===========================================================
== Subject:     Access controlled LDAP attributes can be discovered
==
== CVE ID#:     CVE-2023-0614
==
== Versions:    All Samba releases since Samba 4.7.9, 4.8.4, 4.9.7 and 4.6.16

==
== Summary:     The fix in the above versions for CVE-2018-10919
                Confidential attribute disclosure via LDAP filters
                was incomplete and a viable timing attack has been
                demonstrated to obtain confidential BitLocker recovery
                keys from a Samba AD DC.
===========================================================

===========
Description
===========

In Active Directory, there are essentially four different classes of
attributes.

 - Secret attributes (such as a user, computer or domain trust
   password) that are never disclosed and are not available to search
   against over LDAP.  This is a hard-coded list, and in Samba these
   are additionally encrypted in the DB with a per-DB key.

 - Confidential attributes (marked as such in the schema) that have a
   default access restriction allowing access only to the owner of the
   object.

 - Access controlled attributes (for reads or writes), Samba will
   honour the access control specified in the ntSecurityDescriptor.

 - Public attributes for read.  Most attributes in Active Directory
   are available to read by all authenticated users.

Because the access control rules for a given attribute are not
consistent between objects, Samba implemented access control
restrictions only after matching objects against the filter.

Taking each of the above classes in turn:

 - Secret attributes are prevented from disclosure firstly by
   redaction of the LDAP filter, and secondly by the fact that they
   are still encrypted during filter processing (by default).

 - Confidential and access controlled attributes were subject to a
   timing attack using LDAP filters, with this approach disclosing an
   access controlled value in seconds.

With this security patch, for attributes mentioned in the search
filter, Samba will perform a per-object access control evaluation
before LDAP filter matching on the attribute, preventing unauthorised
disclosure of the value of (for example) BitLocker recovery keys.

It is not expected that all other timing attacks have been
prevented, and it is likely still possible to determine if an object
or attribute on an object is present, but not the contents.

==================================
Limitations for indexed attributes
==================================

Additionally, due to the nature of our object indexes, Samba must
evaluate these prior to ACL checking, so read access controlled,
information should not be stored in indexed attributes.

Again, taking each of the above classes in turn:

 - Secret attributes cannot be indexed or searched for, so have always
   been protected

 - Confidential attributes are further protected, as this patch will
   prevent attributes marked as 'confidential' from being indexed.
   Search results for these will be safer, but slower.  The impacted
   attributes on your server can be seen with:

   ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))' lDAPDisplayName

   (This will normally return no results and no such attributes have
   this combination by default)
   
 - Access controlled attributes that are also indexed may be subject
   to timing attacks.

   The list of indexed attributes can be seen (adapt for your local
   environment) with:

   ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' lDAPDisplayName


==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5)

==========
Workaround
==========

Do not store confidential information in Active Directory, other than
passwords or keys required for AD operation (as these are in the
hard-coded secret attribute list).

=======
Credits
=======

Originally reported by Demi Marie Obenour of Invisible Things Lab.

Patches provided by Joseph Sutton of Catalyst and the Samba team,
reviewed by Andrew Bartlett of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================