Bug 1158109 - (CVE-2019-14870) VUL-0: CVE-2019-14870: samba: DelegationNotAllowed not being enforced
(CVE-2019-14870)
VUL-0: CVE-2019-14870: samba: DelegationNotAllowed not being enforced
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: The 'Opening Windows to a Wider World' guys
Security Team bot
https://smash.suse.de/issue/248162/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2019-11-29 16:33 UTC by Marcus Meissner
Modified: 2020-09-17 19:14 UTC (History)
2 users (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 2 Marcus Meissner 2019-12-10 16:43:10 UTC
is public

https://www.samba.org/samba/security/CVE-2019-14870.html


CVE-2019-14870.html

===========================================================
== Subject:     DelegationNotAllowed not being enforced
==              in protocol transition on Samba AD DC.
==
== CVE ID#:     CVE-2019-14870
==
== Versions:    All Samba versions since Samba 4.0
==
== Summary:     The DelegationNotAllowed Kerberos feature restriction
==              was not being applied when processing protocol
==              transition requests (S4U2Self), in the AD DC KDC.
===========================================================

===========
Description
===========

The S4U (MS-SFU) Kerberos delegation model includes a feature allowing
for a subset of clients to be opted out of constrained delegation in
any way, either S4U2Self or regular Kerberos authentication, by
forcing all tickets for these clients to be non-forwardable.  In AD
this is implemented by a user attribute delegation_not_allowed (aka
not-delegated), which translates to disallow-forwardable.

However the Samba AD DC does not do that for S4U2Self and does set the
forwardable flag even if the impersonated client has the not-delegated
flag set.

Note: while the experimental MIT AD-DC build does not support S4U, it
should still be patched due to a related bug in regular authentication.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

=========================
Workaround and mitigation
=========================

Only clients configured directly in LDAP or via a Windows tools
could have been marked as sensitive and so have been expected to have
this protection.  Therefore most Samba sites will not have been using
this feature and so are not impacted either way.

=======
Credits
=======

Originally reported by Isaac Boukris of Red Hat and the Samba Team.

Patches provided by Isaac Boukris of Red Hat and the Samba Team.

Advisory written by Andrew Bartlett of Catalyst and Isaac Boukris of
Red Hat and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
Comment 5 Swamp Workflow Management 2019-12-17 17:11:46 UTC
SUSE-SU-2019:3319-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1158108,1158109
CVE References: CVE-2019-14861,CVE-2019-14870
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.224.86a8e66adea-3.18.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 6 Swamp Workflow Management 2019-12-17 17:44:08 UTC
SUSE-SU-2019:3318-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1158108,1158109
CVE References: CVE-2019-14861,CVE-2019-14870
Sources used:
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    samba-4.7.11+git.202.6edee83fb34-4.34.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    samba-4.7.11+git.202.6edee83fb34-4.34.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.11+git.202.6edee83fb34-4.34.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.202.6edee83fb34-4.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2019-12-22 20:16:16 UTC
openSUSE-SU-2019:2700-1: An update that fixes two vulnerabilities is now available.

Category: security (important)
Bug References: 1158108,1158109
CVE References: CVE-2019-14861,CVE-2019-14870
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.224.86a8e66adea-lp151.2.12.1
Comment 8 Marcus Meissner 2020-02-05 07:58:55 UTC
same here, I assume SLE12 is not affected as we do not include the Samba AD?
Comment 9 Noel Power 2020-02-05 09:31:31 UTC
(In reply to Marcus Meissner from comment #8)
> same here, I assume SLE12 is not affected as we do not include the Samba AD?

yes, that is the case here too, sle12 doesn't include support for ad-dc
Comment 10 Marcus Meissner 2020-02-05 09:36:48 UTC
done
Comment 12 Swamp Workflow Management 2020-09-17 19:14:55 UTC
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.