Skip to content

CVE-2018-14628: Unprivileged read of deleted object tombstones in AD LDAP server

Douglas Bagnallrequested to merge
samba-team/devel/samba:douglas-4-17-CVE-2018-14628 into v4-17-test

This is https://bugzilla.samba.org/show_bug.cgi?id=13595

It was not released as part of an embargoed security release, as it fell just short of the line for that extra work. There was however a CVE allocated and an announcement made.

From the announcement text:

All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller.

When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object instead of being very strict (as on a Windows provisioned domain).

This means also non privileged users can use the LDAP_SERVER_SHOW_DELETED_OID control in order to view, the names and preserved attributes of deleted objects.

No information that was hidden before the deletion is visible, but in with the correct ntSecurityDescriptor value in place the whole object is also not visible without administrative rights.

There is no further vulnerability associated with this error, merely an information disclosure.

Action required in order to resolve CVE-2018-14628!

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command (on only one domain controller) in order to apply the protection to an existing domain:

samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the changes before they are applied. Typical question look like this:

 Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
       Owner mismatch: SY (in ref) DA(in current)
       Group mismatch: SY (in ref) DA(in current)
       Part dacl is different between reference and current here is the detail:
               (A;;LCRPLORC;;;AU) ACE is not present in the reference
               (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
               (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
               (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
               (A;;LCRP;;;BA) ACE is not present in the current
  [y/N/all/none] y
 Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with 'CN=Deleted Objects'.

CVSSv3: 4.3

In the bug report we guessed:

CVSSv3: https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (4.3)

Merge request reports