The Samba-Bugzilla – Attachment 17783 Details for
Bug 15315
CVE-2023-0922 [SECURITY] Samba AD DC admin tool samba-tool sends passwords in cleartext
Attachment 17783: Advisory v3
Filename: CVE-2023-0922-samba-tool-sends-cleartext-password-sec-only-advisory-v3.txt
MIME Type: text/plain
Creator: Andrew Bartlett
Created: 2023-02-28 01:51:12 UTC
Size: 3.03 KB
===========================================================
== Subject:     Samba AD DC admin tool samba-tool sends passwords in cleartext
==
== CVE ID#:     CVE-2023-0922
==
== Versions:    All versions of Samba since 4.0
==
== Summary:     The Samba AD DC administration tool, when operating
                against a remote LDAP server, will by default send
                new or reset passwords over a signed-only connection.
===========================================================

===========
Description
===========

Active Directory allows passwords to be set and changed over LDAP.
Microsoft's implementation imposes a restriction that this may only
happen over an encrypted connection; Samba, however, does not
currently have this restriction.

Samba's samba-tool client tool likewise has no restriction regarding
the security of the connection it will set a password over.

An attacker able to observe the network traffic between samba-tool and
the Samba AD DC could obtain newly set passwords if samba-tool
connected using a Kerberos secured LDAP connection against a Samba AD
DC.

This would happen when samba-tool was used to reset a user's
password, or to add a new user.

This only impacts connections made using Kerberos, as NTLM-protected
connections are upgraded to encryption regardless.

This patch changes all Samba AD LDAP client connections to use
encryption, as well as integrity protection, by default, by changing
the default value of "client ldap sasl wrapping" to "seal" in Samba's
smb.conf.

Administrators should confirm this value has not been overridden in
their local smb.conf to obtain the benefit of this change.

NOTE WELL: Samba, for consistency, uses a common smb.conf option for
LDAP client behaviour. Therefore this will also encrypt the AD LDAP
connections between Samba's winbindd and any AD DC, so this patch will
also change behaviour for Samba Domain Member configurations.

If this is a concern, the smb.conf value "client ldap sasl wrapping"
can be reset to "sign".

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)

==========
Workaround
==========

Set "client ldap sasl wrapping = seal" in the smb.conf or add the
--option=clientldapsaslwrapping=sign option to any samba-tool or
ldbmodify invocation that sets a password.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team
working with Rob van der Linde of Catalyst.

Patches provided by Rob van der Linde of Catalyst and Andrew Bartlett
of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
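As an added example (not code from the advisory or from Samba), a small audit for the "confirm this value has not been overridden in their local smb.conf" step above: it resolves the effective "client ldap sasl wrapping" value against the version default and reports whether Kerberos LDAP password traffic would actually be sealed. It assumes Samba's INI-style smb.conf, parameter names compared case-insensitively with whitespace ignored (the same normalisation that makes the advisory's clientldapsaslwrapping spelling work), and the defaults the advisory states.

```python
"""Audit the effective 'client ldap sasl wrapping' value in an smb.conf.
Added example, not code from the advisory or Samba. Assumes Samba's INI-style
smb.conf, parameter names compared case-insensitively with whitespace ignored
(clientldapsaslwrapping == client ldap sasl wrapping), and the defaults the
advisory states: 'sign' before the CVE-2023-0922 fix, 'seal' after it."""
import re
from typing import Optional

PARAM = "client ldap sasl wrapping"
VALID = {"plain", "sign", "seal"}

# Constructed sample: an admin pinned the old default, which silently cancels
# the benefit of upgrading to a patched Samba (the advisory's warning).
SAMPLE_CONF = """
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.LOCAL
    ClientLdapSaslWrapping = sign
"""

def canon(name: str) -> str:
    """Normalise a parameter name the way Samba compares them."""
    return re.sub(r"\s+", "", name).lower()

def global_value(conf_text: str, param: str) -> Optional[str]:
    """Return `param` as set in [global] (later lines win), or None if unset."""
    section, found = "global", None  # lines before any header are global
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":  # whole-line comments only
            continue
        if line.startswith("[") and line.endswith("]"):
            section = canon(line[1:-1])
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if canon(key) == canon(param):
                found = value.strip().lower()
    return found

def effective_wrapping(conf_text: str, patched: bool) -> str:
    """Explicit [global] value if present, otherwise the version's default."""
    value = global_value(conf_text, PARAM)
    if value is None:
        return "seal" if patched else "sign"
    return value if value in VALID else "invalid"

def password_traffic_sealed(conf_text: str, patched: bool) -> bool:
    """True only if Kerberos LDAP password sets would be encrypted, not just signed."""
    return effective_wrapping(conf_text, patched) == "seal"
```

Because winbindd shares the same option, a pinned "sign" also leaves domain-member LDAP traffic unencrypted after the upgrade, so the audit applies to member servers as well as DC admin hosts.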
Flags: jsutton: review+