Bugzilla – Bug 1160850
VUL-0: CVE-2019-14902: samba: Replication of ACLs set to inherit down a subtree on AD Directory not automatic
Last modified: 2020-09-17 19:15:01 UTC
is public https://www.samba.org/samba/security/CVE-2019-14902.html

CVE-2019-14902.html

===========================================================
== Subject:     Replication of ACLs set to inherit down a
==              subtree on AD Directory not automatic
==
== CVE ID#:     CVE-2019-14902
==
== Versions:    Samba 4.0 and later
==
== Summary:     The implementation of ACL inheritance in the
==              Samba AD DC was not complete, and so absent a
==              'full-sync' replication, ACLs could get out of
==              sync between domain controllers.
===========================================================

===========
Description
===========

A newly delegated right, but more importantly the removal of a
delegated right, would not be inherited on any DC other than the one
where the change was made.

For example:
 - if a user or group was previously delegated the right to create or
   modify a subtree (say to allow desktop support to reset passwords
   and create users)
 - and subsequently this right was taken away

The removal would not automatically be taken away on all domain
controllers.

Because this patch only fixes new replication into the future, it is
vital that a full-sync be done TO each Domain Controller to ensure each
ACL (ntSecurityDescriptor) is re-calculated on the whole set of DCs.

See the instructions in "workaround and required steps post-upgrade"
below.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

==========================================
Workaround and required steps post-upgrade
==========================================

Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause
all ACLs to be synchronised from DC2 to DC1, for the given NC (naming
context), e.g.:

samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync
samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync
samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync
samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

Internally both in patched and un-patched versions, for every object
replicated with a --full-sync, the inheritance will be correctly
calculated.

This only needs to be done TO each DC, not for each pair-wise pair.

=======
Credits
=======

Reported by a number of Samba users and sites since 2017, but now
recognised as a security issue after triage.

We apologise for the delay in dealing with this issue.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
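The workaround in the advisory above requires one --full-sync pulled TO every DC, for every naming context, rather than one run per DC pair. The script below is an added example (not part of the Samba advisory or the Samba project's code) that turns a list of DCs and naming contexts into exactly that set of samba-tool invocations and, by default, only prints them. The DC names my-DC1/my-DC2/my-DC3, the naming contexts and the DRY_RUN variable are constructed sample values and assumptions for illustration; the only real command it emits is the samba-tool drs replicate form quoted in the advisory.

```shell
#!/bin/sh
# Added example, not from the advisory: plan (and optionally run) the
# post-upgrade full-sync for CVE-2019-14902. Each DC is synced TO once per
# naming context from one replication partner; pairwise runs are not needed.

# Constructed sample inventory (hypothetical DC names and NCs).
DCS="my-DC1 my-DC2 my-DC3"
NCS="DC=samba,DC=example,DC=com CN=Configuration,DC=samba,DC=example,DC=com"

# DRY_RUN=1 (the assumed default) prints commands instead of executing them.
DRY_RUN="${DRY_RUN:-1}"

# partner_of DEST: pick the next DC in the list as the source, wrapping to
# the first one for the last entry, so every DC pulls from a different DC.
partner_of() {
    pf_first=""; pf_prev=""
    for pf_d in $DCS; do
        [ -z "$pf_first" ] && pf_first=$pf_d
        if [ "$pf_prev" = "$1" ]; then
            echo "$pf_d"
            return 0
        fi
        pf_prev=$pf_d
    done
    echo "$pf_first"
}

# fullsync_plan: emit one "samba-tool drs replicate DEST SRC NC --full-sync"
# line per (destination DC, naming context). A single-DC domain produces no
# lines, since there is nothing to replicate from.
fullsync_plan() {
    for fp_dest in $DCS; do
        fp_src=$(partner_of "$fp_dest")
        [ "$fp_src" = "$fp_dest" ] && continue
        for fp_nc in $NCS; do
            printf 'samba-tool drs replicate %s %s %s --full-sync\n' \
                "$fp_dest" "$fp_src" "$fp_nc"
        done
    done
}

# fullsync_run: execute the plan line by line, stopping at the first failure
# so a DC that did not complete its full-sync is not silently skipped.
fullsync_run() {
    fullsync_plan | while IFS= read -r fr_cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "DRY RUN: $fr_cmd"
        else
            $fr_cmd || return 1
        fi
    done
}

fullsync_run
```

Run it once as-is to review the plan, then with DRY_RUN=0 on a host where samba-tool can reach every DC. With three DCs and two naming contexts it produces six commands; adding a DC or an application partition extends the plan without any per-pair bookkeeping.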
SUSE-SU-2020:0223-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1141320,1160850,1160852,1160888
CVE References: CVE-2019-14902,CVE-2019-14907,CVE-2019-19344
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP1 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15-SP1 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1
SUSE Linux Enterprise Module for Basesystem 15-SP1 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.243.e76c5cb3d97-3.21.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
SUSE-SU-2020:0224-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1160850,1160888
CVE References: CVE-2019-14902,CVE-2019-14907
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    samba-4.7.11+git.218.58b95cbfc0f-4.37.1
SUSE Linux Enterprise Server 15-LTSS (src):    samba-4.7.11+git.218.58b95cbfc0f-4.37.1
SUSE Linux Enterprise Module for Packagehub Subpackages 15 (src):    samba-4.7.11+git.218.58b95cbfc0f-4.37.1
SUSE Linux Enterprise Module for Open Buildservice Development Tools 15 (src):    samba-4.7.11+git.218.58b95cbfc0f-4.37.1
SUSE Linux Enterprise Module for Basesystem 15 (src):    samba-4.7.11+git.218.58b95cbfc0f-4.37.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    samba-4.7.11+git.218.58b95cbfc0f-4.37.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    samba-4.7.11+git.218.58b95cbfc0f-4.37.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.218.58b95cbfc0f-4.37.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
openSUSE-SU-2020:0122-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1141320,1160850,1160852,1160888
CVE References: CVE-2019-14902,CVE-2019-14907,CVE-2019-19344
Sources used:
openSUSE Leap 15.1 (src):    samba-4.9.5+git.243.e76c5cb3d97-lp151.2.15.1
done
SUSE-SU-2020:2673-1: An update that fixes 15 vulnerabilities is now available.

Category: security (important)
Bug References: 1141267,1144902,1154289,1154598,1158108,1158109,1160850,1160852,1160888,1169850,1169851,1173159,1173160,1173359,1174120
CVE References: CVE-2019-10197,CVE-2019-10218,CVE-2019-14833,CVE-2019-14847,CVE-2019-14861,CVE-2019-14870,CVE-2019-14902,CVE-2019-14907,CVE-2019-19344,CVE-2020-10700,CVE-2020-10704,CVE-2020-10730,CVE-2020-10745,CVE-2020-10760,CVE-2020-14303
JIRA References:
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise Server 12-SP5 (src):    ldb-1.5.8-3.5.1, samba-4.10.17+git.203.862547088ca-3.14.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.17+git.203.862547088ca-3.14.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.