The LDAP client and server don't enforce integrity protection

Description

Samba uses various LDAP client libraries, a builtin one and/or the system
ldap libraries (typically openldap).

As active directory domain controller Samba also provides an LDAP server.

Samba takes care of doing SASL (GSS-SPNEGO) authentication with Kerberos or NTLMSSP
for LDAP connections, including possible integrity (sign) and privacy (seal)
protection.

Samba has support for an option called “client ldap sasl wrapping” since version
3.2.0. Its default value has changed from “plain” to “sign” with version 4.2.0.

Tools using the builtin LDAP client library do not obey the
“client ldap sasl wrapping” option. This applies to tools like:
“samba-tool”, “ldbsearch”, “ldbedit” and more. Some of them have command line
options like “–sign” and “–encrypt”. With the security update they will
also obey the “client ldap sasl wrapping” option as default.

In all cases, even if explicitly request via “client ldap sasl wrapping”,
“–sign” or “–encrypt”, the protection can be downgraded by a man in the
middle.

The LDAP server doesn’t have an option to enforce strong authentication
yet. The security patches will introduce a new option called
“ldap server require strong auth”, possible values are “no”,
“allow_sasl_over_tls” and “yes”.

As the default behavior was as “no” before, you may
have to explicitly change this option until all clients have
been adjusted to handle LDAP_STRONG_AUTH_REQUIRED errors.
Windows clients and Samba member servers already use
integrity protection.

New smb.conf option

ldap server require strong auth (G)

The ldap server require strong auth defines whether the
ldap server requires ldap traffic to be signed or
signed and encrypted (sealed). Possible values are no,
allow_sasl_over_tls and yes.

A value of no allows simple and sasl binds over all transports.

A value of allow_sasl_over_tls allows simple and sasl binds (without sign or seal)
over TLS encrypted connections. Unencrypted connections only
allow sasl binds with sign or seal.

A value of yes allows only simple binds over TLS encrypted connections.
Unencrypted connections only allow sasl binds with sign or seal.

Default: ldap server require strong auth = yes

Behavior changes

Tools like “samba-tool”, “ldbsearch”, “ldbedit” and more obey the
default of “client ldap sasl wrapping = sign”. Even with
“client ldap sasl wrapping = plain” they will automatically upgrade
to “sign” when getting LDAP_STRONG_AUTH_REQUIRED from the LDAP
server.

Patch Availability

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.4.2, 4.3.8 and 4.2.11 have been issued as
security releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible.

Note that Samba 4.4.1, 4.3.7 and 4.2.10 were privately released to vendors,
but had a regression, which is fixed in 4.4.2, 4.3.8 and 4.2.11.

Workaround

None.

Credits

This vulnerability was discovered and researched by Stefan Metzmacher of
SerNet (https://samba.plus) and the Samba Team (https://www.samba.org).
He provides the fixes in collaboration with the Samba Team.