===========================================================
== Subject:     Samba AD DC admin tool samba-tool sends passwords in cleartext
==
== CVE ID#:     CVE-2023-0922
==
== Versions:    All versions of Samba since 4.0
==
== Summary:
===========================================================

===========
Description
===========

Active Directory allows passwords to be set and changed over LDAP.
Microsoft's implementation imposes a restriction that this may only happen
over an encrypted connection; however, Samba does not currently have this
restriction.

Samba's samba-tool client tool likewise has no restriction regarding the
security of the connection it will set a password over.

An attacker with access to observe the network traffic between samba-tool
and the Samba AD DC could observe new passwords if samba-tool is connecting
using a Kerberos secured connection against a Samba AD DC. This would happen
when samba-tool is being used to reset a user's password, or when adding a
new user.

This patch changes all Samba LDAP client connections to use encryption, as
well as integrity protection, by default, by changing the default value of
"client ldap sasl wrapping" to "seal" in Samba's smb.conf. Administrators
should confirm this value has not been overridden in their local smb.conf
to obtain the benefit of this change.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued as security releases to
correct the defect. Samba administrators are advised to upgrade to these
releases or apply the patch as soon as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)

==========
Workaround
==========

Set "client ldap sasl wrapping = seal" in the smb.conf or add the
--option=clientldapsaslwrapping=sign option to any samba-tool or ldbmodify
invocation that sets a password.
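The advisory asks administrators to confirm that "client ldap sasl wrapping" has not been overridden locally. The following checker is an example added here, not code from the Samba project or from this advisory: it reads the [global] section of an smb.conf the way Samba matches parameter names (whitespace and case ignored, later lines overriding earlier ones) and reports whether an explicit override undoes the "seal" default. The `patched` flag and the sample smb.conf fragments are assumptions constructed for the example.

```python
import re

PARAM = "client ldap sasl wrapping"


def normalize(name: str) -> str:
    """Samba ignores whitespace and case in parameter names, so the
    --option=clientldapsaslwrapping spelling and the smb.conf spelling match."""
    return re.sub(r"\s+", "", name).lower()


def explicit_wrapping(smb_conf: str):
    """Value of 'client ldap sasl wrapping' set in [global], or None when the
    file leaves it unset and the build default applies."""
    section, value = None, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        if normalize(key) == normalize(PARAM):
            value = val.strip().lower()  # a later line overrides an earlier one
    return value


def check_wrapping(smb_conf: str, patched: bool) -> str:
    """Classify the effective setting; 'patched' (an assumption of this checker)
    means the running Samba carries the CVE-2023-0922 fix, whose default is 'seal'."""
    value = explicit_wrapping(smb_conf)
    if value == "seal":
        return "ok: seal set explicitly"
    if value is None:
        return ("ok: unset, patched default is seal" if patched
                else "warn: unset, default is not seal before the fix")
    return f"fail: overridden to '{value}', LDAP password changes go unencrypted"


# Constructed sample smb.conf fragments, not taken from any real deployment.
OVERRIDDEN_CONF = """\
[global]
    realm = EXAMPLE.COM
    Client LDAP SASL Wrapping = sign
"""
UNSET_CONF = "[global]\n    realm = EXAMPLE.COM\n"

if __name__ == "__main__":
    for name, conf in (("overridden", OVERRIDDEN_CONF), ("unset", UNSET_CONF)):
        print(name, "->", check_wrapping(conf, patched=True))
```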
=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team
working with Rob van der Linde of Catalyst.

Patches provided by Rob van der Linde of Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================