Samba Security advisory: CVE-2019-14902
Jan 21, 2020
www.samba.org

Replication of ACLs set to inherit down a

CVSS3: 5.4 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: LOW
  Integrity Impact: LOW
  Availability Impact: NONE
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CVSS2: 5.5 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: PARTIAL
  Integrity Impact: PARTIAL
  Availability Impact: NONE
  Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N

EPSS: 0.002 Low (percentile 60.2%)

Description

A newly delegated right, but more importantly the removal of a
delegated right, would not be inherited on any DC other than the one
where the change was made.

For example:

  • if a user or group was previously delegated the right to
    create or modify a subtree (say to allow desktop support to reset
    passwords and create users)
  • and subsequently this right was taken away

The removal would not automatically be taken away on all domain
controllers.

Because this patch only fixes new replication into the future, it is
vital that a full-sync be done TO each Domain Controller to ensure
each ACL (ntSecurityDescriptor) is re-calculated on the whole set of
DCs. See the instructions in “workaround and required steps
post-upgrade” below.

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

Workaround and required steps post-upgrade

Use of ‘samba-tool drs replicate $DC1 $DC2 $NC --full-sync’ will cause
all ACLs to be synchronised from DC2 to DC1, for the given NC (naming
context), e.g.:

samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync
samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync
samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

Internally, in both patched and un-patched versions, inheritance is
correctly recalculated for every object replicated with --full-sync.
This only needs to be done TO each DC, not for every pair of DCs.
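The advisory shows the commands for two DCs by hand. The following script is an added example, not part of the Samba advisory, that generalises the procedure to any number of DCs: it emits one inbound --full-sync per destination DC and per naming context, sourcing from any other DC, which is exactly the "TO each DC, not for each pair" requirement stated above. The DC names, the domain DN and the NC list are constructed values for illustration; a real run (DRY_RUN=0) assumes samba-tool is on PATH and is executed with the credentials samba-tool drs normally requires.

```shell
#!/bin/sh
# Added example, not from the Samba advisory: plan (and optionally run)
# the post-upgrade full-sync TO every domain controller.
# Hypothetical values: the DC names, domain DN and NC list below are
# constructed for illustration; samba-tool must be on PATH for a real run.

DOMAIN_DN="DC=samba,DC=example,DC=com"      # constructed example domain
DCS="my-DC1 my-DC2 my-DC3"                  # constructed DC list
# Naming contexts to re-sync; the advisory shows the domain NC and the
# Configuration NC, so those are the defaults here.
NCS="$DOMAIN_DN CN=Configuration,$DOMAIN_DN"
DRY_RUN="${DRY_RUN:-1}"                     # 1 = print only (default)

# plan_full_sync DCS NCS
# Prints one 'samba-tool drs replicate DEST SRC NC --full-sync' line per
# (destination DC, NC). The source is simply another DC: the advisory
# states that a full-sync TO each DC recalculates inheritance there, so
# one inbound sync per DC suffices and no pairwise matrix is needed.
plan_full_sync() {
    dcs=$1; ncs=$2
    for dest in $dcs; do
        src=
        for cand in $dcs; do
            if [ "$cand" != "$dest" ]; then src=$cand; break; fi
        done
        if [ -z "$src" ]; then
            echo "plan_full_sync: need at least two DCs" >&2
            return 1
        fi
        for nc in $ncs; do
            echo "samba-tool drs replicate $dest $src $nc --full-sync"
        done
    done
}

# run_full_sync: execute the plan line by line and stop at the first
# failure, so a DC whose inbound sync did not complete is not silently
# skipped. $cmd is deliberately unquoted so the line splits into words;
# DNs contain no whitespace.
run_full_sync() {
    plan_full_sync "$DCS" "$NCS" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "[dry-run] $cmd"
        else
            $cmd || { echo "failed: $cmd" >&2; exit 1; }
        fi
    done
}

run_full_sync
```

Run it once as-is to review the planned commands, then with DRY_RUN=0 to execute them; a non-zero exit means at least one DC still needs its inbound full-sync.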

Credits

Reported by a number of Samba users and sites since 2017, but now
recognised as a security issue after triage. We apologise for the
delay in dealing with this issue.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
