restrictions only after matching objects against the filter. The one
exception is secret attributes, where searches are prevented by
encrypting the attribute in the DB and redacting it from the LDAP
filter (query).

However, this approach allows a timing attack using LDAP filters against
confidential or otherwise access controlled attributes: the attacker is
never returned the attribute, but the time taken to answer a search
depends on whether the filter matched, so candidate values can be
tested (a character at a time) with no right to read the attribute.
This discloses an access controlled value in seconds.

With this security patch, for attributes mentioned in the search
filter, Samba will perform a per-object access control evaluation
before LDAP filter matching on the attribute, preventing unauthorised
disclosure of the value of (for example) BitLocker recovery keys.

===========
Limitations
===========

It is not expected that all other timing attacks have been
prevented, and it is likely still possible to determine whether an
object, or an attribute on an object, is present, but not its
contents.

Additionally, due to the nature of our object indexes, Samba must
evaluate these prior to ACL checking, so read-access-controlled
information should not be stored in indexed attributes.

The list of indexed attributes can be seen (adapt for your local
environment) with the following query; the matching rule
1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, and bit 1 of
searchFlags is the index flag:

ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' lDAPDisplayName

This patch will however prevent attributes marked as 'confidential' in
the schema from any longer being regarded as indexed attributes (no
such attributes have this combination by default). Search results for
these will be safer, but slower. The impacted attributes on your
server can be seen with the same query for bit 1 together with bit 128
(the confidential flag):

ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))' lDAPDisplayName

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

  https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
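The two evaluation orders described above (access control after filter matching, versus the patched per-object access check before matching) as a toy model. This is an added example, not Samba's code: the attribute name recoveryKey, the DNs, the users, the per-attribute reader sets that stand in for an ntSecurityDescriptor, and the operation-count cost model that stands in for wall-clock time are all constructed here. It shows why the pre-patch ordering yields a timing oracle that recovers a value the caller may not read, character by character, and why the patched ordering gives every guess the same cost.

```python
"""Toy model of LDAP filter evaluation order vs. per-attribute access control.

Constructed illustration only: not Samba's code, and no real schema names.
The made-up attribute 'recoveryKey' stands in for the BitLocker recovery
attribute, a per-attribute set of permitted readers stands in for the
ntSecurityDescriptor, and counted operations stand in for elapsed time.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed cost model: one security-descriptor evaluation is far more
# expensive than one character comparison inside the filter matcher.
ACL_CHECK_COST = 50


@dataclass(frozen=True)
class Entry:
    dn: str
    attrs: dict[str, str]
    readers: dict[str, frozenset[str]]  # attr -> users permitted to read it


def can_read(entry: Entry, attr: str, user: str) -> bool:
    """Access control evaluation (stand-in for the ntSecurityDescriptor check)."""
    return user in entry.readers.get(attr, frozenset())


def prefix_match(value: str, prefix: str) -> tuple[bool, int]:
    """Evaluate the substring filter '(attr=prefix*)' against one value.
    Returns (matched, number of character comparisons performed)."""
    compares = 0
    for v, p in zip(value, prefix):
        compares += 1
        if v != p:
            return False, compares
    return len(prefix) <= len(value), compares


def search_acl_after_match(entries, attr, prefix, user):
    """Ordering before the fix: match first, then check access on the matches.
    The caller is never handed the value, but the expensive access check runs
    only for objects whose value matched the guess, so total cost (time)
    depends on the secret."""
    cost, matched = 0, []
    for entry in entries:
        value = entry.attrs.get(attr)
        if value is None:
            continue
        ok, compares = prefix_match(value, prefix)
        cost += compares
        if not ok:
            continue
        cost += ACL_CHECK_COST          # evaluated only because the filter matched
        if can_read(entry, attr, user):
            matched.append(entry.dn)
    return matched, cost


def search_acl_before_match(entries, attr, prefix, user):
    """Patched ordering: per-object access check first, then match.
    An attribute the caller may not read is treated as absent, so the secret
    is never compared against and every guess costs the same. Whether the
    attribute is present at all may still be inferred (the advisory's stated
    remaining limitation)."""
    cost, matched = 0, []
    for entry in entries:
        if attr not in entry.attrs:
            continue
        cost += ACL_CHECK_COST          # evaluated for every object holding the attribute
        if not can_read(entry, attr, user):
            continue
        ok, compares = prefix_match(entry.attrs[attr], prefix)
        cost += compares
        if ok:
            matched.append(entry.dn)
    return matched, cost


def recover_value(search, entries, attr, user, alphabet, length):
    """Timing-oracle attack: grow the guessed prefix one character at a time,
    keeping the candidate whose search was the most expensive. Returns None
    as soon as every candidate costs the same, i.e. there is no side channel."""
    known = ""
    for _ in range(length):
        costs = {c: search(entries, attr, known + c, user)[1] for c in alphabet}
        if max(costs.values()) == min(costs.values()):
            return None
        known += max(costs, key=costs.get)
    return known


# Constructed directory: user 'mallory' may not read LAPTOP01's key.
VICTIM_DN = "CN=LAPTOP01,OU=Workstations,DC=example,DC=com"
VICTIM_KEY = "481295337706"
DIGITS = "0123456789"
ENTRIES = (
    Entry(VICTIM_DN, {"recoveryKey": VICTIM_KEY},
          {"recoveryKey": frozenset({"admin", "laptop01$"})}),
    Entry("CN=FILESRV,OU=Servers,DC=example,DC=com", {}, {}),
    Entry("CN=mallory,CN=Users,DC=example,DC=com", {}, {}),
)

if __name__ == "__main__":
    for name, fn in (("acl after match", search_acl_after_match),
                     ("acl before match", search_acl_before_match)):
        got = recover_value(fn, ENTRIES, "recoveryKey", "mallory", DIGITS, len(VICTIM_KEY))
        print(f"{name:16s}: recovered {got!r}")
```

In both orderings the unauthorised caller gets an empty result set; only the cost differs, which is the whole point of a timing side channel. The model also mirrors the advisory's caveat that the patched ordering still spends the access check on every object that holds the attribute, so presence of the attribute remains observable even though its value does not.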
==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5)

==========
Workaround
==========

Do not store confidential information in Active Directory, other than
passwords or keys required for AD operation (as these are in the
hard-coded secret attribute list).

=======
Credits
=======

Originally reported by Demi Marie Obenour of Invisible Things Lab.

Patches provided by Joseph Sutton of Catalyst and the Samba Team,
reviewed by Andrew Bartlett of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Flags: jsutton: review+