Headline
CVE-2019-14870: Samba - Security Announcement Archive
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.
CVE-2019-14870.html:
=========================================================== == Subject: DelegationNotAllowed not being enforced == in protocol transition on Samba AD DC. == == CVE ID#: CVE-2019-14870 == == Versions: All Samba versions since Samba 4.0 == == Summary: The DelegationNotAllowed Kerberos feature restriction == was not being applied when processing protocol == transition requests (S4U2Self), in the AD DC KDC. ===========================================================
=========== Description ===========
The S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable.
However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.
Note: while the experimental MIT AD-DC build does not support S4U, it should still be patched due to a related bug in regular authentication.
================== Patch Availability ==================
Patches addressing both these issues have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.11.3, 4.10.11 and 4.9.17 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible.
================== CVSSv3 calculation ==================
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
========================= Workaround and mitigation =========================
Only clients configured directly in LDAP or via a Windows tools could have been marked as sensitive and so have been expected to have this protection. Therefore most Samba sites will not have been using this feature and so are not impacted either way.
======= Credits =======
Originally reported by Isaac Boukris of Red Hat and the Samba Team.
Patches provided by Isaac Boukris of Red Hat and the Samba Team.
Advisory written by Andrew Bartlett of Catalyst and Isaac Boukris of Red Hat and the Samba Team.
========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================
Related news
Gentoo Linux Security Advisory 202310-6 - Multiple vulnerabilities have been discovered in Heimdal, the worst of which could lead to remote code execution on a KDC. Versions greater than or equal to 7.8.0-r1 are affected.
Dell Streaming Data Platform prior to 1.4 contains Open Redirect vulnerability. An attacker with privileges same as a legitimate user can phish the legitimate the user to redirect to malicious website leading to information disclosure and launch of phishing attacks.
Hello everyone! Great news for my open source Scanvus project! You can now perform vulnerability checks on Linux hosts and docker images not only using the Vulners.com API, but also with the Vulns.io VM API. It’s especially nice that all the code to support the new API was written and contributed by colleagues from Vulns.io. […]