CVE-2014-8143: Elevation of privilege to Active Directory Domain Controller

Description

Samba’s AD DC allows the administrator to delegate
creation of user or computer accounts to specific users or groups.

However, all released versions of Samba’s AD DC did not implement the
additional required check on the UF_SERVER_TRUST_ACCOUNT bit in the
userAccountControl attributes.

As this was found during an internal audit of the Samba code there are
no currently known exploits for this problem (as of January 15th 2015).

Caveats

Most Samba deployments are not of the AD Domain Controller, but are of
the classic domain controller, the file server or print server. Only
the AD DC is affected by this issue.

Additionally, most sites running the AD Domain Controller do not
configure delegation for the creation of user or computer accounts,
and so are not vulnerable to this issue, as no writes are permitted to
the userAccountControl attribute, no matter what the value.

Patch Availability

Patches addressing all these issues have been posted to:

http://www.samba.org/samba/security/

Samba versions 4.0.24, 4.1.16, and 4.2rc4 have been released to
address this issue. Patches for 3.x are not required, as these
do not contain the AD Domain Controller code.

Workaround

Do not delegate permission to create users or computers beyond the
default of Domain Administrators.

Credits

This problem was found by an internal audit of the Samba code by
Andrew Bartlett of Catalyst IT. Special thanks also go to Zentyal.

Patches provided by Andrew Bartlett, Garming Sam of Catalyst IT and
the Samba team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team