CVSS3: 5.9 Medium
Attack Vector: NETWORK
Attack Complexity: HIGH
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: NONE
Integrity Impact: HIGH
Availability Impact: NONE
Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CVSS2: 4.3 Medium
Access Vector: NETWORK
Access Complexity: MEDIUM
Authentication: NONE
Confidentiality Impact: NONE
Integrity Impact: PARTIAL
Availability Impact: NONE
Vector: AV:N/AC:M/Au:N/C:N/I:P/A:N
EPSS: 0.003 Low
Percentile: 65.8%
Samba uses various LDAP client libraries: a builtin one and/or the system
LDAP libraries (typically OpenLDAP).
As an Active Directory domain controller, Samba also provides an LDAP server.
Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
for LDAP connections, including possible integrity (sign) and privacy (seal)
protection.
Samba has supported an option called "client ldap sasl wrapping" since version
3.2.0. Its default value changed from "plain" to "sign" with version 4.2.0.
Tools using the builtin LDAP client library do not obey the
"client ldap sasl wrapping" option. This applies to tools like
"samba-tool", "ldbsearch", "ldbedit" and more. Some of them have command line
options like "--sign" and "--encrypt". With the security update they will
also obey the "client ldap sasl wrapping" option by default.
In all cases, even if explicitly requested via "client ldap sasl wrapping",
"--sign" or "--encrypt", the protection can be downgraded by a man in the
middle.
The LDAP server doesn't have an option to enforce strong authentication
yet. The security patches will introduce a new option called
"ldap server require strong auth"; possible values are "no",
"allow_sasl_over_tls" and "yes".
As the default behavior was "no" before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use
integrity protection.
ldap server require strong auth (G)
The ldap server require strong auth defines whether the
ldap server requires ldap traffic to be signed or
signed and encrypted (sealed). Possible values are no,
allow_sasl_over_tls and yes.
A value of no allows simple and sasl binds over all transports.
A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
over TLS encrypted connections. Unencrypted connections only
allow sasl binds with sign or seal.
A value of yes allows only simple binds over TLS encrypted connections.
Unencrypted connections only allow sasl binds with sign or seal.
Default: ldap server require strong auth = yes
Tools like "samba-tool", "ldbsearch", "ldbedit" and more obey the
default of "client ldap sasl wrapping = sign". Even with
"client ldap sasl wrapping = plain" they will automatically upgrade
to "sign" when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
server.
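
One way to check a configuration for the two options described above, as an added example that is not part of the advisory or of Samba's code. It assumes a patched release, so the defaults are the ones stated above; the function names and the sample smb.conf text are constructed for illustration, and include directives and line continuations are not followed.

```python
import re

SERVER_OPT = "ldap server require strong auth"
CLIENT_OPT = "client ldap sasl wrapping"
# Defaults as stated in the advisory for patched releases (assumption).
DEFAULTS = {SERVER_OPT: "yes", CLIENT_OPT: "sign"}
# Values the advisory describes as relaxing signing requirements.
WEAK = {
    (SERVER_OPT, "no"): "simple and SASL binds allowed on all transports",
    (SERVER_OPT, "allow_sasl_over_tls"): "unsigned SASL binds allowed over TLS",
    (CLIENT_OPT, "plain"): "tools sign only after LDAP_STRONG_AUTH_REQUIRED",
}

# Constructed sample configuration, not taken from a real system.
SAMPLE_CONF = """\
[global]
    ; relaxed while old clients are migrated
    LDAP Server Require Strong Auth = no
    client ldap sasl wrapping = plain
[share]
    ldap server require strong auth = yes
"""

def norm(name):
    # smb.conf ignores case and whitespace in parameter names.
    return re.sub(r"\s+", "", name).lower()

def parse_global(text):
    """Return {normalized name: value} for the [global] section only."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[norm(name)] = value.strip().lower()
    return params

def audit(text):
    """Return (option, effective value, finding) for each relaxed setting."""
    params = parse_global(text)
    findings = []
    for option, default in DEFAULTS.items():
        value = params.get(norm(option), default)
        if (option, value) in WEAK:
            findings.append((option, value, WEAK[(option, value)]))
    return findings
```

Calling `audit(SAMPLE_CONF)` reports both relaxed settings from `[global]` and ignores the line under `[share]`.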
A patch addressing this defect has been posted to
https://www.samba.org/samba/security/
Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.
Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.
None.
This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.