7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
46.2%
Samba as an Active Directory Domain Controller is based on Kerberos,
which provides name-based authentication. These names are often then
used for authorization.
However Microsoft Windows and Active Direcory is SID-based. SIDs in
Windows, similar to UIDs in Linux/Unix (if managed well) are globally
unique and survive name changes. At the meeting of these two
authorization schemes it is possible to confuse a server into acting
as one user when holding a ticket for another.
A Kerberos ticket, once issued, may be valid for some time, often 10
hours but potentially longer. In Active Directory, it may or may not
carry a PAC, holding the user’s SIDs.
A simple example of the problem is on Samba’s LDAP server, which
would, unless “gensec:require_pac = true” was set, permit a fall back
to using the name in the Kerberos ticket alone. (All Samba AD
services fall to the same issue in one way or another, LDAP is just a
good example).
Delegated administrators with the right to create other user or
machine accounts can abuse the race between the time of ticket issue
and the time of presentation (back to the AD DC) to impersonate a
different account, including a highly privileged account.
This could allow total domain compromise.
Samba as an AD DC will now always issue a Kerberos PAC in the AD-REQ
and require that tickets presented back to the DC have a PAC, both in
the KDC and elsewhere.
Tickets issued by an unpatched DC that do not have a Kerberos PAC (eg
with the --no-request-pac option to MIT kerberos kinit) will be denied
after the upgrade, even if they are otherwise still valid.
This also means that the Kerberos TCP transport is likely to be
required to connect to the Samba AD DC, as a PAC is unlikely to fit in
a UDP packet. PAC-free tickets are still supported for target
services (eg NFS), via an flag within the PAC preventing it being
put into the final ticket.
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.15.2, 4.14.10 and 4.13.14 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
This CVSSv3 calculation is assuming the other Samba issues are
addressed, and user/computer creation is an at least partially
privileged action.
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (7.2)
Originally reported by Andrew Bartlett.
Patches provided by:
Advisory written by Andrew Bartlett of Catalyst
Catalyst would like to particularly thank Red Hat and SerNet for their
contribution to fixing this issue.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
7.2 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
HIGH
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
9 High
CVSS2
Access Vector
NETWORK
Access Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:L/Au:S/C:C/I:C/A:C
0.001 Low
EPSS
Percentile
46.2%