The Samba-Bugzilla – Attachment 17768 Details for Bug 15270
CVE-2023-0614 [SECURITY] Not-secret but access controlled LDAP attributes can be discovered
Advisory v3: CVE-2023-0614-ldap-confidential-attrs-v3.txt (text/plain), 4.80 KB, created by Andrew Bartlett on 2023-02-23 00:45:34 UTC
===========================================================
== Subject:     Access controlled LDAP attributes can be discovered
==
== CVE ID#:     CVE-2023-0614
==
== Versions:    All Samba releases since Samba 4.7.9, 4.8.4, 4.9.7 and 4.6.16
==
== Summary:     The fix in the above versions for CVE-2018-10919
==              (Confidential attribute disclosure via LDAP filters)
==              was incomplete and a viable timing attack has been
==              demonstrated to obtain confidential BitLocker recovery
==              keys from a Samba AD DC.
===========================================================

===========
Description
===========

In Active Directory, there are essentially four different classes of
attributes.

 - Secret attributes (such as a user, computer or domain trust
   password) that are never disclosed and are not available to search
   against over LDAP. This is a hard-coded list, and in Samba these
   are additionally encrypted in the DB with a per-DB key.

 - Confidential attributes (marked as such in the schema) that have a
   default access restriction allowing access only to the owner of the
   object.

 - Access controlled attributes (for reads or writes), for which Samba
   honours the access control specified in the ntSecurityDescriptor.

 - Public attributes. Most attributes in Active Directory are
   available to read by all authenticated users.

Because the access control rules for a given attribute are not
consistent between objects, Samba implemented access control
restrictions only after matching objects against the filter.

Taking each of the above classes in turn:

 - Secret attributes are prevented from disclosure firstly by
   redaction of the LDAP filter, and secondly by the fact that they
   are still encrypted during filter processing (by default).

 - Confidential and access controlled attributes were subject to a
   timing attack using LDAP filters, with this approach disclosing an
   access controlled value in seconds.
With this security patch, for attributes mentioned in the search
filter, Samba will perform a per-object access control evaluation
before LDAP filter matching on the attribute, preventing unauthorised
disclosure of the value of (for example) BitLocker recovery keys.

It is not expected that all other timing attacks have been
prevented, and it is likely still possible to determine if an object
or attribute on an object is present, but not the contents.

==================================
Limitations for indexed attributes
==================================

Additionally, due to the nature of our object indexes, Samba must
evaluate these prior to ACL checking, so read-access-controlled
information should not be stored in indexed attributes.

Again, taking each of the above classes in turn:

 - Secret attributes cannot be indexed or searched for, so have always
   been protected.

 - Confidential attributes are further protected, as this patch will
   prevent attributes marked as 'confidential' from being indexed.
   Search results for these will be safer, but slower. The impacted
   attributes on your server can be seen with:

   ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))' lDAPDisplayName

   (1.2.840.113556.1.4.803 is the bitwise-AND matching rule, and 129 is
   fATTINDEX (1) plus fCONFIDENTIAL (128) in searchFlags, so this
   selects attributes that are both indexed and confidential. It will
   normally return no results, and no such attributes have this
   combination by default.)

 - Access controlled attributes that are also indexed may be subject
   to timing attacks.

   The list of indexed attributes can be seen (adapt for your local
   environment) with:

   ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' lDAPDisplayName


==================
Patch Availability
==================

Patches addressing this issue have been posted to:

 https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5)

==========
Workaround
==========

Do not store confidential information in Active Directory, other than
passwords or keys required for AD operation (as these are in the
hard-coded secret attribute list).

=======
Credits
=======

Originally reported by Demi Marie Obenour of Invisible Things Lab.

Patches provided by Joseph Sutton of Catalyst and the Samba Team,
reviewed by Andrew Bartlett of Catalyst and the Samba Team.

Advisory by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
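An offline audit helper for the two ldbsearch checks in the "Limitations for indexed attributes" section above. This is an added example, not part of the advisory and not Samba code: it parses saved ldbsearch LDIF output (the advisory's queries run with searchFlags added to the requested attribute list) and re-applies the bitwise-AND matching rule 1.2.840.113556.1.4.803 locally, so the indexed and confidential classification of every attribute can be reviewed, not just the ones a single mask happens to select. The searchFlags bit names follow MS-ADTS; the sample LDIF and its attribute names and values are constructed for the example and describe no real schema.

```python
"""Classify attributeSchema records from saved ldbsearch output by searchFlags.
Added example for this page; not Samba code. Sample input is constructed."""

import base64

# searchFlags bits (MS-ADTS). The advisory's filters use masks
# 129 (fATTINDEX | fCONFIDENTIAL) and 1 (fATTINDEX).
SEARCH_FLAGS = {
    0x0001: "fATTINDEX", 0x0002: "fPDNTATTINDEX", 0x0004: "fANR",
    0x0008: "fPRESERVEONDELETE", 0x0010: "fCOPY", 0x0020: "fTUPLEINDEX",
    0x0040: "fSUBTREEATTINDEX", 0x0080: "fCONFIDENTIAL",
    0x0100: "fNEVERVALUEAUDIT", 0x0200: "fRODCFilteredAttribute",
    0x0400: "fEXTENDEDLINKTRACKING", 0x0800: "fBASEONLY",
    0x1000: "fPARTITIONSECRET",
}
F_ATTINDEX = 0x0001
F_CONFIDENTIAL = 0x0080


def parse_ldif(text):
    """Minimal LDIF reader for ldbsearch output: blank-line separated records,
    '#' comments, ' ' continuation lines and '::' base64 values.
    Returns a list of {attribute-name-lowercased: [values]} dicts."""
    lines = []
    for raw in text.splitlines():          # unfold continuation lines first
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:               # trailing "" flushes the last record
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                records.append(current)
                current = {}
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        current.setdefault(name.strip().lower(), []).append(value.strip())
    return records


def bit_and_match(flags, mask):
    """LDAP_MATCHING_RULE_BIT_AND semantics: every bit of `mask` set in `flags`."""
    return (flags & mask) == mask


def attributes_matching(records, mask):
    """lDAPDisplayNames whose searchFlags satisfy
    (searchFlags:1.2.840.113556.1.4.803:=mask), as the advisory's queries do."""
    out = []
    for rec in records:
        if "attributeschema" not in [c.lower() for c in rec.get("objectclass", [])]:
            continue
        if bit_and_match(int(rec.get("searchflags", ["0"])[0]), mask):
            out.append(rec["ldapdisplayname"][0])
    return out


def describe_flags(flags):
    """Human-readable bit names for a searchFlags value."""
    return [name for bit, name in SEARCH_FLAGS.items() if flags & bit]


# Constructed sample output; names and flag values are invented for the example.
SAMPLE_LDIF = """\
# record 1
dn: CN=Example-Asset-Secret,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: exampleAssetSecret
searchFlags: 129

dn: CN=Example-Recovery-Password,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName:: ZXhhbXBsZVJlY292ZXJ5UGFzc3dvcmQ=
searchFlags: 128

dn: CN=Example-Indexed-Public,CN=Schema,CN=Configuration,DC=example,DC=com
objectClass: attributeSchema
lDAPDisplayName: exampleIndexedPublic
searchFlags: 13

# returned 3 records
"""

if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    print("indexed AND confidential (129):", attributes_matching(recs, 129))
    print("indexed (1):", attributes_matching(recs, F_ATTINDEX))
    for rec in recs:
        print(rec["ldapdisplayname"][0], describe_flags(int(rec["searchflags"][0])))
```

To use it against a real server, run the advisory's ldbsearch command with searchFlags appended to the attribute list and feed the output to parse_ldif; the 129 list should be empty after the patch, and every name in the 1 list deserves a look at whether its read access is restricted by ntSecurityDescriptor, since those are the attributes the index still evaluates before the ACL check.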