Bug 15315 (CVE-2023-0922) - CVE-2023-0922 [SECURITY] Samba AD DC admin tool samba-tool sends passwords in cleartext
Summary: CVE-2023-0922 [SECURITY] Samba AD DC admin tool samba-tool sends passwords in...
Status: RESOLVED FIXED
Alias: CVE-2023-0922
Product: Samba 4.1 and newer
Classification: Unclassified
Component: Tools
Version: 4.18.0rc3
Hardware: All All
Importance: P5 normal
Target Milestone: ---
Assignee: Andrew Bartlett
QA Contact: Samba QA Contact
URL:
Keywords:
Depends on:
Blocks: 15337
Reported: 2023-02-20 00:55 UTC by Andrew Bartlett
Modified: 2023-04-05 03:15 UTC (History)
CC List: 5 users

See Also:


Attachments
Initial advisory without versions (2.35 KB, text/plain), 2023-02-23 04:05 UTC, Andrew Bartlett; jsutton: review+
Advisory v2 (2.98 KB, text/plain), 2023-02-26 21:58 UTC, Andrew Bartlett; jsutton: review+
Initial patch for master (3.51 KB, patch), 2023-02-27 08:10 UTC, Andrew Bartlett; jsutton: ci-passed-
Patch for master v2 (4.29 KB, patch), 2023-02-28 01:35 UTC, Andrew Bartlett; no flags
Patch for master v3 (4.45 KB, patch), 2023-02-28 01:41 UTC, Andrew Bartlett; jsutton: review+
Advisory v3 (3.03 KB, text/plain), 2023-02-28 01:51 UTC, Andrew Bartlett; jsutton: review+
Patch for master v4 (4.34 KB, patch), 2023-03-13 22:00 UTC, Andrew Bartlett; abartlet: ci-passed+
Patch v4 backported to Samba 4.18 (4.34 KB, patch), 2023-03-13 22:11 UTC, Andrew Bartlett; abartlet: ci-passed+
Patch v4 backported to Samba 4.17 (4.34 KB, patch), 2023-03-13 22:12 UTC, Andrew Bartlett; abartlet: ci-passed+
Patch v4 backported to Samba 4.16 (4.29 KB, patch), 2023-03-13 22:22 UTC, Andrew Bartlett; abartlet: ci-passed+
Patch for master v5 (4.51 KB, patch), 2023-03-15 19:58 UTC, Andrew Bartlett; jsutton: review+, abartlet: ci-passed+
Patch v5 for master backported to Samba 4.18 (4.51 KB, patch), 2023-03-15 19:59 UTC, Andrew Bartlett; jsutton: review+, abartlet: ci-passed+
Patch v5 for master backported to Samba 4.17 (4.51 KB, patch), 2023-03-15 20:00 UTC, Andrew Bartlett; jsutton: review+, abartlet: ci-passed+
Patch v5 for master backported to Samba 4.16 (4.51 KB, patch), 2023-03-15 20:02 UTC, Andrew Bartlett; jsutton: review+, abartlet: ci-passed+

Description Andrew Bartlett 2023-02-20 00:55:04 UTC
In current Samba versions, the Windows restriction on setting unicodePwd over an unencrypted (e.g. plaintext or signed-for-integrity-only) connection is not enforced.

Rob van der Linde added such a restriction to Samba, and noticed that some unrelated tests started to fail.  Andrew Bartlett noted that this implied that Samba's AD administration tool samba-tool has been sending new or reset passwords over unencrypted connections. 

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)
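The following is an added example, not part of the bug report and not Samba's own code: a defender-side check over Samba's JSON authorization audit messages that flags LDAP sessions to the DC whose transport is plaintext or signed-only, which is the kind of session over which a samba-tool password reset travelled in the clear before this fix. The sample log lines are constructed. The field names ("type", "Authorization", "serviceDescription", "transportProtection", "account", "domain", "remoteAddress", "authType") and the values "SEAL", "SIGN", "TLS" and "NONE" follow Samba's audit log format as assumed here and should be checked against real output; password_write_permitted is a model of the rule being enforced, not Samba's implementation of it.

```python
"""Added example: find Samba AD DC LDAP sessions that would not encrypt a password.

Reads Samba's JSON authorization audit messages and reports LDAP sessions that
are only signed or carry no transport protection at all. These are the
sessions over which a samba-tool password reset travelled in cleartext before
the fix for CVE-2023-0922. Field names and values follow Samba's audit log
format as assumed here; check them against your own log output.
"""
import json
from typing import Iterable, List, Optional

# Transport protections that encrypt the LDAP payload: "SEAL" is GSSAPI or
# NTLMSSP confidentiality, "TLS" is LDAPS or StartTLS. "SIGN" only gives
# integrity and "NONE" gives nothing, so a password sent over either is
# readable by anyone who can observe the traffic. (Assumed value spellings.)
ENCRYPTING_PROTECTION = frozenset({"SEAL", "TLS"})


def password_write_permitted(transport_protection: str) -> bool:
    """Model of the Windows rule Samba now enforces: a unicodePwd write is
    accepted only over a connection that encrypts, never over a plaintext
    or signed-for-integrity-only one."""
    return transport_protection.strip().upper() in ENCRYPTING_PROTECTION


def parse_authorization(line: str) -> Optional[dict]:
    """Return the Authorization record from one JSON audit line, or None for
    blank, malformed or unrelated (e.g. Authentication) messages."""
    line = line.strip()
    if not line:
        return None
    try:
        msg = json.loads(line)
    except json.JSONDecodeError:
        return None
    if not isinstance(msg, dict) or msg.get("type") != "Authorization":
        return None
    record = msg.get("Authorization")
    return record if isinstance(record, dict) else None


def unencrypted_ldap_sessions(lines: Iterable[str]) -> List[dict]:
    """Summarise every LDAP session whose transport would not have hidden a
    password written through it."""
    findings = []
    for line in lines:
        rec = parse_authorization(line)
        if rec is None or rec.get("serviceDescription") != "LDAP":
            continue
        protection = str(rec.get("transportProtection", "NONE"))
        if password_write_permitted(protection):
            continue
        findings.append({
            "account": rec.get("account"),
            "domain": rec.get("domain"),
            "remoteAddress": rec.get("remoteAddress"),
            "authType": rec.get("authType"),
            "transportProtection": protection,
        })
    return findings


def _auth(service, auth_type, protection, account, remote):
    """Build one constructed Authorization message in the assumed layout."""
    return json.dumps({
        "timestamp": "2023-02-20T00:55:04.000000+0000",
        "type": "Authorization",
        "Authorization": {
            "version": {"major": 1, "minor": 1},
            "localAddress": "ipv4:192.0.2.1:389",
            "remoteAddress": remote,
            "serviceDescription": service,
            "authType": auth_type,
            "domain": "EXAMPLE",
            "account": account,
            "transportProtection": protection,
        },
    })


# Constructed sample audit lines (not real log output).
SAMPLE_LOG_LINES = [
    # Kerberos LDAP bind that only signs: what the unfixed samba-tool used.
    _auth("LDAP", "krb5", "SIGN", "Administrator", "ipv4:192.0.2.10:51234"),
    # Same client after the fix: sealed, so a password write is fine.
    _auth("LDAP", "krb5", "SEAL", "Administrator", "ipv4:192.0.2.10:51240"),
    # Simple bind over LDAPS: encrypted by TLS.
    _auth("LDAP", "simple bind", "TLS", "svc-backup", "ipv4:192.0.2.20:44010"),
    # Simple bind on plain port 389 with no protection at all.
    _auth("LDAP", "simple bind", "NONE", "svc-ldap", "ipv4:192.0.2.30:40002"),
    # SMB2 session: not LDAP, so out of scope here.
    _auth("SMB2", "ntlmssp", "SEAL", "alice", "ipv4:192.0.2.40:49152"),
    # An Authentication message and a corrupt line are both skipped.
    json.dumps({"type": "Authentication", "Authentication": {"status": "NT_STATUS_OK"}}),
    "{not valid json",
]


if __name__ == "__main__":
    for finding in unencrypted_ldap_sessions(SAMPLE_LOG_LINES):
        print("unencrypted LDAP session:", finding)
```

Run against a real audit log with `unencrypted_ldap_sessions(open(path))`. Any hit from an account that is used for password resets or user provisioning is a session whose password traffic was exposed to whoever could observe the network path, which is the exposure this advisory describes.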
Comment 1 Andrew Bartlett 2023-02-23 04:05:30 UTC
Created attachment 17772 [details]
Initial advisory without versions
Comment 2 Jo Sutton 2023-02-24 02:06:35 UTC
Comment on attachment 17772 [details]
Initial advisory without versions

A couple of phrasing quibbles:
"An attacker with access to observe the network traffic [...] could observe new passwords if samba-tool is connecting [...]"
-> maybe:
"An attacker able to observe the network traffic [...] could obtain newly set passwords if samba-tool connected [...]"

"when, samba-tool is being used to resetting [...], or when adding a new user"
-> "when samba-tool was used to reset [...], or to add a new user"

Otherwise, looks good.
Comment 3 Andrew Bartlett 2023-02-26 21:58:01 UTC
Created attachment 17777 [details]
Advisory v2
Comment 4 Jo Sutton 2023-02-26 22:58:43 UTC
Comment on attachment 17777 [details]
Advisory v2

Would "an unencrypted, though signed, connection" be a clearer word choice than "a signed-only connection"? Either way, LGTM.
Comment 5 Andrew Bartlett 2023-02-27 08:10:31 UTC
Created attachment 17779 [details]
Initial patch for master

I've put this simple fix for the issue under CI and will soon see if there are any unexpected impacts.
Comment 6 Jo Sutton 2023-02-27 20:46:18 UTC
Comment on attachment 17779 [details]
Initial patch for master

Looks good. test_ldap() in python/samba/tests/auth_log.py should be updated to expect "SEAL" rather than "SIGN".
Comment 7 Andrew Bartlett 2023-02-28 01:35:31 UTC
Created attachment 17781 [details]
Patch for master v2

I've updated the patch to fix the CI failure in test_ldap and re-submitted for CI.
Comment 8 Andrew Bartlett 2023-02-28 01:41:47 UTC
Created attachment 17782 [details]
Patch for master v3

This patch fixes the incorrect CVE in the tag and adds the BUG: tag.
Comment 9 Andrew Bartlett 2023-02-28 01:51:12 UTC
Created attachment 17783 [details]
Advisory v3

Just updating the credit now that I've taken over finishing the patch.
Comment 10 Andrew Bartlett 2023-03-13 22:00:05 UTC
Created attachment 17809 [details]
Patch for master v4
Comment 11 Andrew Bartlett 2023-03-13 22:00:55 UTC
Comment on attachment 17809 [details]
Patch for master v4

Updated patch just adds Reviewed-by: Joseph Sutton <josephsutton@catalyst.net.nz> to the actual patch for ease of submission to master from the previous review tag here.
Comment 12 Andrew Bartlett 2023-03-13 22:11:17 UTC
Created attachment 17810 [details]
Patch v4 backported to Samba 4.18
Comment 13 Andrew Bartlett 2023-03-13 22:12:31 UTC
Created attachment 17811 [details]
Patch v4 backported to Samba 4.17
Comment 14 Andrew Bartlett 2023-03-13 22:22:47 UTC
Created attachment 17815 [details]
Patch v4 backported to Samba 4.16
Comment 15 Andrew Bartlett 2023-03-15 19:58:40 UTC
Created attachment 17829 [details]
Patch for master v5
Comment 16 Andrew Bartlett 2023-03-15 19:59:21 UTC
Created attachment 17830 [details]
Patch v5 for master backported to Samba 4.18
Comment 17 Andrew Bartlett 2023-03-15 20:00:55 UTC
Created attachment 17831 [details]
Patch v5 for master backported to Samba 4.17
Comment 18 Andrew Bartlett 2023-03-15 20:02:32 UTC
Created attachment 17832 [details]
Patch v5 for master backported to Samba 4.16

This updated patch series fixes the incorrect CVE and missing commit text.
Comment 19 Andrew Bartlett 2023-03-16 00:23:37 UTC
Assigning to Jule for next security release.
Comment 20 Andrew Bartlett 2023-03-19 22:44:18 UTC
We will make a Samba security release for this issue on Wednesday 29 March.
Comment 21 Jule Anger 2023-03-29 14:22:16 UTC
Removing vendor CC (so that any public comments don't need to be broadcast so widely) and opening these bugs to the public.
If you wish to continue to be informed about any changes here please CC individually.
Comment 22 Samba QA Contact 2023-03-29 14:27:50 UTC
This bug was referenced in samba v4-16-stable (Release samba-4.16.10):

6736fc0cff07162299ee68aabef81c3d0cda204d
Comment 23 Samba QA Contact 2023-03-29 14:30:06 UTC
This bug was referenced in samba v4-17-stable (Release samba-4.17.7):

04e5a7eb03a1e913f34d77b7b6c2353b41ef546a
Comment 24 Samba QA Contact 2023-03-29 14:31:19 UTC
This bug was referenced in samba v4-18-stable (Release samba-4.18.1):

bb5aecbd10265904156510d5dfc2f97bad442267
Comment 25 Samba QA Contact 2023-03-29 14:34:17 UTC
This bug was referenced in samba v4-16-test:

6736fc0cff07162299ee68aabef81c3d0cda204d
Comment 26 Samba QA Contact 2023-03-29 14:37:00 UTC
This bug was referenced in samba v4-17-test:

04e5a7eb03a1e913f34d77b7b6c2353b41ef546a
Comment 27 Samba QA Contact 2023-03-29 14:40:03 UTC
This bug was referenced in samba v4-18-test:

bb5aecbd10265904156510d5dfc2f97bad442267
Comment 28 Samba QA Contact 2023-04-05 03:09:06 UTC
This bug was referenced in samba master:

b74b9f4b06c24b16bf3daac96127e62b75f5b9ed