=========================================================== == Subject: Access controlled LDAP attributes can be discovered == == CVE ID#: CVE-2023-0614 == == Versions: All Samba releases since Samba 4.7.9, 4.8.4, 4.9.7 and 4.6.16 == == Summary: The fix in the above versions for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was incomplete and a viable timing attack has been demonstrated to obtain confidential BitLocker recovery keys from a Samba AD DC. =========================================================== =========== Description =========== In Active Directory, there are essentially four different classes of attributes. - Secret attributes that are never disclosed and are not available to search against over LDAP. This is a hard-coded list, and in Samba these are additionally encrypted in the DB with a per-DB key. - Confidential attributes (marked as such in the schema) that have a default access restriction allowing access only to the owner of the object. - Access controlled attributes (for reads or writes), Samba will honour the access control specified in the ntSecurityDescriptor. - Public attributes for read. Most attributes in Active Directory are available to read by all authenticated users. Because the access control rules for a given attribute are not consistent between objects, Samba implemented access control restrictions only after matching objects against the filter, except that it will prevent (by encryption of the attribute and redaction of the LDAP filter (query) searches on secret attributes. However this approach allows a timing attack using LDAP filters against confidential or otherwise access controlled attributes, with this approach disclosing an access controlled value in seconds. With this security patch, for attributes mentioned in the search filter, Samba will perform a per-object access control evaluation before LDAP filter matching on the attribute, preventing unauthorised disclosure of the value of (for example) BitLocker recovery keys. =========== Limitations =========== It is not expected that all other timing attacks have been prevented, and it is likely still possible to determine if an object or attribute on an object is present, but not the contents. Additionally, due to the nature of our object indexes, Samba must evaluate these prior to ACL checking, so read access controlled, information should not be stored in indexed attributes. The list of indexed attributes can be seen (adapt for your local environment) with: ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=1))' lDAPDisplayName This patch will however prevent attributes marked as 'confidential' in the schema from any longer being regarded as indexed attributes (no such attributes have this combination by default). Search results for these will be safer, but slower. The impacted attributes on your server can be seen with: ldbsearch -U$USERNAME -H ldap://$SERVER -b CN=Schema,CN=Configuration,$BASE_DN '(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=129))' lDAPDisplayName ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba $VERSIONS have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N (6.5) ========== Workaround ========== Do not store confidential information in Active Directory, other than passwords or keys required for AD operation (as these are in the hard-coded secret attribute list). ======= Credits ======= Originally reported by Demi Marie Obenour of Invisible Things Lab. Patches provided by Joseph Sutton of Catalyst and the Samba team, reviewed by Andrew Bartlett of Catalyst and the Samba Team. Advisory by Andrew Bartlett of Catalyst and the Samba Team ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ==========================================================