Samba Security: CVE-2023-0922

Mar 29, 2023

Samba AD DC admin tool samba-tool sends passwords in cleartext

Samba Security, www.samba.org

CVSS3: 5.9 Medium
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector: NETWORK; Attack Complexity: HIGH; Privileges Required: NONE; User Interaction: NONE; Scope: UNCHANGED; Confidentiality Impact: HIGH; Integrity Impact: NONE; Availability Impact: NONE

CVSS2: 2.6 Low
AV:N/AC:H/Au:N/C:P/I:N/A:N
Access Vector: NETWORK; Access Complexity: HIGH; Authentication: NONE; Confidentiality Impact: PARTIAL; Integrity Impact: NONE; Availability Impact: NONE

EPSS: 0.002 Low (percentile 56.8%)

Description

Active Directory allows passwords to be set and changed over LDAP.
Microsoft’s implementation imposes a restriction that this may only
happen over an encrypted connection; Samba currently does not impose
this restriction.

Samba’s samba-tool client tool likewise has no restriction regarding
the security of the connection it will set a password over.

An attacker able to observe the network traffic between samba-tool and
the Samba AD DC could obtain newly set passwords if samba-tool
connected using a Kerberos secured LDAP connection against a Samba AD
DC.

This would happen when samba-tool was used to reset a user’s
password, or to add a new user.

This only impacts connections made using Kerberos as NTLM-protected
connections are upgraded to encryption regardless.

This patch changes all Samba AD LDAP client connections to use
encryption, as well as integrity protection, by default, by changing
the default value of “client ldap sasl wrapping” to “seal” in Samba’s
smb.conf.

Administrators should confirm this value has not been overridden in
their local smb.conf to obtain the benefit of this change.

NOTE WELL: Samba, for consistency, uses a common smb.conf option for
LDAP client behaviour. Therefore this will also encrypt the AD LDAP
connections between Samba’s winbindd and any AD DC, so this patch will
also change behaviour for Samba Domain Member configurations.

If this is a concern, the smb.conf value “client ldap sasl wrapping”
can be reset to “sign”.
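The advisory asks administrators to confirm that “client ldap sasl wrapping” has not been overridden in their local smb.conf. The following is an added example, not code from the Samba advisory or the Samba project, that parses an smb.conf and reports the effective value and whether the LDAP client connection will be encrypted; the sample smb.conf contents are constructed, and the pre-fix default of “sign” is an assumption drawn from the advisory’s rollback note.

```python
"""Audit smb.conf for 'client ldap sasl wrapping' (CVE-2023-0922 mitigation check).

Added example, not from the Samba advisory or code base. Samba compares parameter
names case-insensitively and ignoring whitespace, so the 'clientldapsaslwrapping'
spelling used with --option names the same parameter as the smb.conf form.
"""
import re

PARAM = "client ldap sasl wrapping"
# Default after the fix is "seal"; "sign" is assumed to be the previous default,
# matching the advisory's note that the value "can be reset to sign".
DEFAULT_PATCHED, DEFAULT_UNPATCHED = "seal", "sign"

def normalise(name: str) -> str:
    """Fold 'Client LDAP SASL Wrapping' and 'clientldapsaslwrapping' to one key."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text: str) -> dict:
    """Minimal smb.conf parse: {section: {normalised_key: value}}; a later line wins."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][normalise(key)] = value.strip().lower()
    return sections

def effective_wrapping(text: str, patched: bool = True) -> str:
    """Effective [global] value, falling back to the release's compiled-in default."""
    glob = parse_smb_conf(text).get("global", {})
    return glob.get(normalise(PARAM), DEFAULT_PATCHED if patched else DEFAULT_UNPATCHED)

def ldap_client_encrypted(text: str, patched: bool = True) -> bool:
    """True only for 'seal'; 'sign' adds integrity but leaves the password readable."""
    return effective_wrapping(text, patched) == "seal"

# Constructed samples: a legacy override in [global] silently undoes the new default.
SAMPLE_OVERRIDDEN = "[global]\n  workgroup = EXAMPLE\n  Client LDAP SASL Wrapping = sign\n"
SAMPLE_DEFAULTS = "[global]\n  workgroup = EXAMPLE\n"

if __name__ == "__main__":
    for label, conf in (("overridden", SAMPLE_OVERRIDDEN), ("defaults", SAMPLE_DEFAULTS)):
        print(f"{label}: {PARAM} = {effective_wrapping(conf)} "
              f"-> LDAP client traffic encrypted: {ldap_client_encrypted(conf)}")
```

Because the same option governs winbindd’s LDAP connections on domain members, the check applies to member servers as well as to hosts running samba-tool.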

Patch Availability

Patches addressing both these issues have been posted to:

https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

CVSSv3 calculation

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)

Workaround

Set “client ldap sasl wrapping = seal” in the smb.conf or add the
--option=clientldapsaslwrapping=sign option to any samba-tool or
ldbmodify invocation that sets a password.

Credits

Originally reported by Andrew Bartlett of Catalyst and the Samba Team
working with Rob van der Linde of Catalyst.

Patches provided by Rob van der Linde of Catalyst and Andrew Bartlett
of Catalyst and the Samba Team.

== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
