Bug 1215908 (CVE-2023-4154)

https://www.samba.org/samba/security/CVE-2023-4154.html


CVE-2023-4154.html:

===========================================================
== Subject:     Samba AD DC password exposure to privileged
==              users and RODCs
==
== CVE ID#:     CVE-2023-4154
==
== Versions:    All versions since Samba 4.0.0
==
== Summary:     An RODC and a user with the GET_CHANGES
==              right can view all attributes, including
==              secrets and passwords.
==
==              Additionally, the access check fails open
==              on error conditions.
===========================================================

===========
Description
===========

In normal operation, passwords and (most) secrets are never disclosed
over LDAP in Active Directory.

However, due to a design flaw in Samba's implementation of the DirSync
control, Active Directory accounts authorized to do some replication,
but not to replicate sensitive attributes, can instead replicate
critical domain passwords and secrets.

In a default installation, this means that RODC DC accounts (which
should only be permitted to replicate some passwords) can instead
obtain all domain secrets, including the core AD secret: the krbtgt
password.

RODCs are given this permission as part of their installation for DRS
replication.  This vulnerability removes the RODC / DC distinction.

Secondly, and just as problematically, the access check for this
functionality did not account for error conditions - errors like
out of memory were regarded as success.  This is sometimes described
as "fail open".  In these error conditions, some of which (eg out of
memory) may be influenced by a low-privileged attacker, access to the
secret attributes could be obtained!


==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.19.1, 4.18.8 and 4.17.12 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

For password disclosure to RODCs and other privileged accounts:
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)

For the fail open on the DirSync access check:
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

=================================
Workaround and mitigating factors
=================================

If no RODC accounts are in use in the domain, and DirSync users set
LDAP_DIRSYNC_OBJECT_SECURITY then there is no need to give this right
to any users.  If only privileged accounts have this right, only the
error path vulnerability exists.

Since Windows 2003 and in all versions of Samba, it has not been
required to assign accounts this "Get Changes" / GUID_DRS_GET_CHANGES
right to use LDAP DirSync, provided that the
LDAP_DIRSYNC_OBJECT_SECURITY it set in the control.

If any unprivileged accounts do have this right, and either no longer
use DirSync or use LDAP_DIRSYNC_OBJECT_SECURITY, this should be
removed.

GUID_DRS_GET_CHANGES / 1131f6aa-9c07-11d1-f79f-00c04fc2dcd2 is an
extended right set in the ntSecurityDescriptor on the NC root (the DN
at the top of each partition).  These are for example the domain DN,
configuration DN etc.  The domain DN is the most important.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team
during routine code review.

Patches provided by Andrew Bartlett of Catalyst and the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

SUSE-SU-2023:4046-1: An update that solves five vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215904, 1215905, 1215906, 1215907, 1215908
CVE References: CVE-2023-3961, CVE-2023-4091, CVE-2023-4154, CVE-2023-42669, CVE-2023-42670
Sources used:
openSUSE Leap 15.5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
SUSE Linux Enterprise Micro 5.5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
Basesystem Module 15-SP5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1
SUSE Linux Enterprise High Availability Extension 15 SP5 (src): samba-4.17.9+git.421.abde31ca5c2-150500.3.11.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

The AC-DC feature in samba was added since SLE-15 as technical preview, so not officially supported. All the SLE-15 before 15-SP5 products are affected, but we limited the mitigation only on the recent ones where backporting the patches was trivial.

(In reply to Gabriele Sonnu from comment #10)
> The AC-DC feature in samba was added since SLE-15 as technical preview, so
> not officially supported. All the SLE-15 before 15-SP5 products are
> affected, but we limited the mitigation only on the recent ones where
> backporting the patches was trivial.

Strictly speaking all the SLE-15 between SLE15-SP1 and SLE15-SP4 (inclusive) products are affected, ad-dc feature wasn't built/enabled in SLE15-SP0

SUSE-SU-2023:4059-1: An update that solves three vulnerabilities and has one security fix can now be installed.

Category: security (important)
Bug References: 1213940, 1215904, 1215905, 1215908
CVE References: CVE-2023-4091, CVE-2023-4154, CVE-2023-42669
Sources used:
openSUSE Leap 15.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise Micro 5.3 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise Micro 5.4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
Basesystem Module 15-SP4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): samba-4.15.13+git.691.3d3cea0641-150400.3.31.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.

SUSE-SU-2023:4096-1: An update that solves three vulnerabilities can now be installed.

Category: security (important)
Bug References: 1215904, 1215905, 1215908
CVE References: CVE-2023-4091, CVE-2023-4154, CVE-2023-42669
Sources used:
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Manager Proxy 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Manager Retail Branch Server 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Manager Server 4.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Enterprise Storage 7.1 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise Micro 5.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): samba-4.15.13+git.691.3d3cea0641-150300.3.63.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.