5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
61.6%
The S4U (MS-SFU) Kerberos delegation model includes a feature allowing
for a subset of clients to be opted out of constrained delegation in
any way, either S4U2Self or regular Kerberos authentication, by
forcing all tickets for these clients to be non-forwardable. In AD
this is implemented by a user attribute delegation_not_allowed (aka
not-delegated), which translates to disallow-forwardable.
However the Samba AD DC does not do that for S4U2Self and does set the
forwardable flag even if the impersonated client has the not-delegated
flag set.
Note: while the experimental MIT AD-DC build does not support S4U, it
should still be patched due to a related bug in regular authentication.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Only clients configured directly in LDAP or via a Windows tools
could have been marked as sensitive and so have been expected to have
this protection. Therefore most Samba sites will not have been using
this feature and so are not impacted either way.
Originally reported by Isaac Boukris of Red Hat and the Samba Team.
Patches provided by Isaac Boukris of Red Hat and the Samba Team.
Advisory written by Andrew Bartlett of Catalyst and Isaac Boukris of
Red Hat and the Samba Team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
5.4 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
LOW
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
6.4 Medium
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
NONE
AV:N/AC:L/Au:N/C:P/I:P/A:N
0.002 Low
EPSS
Percentile
61.6%