Bug 1791201 (CVE-2019-14902)

Summary: CVE-2019-14902 samba: Replication of ACLs set to inherit down a subtree on AD Directory not automatic
Product: [Other] Security Response
Reporter: Huzaifa S. Sidhpurwala <huzaifas>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
QA Contact:
Severity: medium
Docs Contact:
Priority: medium
Version: unspecified
CC: abokovoy, anoopcs, asn, dblechte, dfediuck, eedri, gdeschner, hvyas, iboukris, iboukris, jarrpa, jstephen, lmohanty, madam, mgoldboi, michal.skrivanek, puebele, rhs-smb, sbonazzo, sbose, security-response-team, sherold, sisharma, ssorce, vbellur, yturgema
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: samba 4.11.5, samba 4.10.12, samba 4.9.18
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in samba. A newly delegated right, but more importantly the removal of a delegated right, would not be inherited on any DC other than the one where the change was made; the removal would not automatically be taken away on all domain controllers. The highest threat from this vulnerability is to data confidentiality and integrity.
Story Points: ---
Clone Of:
Environment:
Last Closed: 2020-01-21 09:56:35 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 1793405
Bug Blocks: 1790872

Description Huzaifa S. Sidhpurwala 2020-01-15 08:35:07 UTC
As per upstream advisory:

A newly delegated right, but more importantly the removal of a delegated right, would not be inherited on any DC other than the one where the change was made.

For example:
 - if a user or group was previously delegated the right to create or modify a subtree (say to allow desktop support to reset passwords and create users)
 - and subsequently this right was taken away

The removal would not automatically be taken away on all domain controllers.

Because this patch only fixes new replication into the future, it is vital that a full-sync be done TO each Domain controller to ensure each ACL (ntSecurityDescriptor) is re-calculated on the whole set of DCs.  See the instructions in "workaround and required steps post-upgrade" below.

Comment 1 Huzaifa S. Sidhpurwala 2020-01-15 08:35:10 UTC
Acknowledgments:

Name: the Samba project

Comment 2 Huzaifa S. Sidhpurwala 2020-01-15 08:35:12 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.

Comment 3 Huzaifa S. Sidhpurwala 2020-01-15 08:35:14 UTC
Mitigation:

Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause all ACLs to be synchronised from DC2 to DC1, for the given NC (naming context), e.g.:

samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync 
samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync 

samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync 
samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

Internally, both in patched and unpatched versions, for every object replicated with a --full-sync, the inheritance will be correctly calculated. This only needs to be done TO each DC, not for each pair-wise pair.
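
The post-upgrade step above is easy to get wrong in a domain with more than two DCs (a sync is needed TO every DC, but not between every pair). The script below is an added example, not code from the Samba advisory or from this bug; it only emits and optionally runs the exact 'samba-tool drs replicate DEST SRC NC --full-sync' form given in the mitigation. The DC names, the naming-context list and the function names (build_full_sync_commands, run_full_sync) are constructed placeholders; the two naming contexts are the ones named in the mitigation, and the list should be extended to whatever other naming contexts the domain carries.

```shell
#!/bin/sh
# Added example, not from the Samba advisory or this bug report: plan (and
# optionally run) the post-upgrade full-sync TO every DC in the domain.
# For each destination DC one other DC is chosen as the source, and the
# samba-tool invocation from the mitigation is emitted once per naming
# context. DC names and naming contexts below are constructed placeholders.

# Print one "samba-tool drs replicate DEST SRC NC --full-sync" line per
# (destination DC, naming context) pair.
#   $1  space-separated list of all DCs in the domain
#   $2  space-separated list of naming contexts to re-sync
build_full_sync_commands() {
    dcs=$1
    ncs=$2
    for dest in $dcs; do
        # Source: the first DC in the list that is not the destination.
        # Which DC acts as source does not matter; what matters is that
        # every DC receives a full sync, because inheritance is recalculated
        # on the receiving side for every replicated object.
        src=
        for cand in $dcs; do
            if [ "$cand" != "$dest" ]; then
                src=$cand
                break
            fi
        done
        [ -n "$src" ] || continue   # single-DC domain: nothing to replicate
        for nc in $ncs; do
            printf 'samba-tool drs replicate %s %s %s --full-sync\n' \
                "$dest" "$src" "$nc"
        done
    done
}

# Execute the plan; stop at the first failed replication so a DC is not
# silently left with stale ACLs.
run_full_sync() {
    build_full_sync_commands "$1" "$2" | while IFS= read -r cmd; do
        echo "+ $cmd"
        $cmd || { echo "full-sync failed: $cmd" >&2; exit 1; }
    done
}

# Dry-run plan for the two DCs and two naming contexts named in the
# mitigation (constructed example values); reproduces its four commands.
build_full_sync_commands "my-DC1 my-DC2" \
    "DC=samba,DC=example,DC=com CN=Configuration,DC=samba,DC=example,DC=com"
```

Run the script as-is to review the plan first; call run_full_sync with the same two arguments on a DC once the plan is what you expect. With three DCs and two naming contexts the plan is six commands (one source per destination), not the twelve a pairwise loop would produce.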

Comment 4 Huzaifa S. Sidhpurwala 2020-01-21 09:54:50 UTC
External References:

https://www.samba.org/samba/security/CVE-2019-14902.html

Comment 5 Huzaifa S. Sidhpurwala 2020-01-21 09:55:46 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1793405]