=========================================================== == Subject: Samba AD DC password exposure to privileged == users and RODCs == == CVE ID#: == == Versions: All versions since Samba 4.0.0 == == Summary: An RODC and a user with the GET_CHANGES == right can view all attributes, including == secrets and passwords. == == Additionally, the access check fails open == on error conditions. =========================================================== =========== Description =========== In normal operation, passwords and (most) secrets are never disclosed over LDAP in Active Directory. However, due to a design flaw in Samba's implementation of the DirSync control, Active Directory accounts authorized to do some replication, but not to replicate sensitive attributes, can instead replicate critical domain passwords and secrets. In a default installation, this means that Administrator accounts - who can always reset any password - and more concernedly RODC DC accounts (which should only be permitted to replicate some passwords) can instead obtain all domain secrets, including the krbtgt. RODCs are given this permission as part of their installation for DRS replication. This vulnerability removes the RODC / DC distinction. Secondly, and just as problematically, the access check for this functionality will fail open on error conditions, some of which (eg out of memory) may be influenced by a low-privileged attacker. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== password disclosure to privileged but not full admin account: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2) fail open access check: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5) ================================= Workaround and mitigating factors ================================= If no RODC accounts are in use in the domain, and DirSync users set LDAP_DIRSYNC_OBJECT_SECURITY then there is no need to give this right to any users. If only privileged accounts have this right, only the error path vulnerability exists. Since Windows 2003 and in all versions of Samba, it has not been required to assign accounts this "Get Changes" / GUID_DRS_GET_CHANGES right to use LDAP DirSync, provided that the LDAP_DIRSYNC_OBJECT_SECURITY it set in the control. If any unprivileged accounts do have this right, this could be removed. GUID_DRS_GET_CHANGES / 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 is an extended right set in the ntSecurityDescriptor on the NC root (the DN at the top of each partition). These are for example the domain DN, configuration DN etc. The domain DN is the most important. ======= Credits ======= Originally reported by Andrew Bartlett of Catalyst and the Samba Team during routine code review. Patches provided by Andrew Bartlett of Catalyst and the Samba team. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================