Bug 1095057 (CVE-2018-10919)

Summary: VUL-0: CVE-2018-10919: samba: Confidential attribute disclosure via substring search
Product: [Novell Products] SUSE Security Incidents Reporter: Marcus Meissner <meissner>
Component: IncidentsAssignee: James McDonough <jmcdonough>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: aaptel, david.mulder, nopower, samba, scabrero
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 10 Aurelien Aptel 2018-08-08 15:46:11 UTC
Send hopefully final request. I've only changed the changelog entry since the last revoked request. Thanks for handling this.

https://build.suse.de/request/show/169540
Comment 13 Marcus Meissner 2018-08-14 09:02:37 UTC
is public

https://www.samba.org/samba/security/CVE-2018-10919.html


CVE-2018-10919.html

====================================================================
== Subject:     Confidential attribute disclosure from the AD LDAP
==              server
==
== CVE ID#:     CVE-2018-10919
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     Missing access control checks allow discovery of
==              confidential attribute values via authenticated
==              LDAP search expressions
==
====================================================================

===========
Description
===========

All versions of the Samba Active Directory LDAP server from 4.0.0
onwards are vulnerable to the disclosure of confidential attribute
values, both of attributes where the schema SEARCH_FLAG_CONFIDENTIAL
(0x80) searchFlags bit and where an explicit Access Control Entry has
been specified on the ntSecurityDescriptor.

The confidential attribute disclosure is via the search expression and
can be seen by the return (or failure to return) matching LDAP
objects.

This issue does NOT apply to secret attributes such as unicodePwd.
These values have always been prohibited in LDAP search expressions.
(Additionally since Samba 4.8 they remain encrypted at search
expression processing time).

The following attributes in the 2008R2 AD schema have
SEARCH_FLAG_CONFIDENTIAL set in the searchFlags by default:

unixUserPassword, msFVE-KeyPackage, msFVE-RecoveryPassword,
msPKIAccountCredentials, msPKIAccountCredentials,
msPKI-CredentialRoamingTokens, msPKIDPAPIMasterKeys,
msPKIRoamingTimeStamp, msTPM-OwnerInformation

For clarity: unixUserPassword is NOT populated by Samba.

================
Remaining issues
================

Samba makes no attempt to address possible timing attacks against the
LDAP server.  Data (aside from secret attributes, already subject to
special processing) of such a sensitivity such that a timing attack
would be worthwhile should not be stored in Active Directory.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.8.4, Samba 4.7.9 and 4.6.16 have been issued as
a security release to correct the defect.  Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========================
Workarounds and Mitigation
==========================

The only workaround is not to use the SEARCH_FLAG_CONFIDENTIAL
searchFlags bit, not to expect confidentiality of the attribute list
above nor to set access control entries of a similar nature on LDAP
objects.

=======
Credits
=======

The issue was reported by Phillip Kuhrt.  Tim Beale of Catalyst
provided the test and patches.
Comment 14 Swamp Workflow Management 2018-08-14 13:08:23 UTC
SUSE-SU-2018:2318-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1095048,1095056,1095057,1103411,1103414
CVE References: CVE-2018-10858,CVE-2018-10918,CVE-2018-10919,CVE-2018-1139,CVE-2018-1140
Sources used:
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.8+git.86.94b6d10f7dd-4.15.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.8+git.86.94b6d10f7dd-4.15.1
Comment 15 Swamp Workflow Management 2018-08-17 10:13:10 UTC
openSUSE-SU-2018:2400-1: An update that fixes 5 vulnerabilities is now available.

Category: security (important)
Bug References: 1095048,1095056,1095057,1103411,1103414
CVE References: CVE-2018-10858,CVE-2018-10918,CVE-2018-10919,CVE-2018-1139,CVE-2018-1140
Sources used:
openSUSE Leap 15.0 (src):    samba-4.7.8+git.86.94b6d10f7dd-lp150.3.6.1
Comment 16 James McDonough 2018-10-01 10:04:29 UTC
shipped
Comment 17 Swamp Workflow Management 2018-10-16 13:29:30 UTC
SUSE-SU-2018:3161-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1068059,1087931,1095057,1102230,1110943
CVE References: CVE-2018-10919
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    samba-4.6.16+git.124.aee309c5c18-3.32.1
SUSE Linux Enterprise Server 12-SP3 (src):    samba-4.6.16+git.124.aee309c5c18-3.32.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.16+git.124.aee309c5c18-3.32.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    samba-4.6.16+git.124.aee309c5c18-3.32.1
SUSE Enterprise Storage 5 (src):    samba-4.6.16+git.124.aee309c5c18-3.32.1
Comment 18 Swamp Workflow Management 2018-10-17 22:09:52 UTC
openSUSE-SU-2018:3211-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1068059,1087931,1095057,1102230,1110943
CVE References: CVE-2018-10919
Sources used:
openSUSE Leap 42.3 (src):    samba-4.6.16+git.124.aee309c5c18-21.1