Attachment 18088 Details for Bug 15424 – Advisory v4

Advisory v4

CVE-2023-4154-dirsync-advisory-v4.txt (text/plain), 3.35 KB, created by Andrew Bartlett on 2023-09-08 03:30:13 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Andrew Bartlett

Created: 2023-09-08 03:30:13 UTC

Size: 3.35 KB

patch

obsolete

>===========================================================
>== Subject:     Samba AD DC password exposure to privileged
>==              users and RODCs
>==
>== CVE ID#:     CVE-2023-4154
>==
>== Versions:    All versions since Samba 4.0.0
>==
>== Summary:     An RODC and a user with the GET_CHANGES
>==              right can view all attributes, including
>==              secrets and passwords.
>==
>==              Additionally, the access check fails open
>==              on error conditions.
>===========================================================
>
>===========
>Description
>===========
>
>In normal operation, passwords and (most) secrets are never disclosed
>over LDAP in Active Directory.
>
>However, due to a design flaw in Samba's implementation of the DirSync
>control, Active Directory accounts authorized to do some replication,
>but not to replicate sensitive attributes, can instead replicate
>critical domain passwords and secrets.
>
>In a default installation, this means that Administrator accounts -
>who can always reset any password - and more concernedly RODC DC
>accounts (which should only be permitted to replicate some passwords)
>can instead obtain all domain secrets, including the krbtgt.
>
>RODCs are given this permission as part of their installation for DRS
>replication.  This vulnerability removes the RODC / DC distinction.
>
>Secondly, and just as problematically, the access check for this
>functionality will fail open on error conditions, some of which (eg
>out of memory) may be influenced by a low-privileged attacker.
>
>==================
>Patch Availability
>==================
>
>Patches addressing both these issues have been posted to:
>
>    https://www.samba.org/samba/security/
>
>Additionally, Samba $VERSIONS have been issued
>as security releases to correct the defect.  Samba administrators are
>advised to upgrade to these releases or apply the patch as soon
>as possible.
>
>==================
>CVSSv3 calculation
>==================
>
>password disclosure to privileged but not full admin account:
>CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)
>
>fail open access check:
>CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
>
>=================================
>Workaround and mitigating factors
>=================================
>
>If no RODC accounts are in use in the domain, and DirSync users set
>LDAP_DIRSYNC_OBJECT_SECURITY then there is no need to give this right
>to any users.  If only privileged accounts have this right, only the
>error path vulnerability exists.
>
>Since Windows 2003 and in all versions of Samba, it has not been
>required to assign accounts this "Get Changes" / GUID_DRS_GET_CHANGES
>right to use LDAP DirSync, provided that the
>LDAP_DIRSYNC_OBJECT_SECURITY it set in the control.
>
>If any unprivileged accounts do have this right, this could be
>removed.
>
>GUID_DRS_GET_CHANGES / 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 is an
>extended right set in the ntSecurityDescriptor on the NC root (the DN
>at the top of each partition).  These are for example the domain DN,
>configuration DN etc.  The domain DN is the most important.
>
>=======
>Credits
>=======
>
>Originally reported by Andrew Bartlett of Catalyst and the Samba Team
>during routine code review.
>
>Patches provided by Andrew Bartlett of Catalyst and the Samba team.
>
>==========================================================
>== Our Code, Our Bugs, Our Responsibility.
>== The Samba Team
>==========================================================
>

Flags:

metze: review-

Actions: View

Attachments on bug 15424: 18025 | 18026 | 18027 | 18040 | 18075 | 18076 | 18084 | 18085 | 18086 | 18087 | 18088 | 18089 | 18090 | 18091 | 18092 | 18098