The Samba-Bugzilla – Attachment 18088 Details for Bug 15424
CVE-2023-4154 [SECURITY] dirsync allows SYSTEM access with only "GUID_DRS_GET_CHANGES" right, not "GUID_DRS_GET_ALL_CHANGES"
Advisory v4
CVE-2023-4154-dirsync-advisory-v4.txt (text/plain), 3.35 KB, created by Andrew Bartlett on 2023-09-08 03:30:13 UTC
===========================================================
== Subject: Samba AD DC password exposure to privileged
== users and RODCs
==
== CVE ID#: CVE-2023-4154
==
== Versions: All versions since Samba 4.0.0
==
== Summary: An RODC and a user with the GET_CHANGES
== right can view all attributes, including
== secrets and passwords.
==
== Additionally, the access check fails open
== on error conditions.
===========================================================

===========
Description
===========

In normal operation, passwords and (most) secrets are never disclosed
over LDAP in Active Directory.

However, due to a design flaw in Samba's implementation of the DirSync
control, Active Directory accounts authorized to do some replication,
but not to replicate sensitive attributes, can instead replicate
critical domain passwords and secrets.

In a default installation, this means that Administrator accounts -
who can always reset any password - and, more concerningly, RODC DC
accounts (which should only be permitted to replicate some passwords)
can instead obtain all domain secrets, including the krbtgt.

RODCs are given this permission as part of their installation for DRS
replication. This vulnerability removes the RODC / DC distinction.

Secondly, and just as problematically, the access check for this
functionality will fail open on error conditions, some of which (e.g.
out of memory) may be influenced by a low-privileged attacker.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

 https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

password disclosure to privileged but not full admin account:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

fail open access check:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

=================================
Workaround and mitigating factors
=================================

If no RODC accounts are in use in the domain, and DirSync users set
LDAP_DIRSYNC_OBJECT_SECURITY, then there is no need to give this right
to any users. If only privileged accounts have this right, only the
error path vulnerability exists.

Since Windows 2003 and in all versions of Samba, it has not been
required to assign accounts this "Get Changes" / GUID_DRS_GET_CHANGES
right to use LDAP DirSync, provided that
LDAP_DIRSYNC_OBJECT_SECURITY is set in the control.

If any unprivileged accounts do have this right, it can be
removed.

GUID_DRS_GET_CHANGES / 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 is an
extended right set in the ntSecurityDescriptor on the NC root (the DN
at the top of each partition). These are, for example, the domain DN,
the configuration DN, etc. The domain DN is the most important.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team
during routine code review.

Patches provided by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
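As an added example (not part of the advisory and not Samba's code), the following Python audit performs the check the "Workaround and mitigating factors" section describes: it lists every trustee granted GUID_DRS_GET_CHANGES or GUID_DRS_GET_ALL_CHANGES in an NC root's ntSecurityDescriptor, so that grants to unprivileged accounts can be found and removed. It assumes the descriptor has been exported in SDDL form. The GUID for GUID_DRS_GET_ALL_CHANGES and the list of expected trustees are assumptions not taken from the page, and the sample descriptor is constructed. The parser deliberately raises on input it cannot interpret rather than skipping it, the opposite of the fail-open behaviour the advisory's second issue describes: an audit that reports "no risky grants" on a parse error would hide exactly what it exists to find.

```python
import re

# Extended-right GUIDs. The GUID_DRS_GET_CHANGES value is the one quoted in the
# advisory; the GUID_DRS_GET_ALL_CHANGES value is the schema rightsGuid of
# DS-Replication-Get-Changes-All, taken from the AD schema rather than this page.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "GUID_DRS_GET_CHANGES",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "GUID_DRS_GET_ALL_CHANGES",
}

# Access-mask bits behind the SDDL codes CR (control access) and GA (generic all).
CONTROL_ACCESS = 0x100
GENERIC_ALL = 0x10000000

# Constructed policy for this example: SDDL aliases for the trustees expected to
# hold replication rights on a domain NC root (Domain Admins, Enterprise Admins,
# Enterprise Domain Controllers, Builtin Administrators, Local System).
# Adjust for your own domain.
EXPECTED_TRUSTEES = {"DA", "EA", "ED", "BA", "SY"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_has(rights: str, code: str, bit: int) -> bool:
    """True if an SDDL rights field conveys the given right, whether written as
    two-letter codes ("...CR...") or as a hex access mask ("0x100")."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & bit)
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return code in codes


def audit_replication_grants(sddl: str) -> list:
    """List every allow ACE in the DACL that conveys a DRS replication right.

    Malformed input raises ValueError instead of being skipped: an audit that
    silently drops what it cannot parse would fail open, answering
    'no risky grants' on error."""
    if "D:" not in sddl:
        raise ValueError("security descriptor has no DACL component")
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]
    grants = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: ({ace})")
        ace_type, _flags, rights, obj_guid, _inh_guid, trustee = fields[:6]
        if ace_type not in ("A", "OA"):
            # Deny/audit ACEs are not grants (denies do still affect evaluation).
            continue
        guid = obj_guid.lower()
        if guid in REPLICATION_RIGHTS and rights_has(rights, "CR", CONTROL_ACCESS):
            grants.append({"trustee": trustee, "right": REPLICATION_RIGHTS[guid]})
        elif guid == "" and (rights_has(rights, "CR", CONTROL_ACCESS)
                             or rights_has(rights, "GA", GENERIC_ALL)):
            # CR or GA with no object GUID conveys every extended right at once,
            # replication rights included; full-control ACEs land here.
            grants.append({"trustee": trustee, "right": "ALL_EXTENDED_RIGHTS"})
    return grants


def unexpected_trustees(sddl: str, expected=EXPECTED_TRUSTEES) -> list:
    """Trustees holding a replication right that are not on the expected list;
    these are the grants the advisory suggests removing."""
    found = []
    for grant in audit_replication_grants(sddl):
        if grant["trustee"] not in expected and grant["trustee"] not in found:
            found.append(grant["trustee"])
    return found


# Constructed sample descriptor for a domain NC root (not captured from any real
# domain). The last ACE grants GUID_DRS_GET_CHANGES to an ordinary user account,
# which is exactly the grant the advisory says is unnecessary and removable.
SAMPLE_SDDL = (
    "O:DAG:DAD:PAI"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;1131f6ad-9c07-11d1-f79f-00c04fc2dcd2;;DA)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;ED)"
    "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
    "(A;;RPLCLORC;;;AU)"
    "(OA;;CR;1131f6aa-9c07-11d1-f79f-00c04fc2dcd2;;S-1-5-21-1000-2000-3000-1106)"
)

if __name__ == "__main__":
    for grant in audit_replication_grants(SAMPLE_SDDL):
        print(f"{grant['trustee']:32} {grant['right']}")
    print("unexpected:", unexpected_trustees(SAMPLE_SDDL))
```

Two points worth noting when reading the output. A CR or GA right with no object GUID conveys every extended right, so a trustee with full control on the NC root (Builtin Administrators in the sample) is reported as holding the replication rights even though no replication GUID appears in its ACE; the advisory's observation that Administrators can obtain all secrets follows from that. And the report is per NC root: the advisory names the domain DN as the most important, but the configuration partition and any other NC root should be audited with the same routine.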
Flags: metze: review-