The Samba-Bugzilla – Attachment 18167 Details for Bug 13595
CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in AD LDAP to normal users
Attachment: CVE-2018-14628-metze-v2.txt (text/plain), 3.79 KB, created by Stefan Metzmacher on 2023-10-18 09:15:15 UTC
Description: CVE-2018-14628-metze-v2.txt
Attachment flags: patch, obsolete
====================================================================
== Subject: Unprivileged read of deleted object tombstones
==          in AD LDAP server
==
== CVE ID#: CVE-2018-14628
==
== Versions: All versions of Samba from 4.0.0 onwards.
==
== Summary: Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
==          allow read of object tombstones over LDAP
==          (Administrator action required!)
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.

When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from the Domain/Partition-HEAD-Object
instead of being very strict (as on a Windows provisioned domain).

This means that non-privileged users can also use the
LDAP_SERVER_SHOW_DELETED_OID control in order to view
the names and preserved attributes of deleted objects.

No information that was hidden before the deletion is visible, but
with the correct ntSecurityDescriptor value in place the whole object
is also not visible without administrative rights.

There is no further vulnerability associated with this error, merely an
information disclosure.

===================================================
Action required in order to resolve CVE-2018-14628!
===================================================

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the
changes before they are applied. Typical questions look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
  Owner mismatch: SY (in ref) DA(in current)
  Group mismatch: SY (in ref) DA(in current)
  Part dacl is different between reference and current here is the detail:
    (A;;LCRPLORC;;;AU) ACE is not present in the reference
    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
    (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
    (A;;LCRP;;;BA) ACE is not present in the current
  [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.

==================
Patch Availability
==================

The Samba Team decided not to issue a dedicated security release,
see https://wiki.samba.org/index.php/Samba_Security_Process.

See https://bugzilla.samba.org/show_bug.cgi?id=13595

==========
Workaround
==========

The administrator can manually change the ntSecurityDescriptor
attribute for the "CN=Deleted Objects" containers to the
following SDDL:

  O:SYG:SYD:PAI(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPLC;;;BA)

It basically means System has FullAccess, while Builtin\Administrators
has ReadProperty and ListChildren rights.

There's a separate "CN=Deleted Objects" container in the root
of each naming context/partition (except the schema partition).
The fix should be applied to all (typically 4) partitions,
while the domain partition is the most important one.

=======
Credits
=======

The initial bugs were found by Andrew Bartlett of Catalyst.
Andrew Bartlett of Catalyst and the Samba Team did the investigation
and Stefan Metzmacher of SerNet provided the final fix.
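To audit a "CN=Deleted Objects" container before and after running the dbcheck fix, a small SDDL parser can tell the inherited descriptor from the strict one above. This is an added example, not part of the advisory or of Samba's own code: the weak descriptor is constructed from the owner, group and ACEs shown in the dbcheck transcript (its "AI" DACL flag is an assumption), and the set of trustees treated as privileged is the editor's choice.

```python
import re

# Strict descriptor from the advisory's workaround section (expected state).
EXPECTED_SDDL = "O:SYG:SYD:PAI(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPLC;;;BA)"

# Constructed sample of the inherited descriptor an unpatched provision leaves
# behind: owner/group DA and the three ACEs marked "not present in the
# reference" in the dbcheck transcript. The "AI" DACL flag is an assumption.
WEAK_SDDL = ("O:DAG:DAD:AI(A;;LCRPLORC;;;AU)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
             "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")

# Trustees treated as allowed to see tombstones (SYSTEM and admin groups).
PRIVILEGED = {"SY", "BA", "DA", "EA"}
READ_RIGHTS = {"RP", "LC", "LO", "RC", "GR", "GA"}  # rights exposing names/attributes

_SD_RE = re.compile(r"^O:(?P<owner>[\w-]+?)G:(?P<group>[\w-]+?)D:"
                    r"(?P<flags>[A-Z]*)(?P<aces>(?:\([^)]*\))*)$")

def parse_ace(ace):
    """'(A;;LCRPLORC;;;AU)' -> dict with type, flags, rights list and trustee."""
    ace_type, flags, rights, obj, inh, sid = ace.strip("()").split(";")
    return {"type": ace_type, "flags": flags,
            "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)],
            "object": obj, "inherit": inh, "trustee": sid}

def parse_sddl(sddl):
    """Parse owner, group, DACL control flags and ACEs of an SDDL string."""
    m = _SD_RE.match(sddl)
    if not m:
        raise ValueError("unsupported SDDL: %r" % sddl)
    aces = [parse_ace(a) for a in re.findall(r"\([^)]*\)", m.group("aces"))]
    return {"owner": m.group("owner"), "group": m.group("group"),
            "dacl_flags": m.group("flags"), "aces": aces}

def unprivileged_readers(sddl):
    """Trustees outside PRIVILEGED that an allow ACE grants any read right."""
    sd = parse_sddl(sddl)
    return {a["trustee"] for a in sd["aces"]
            if a["type"] == "A" and a["trustee"] not in PRIVILEGED
            and set(a["rights"]) & READ_RIGHTS}

def matches_workaround(sddl):
    """True when the descriptor equals the advisory's SDDL (ACE order ignored)."""
    got, want = parse_sddl(sddl), parse_sddl(EXPECTED_SDDL)
    norm = lambda sd: (sd["owner"], sd["group"], sd["dacl_flags"],
                       sorted((a["type"], a["trustee"], tuple(sorted(a["rights"])))
                              for a in sd["aces"]))
    return norm(got) == norm(want)
```

On a live domain the nTSecurityDescriptor value read over LDAP is binary; convert it to SDDL (for example with samba's ndr/security helpers) before feeding it to these functions.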
Review flags: metze: review? (abartlet); slow: review+