Bug 1625445 (CVE-2018-14628) - CVE-2018-14628 samba: Unprivileged read of deleted object tombstones in AD LDAP server
Summary: CVE-2018-14628 samba: Unprivileged read of deleted object tombstones in AD LD...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2018-14628
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2160799
Blocks: 1945370 1625448
 
Reported: 2018-09-05 00:38 UTC by Sam Fowler
Modified: 2023-01-13 18:21 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
An information leak vulnerability was discovered in Samba's LDAP server. Due to missing access control checks, an authenticated but unprivileged attacker could discover the names and preserved attributes of deleted objects in the LDAP store.
Clone Of:
Environment:
Last Closed: 2021-10-25 22:16:01 UTC



Description Sam Fowler 2018-09-05 00:38:28 UTC
All versions of Samba from 4.0.0 onwards are vulnerable to an information leak (compared with the established behaviour of Microsoft's Active Directory) when Samba is an Active Directory Domain Controller.

Missing access control checks on the LDAP_SERVER_SHOW_DELETED_OID control in the DSDB database layer cause the LDAP server to disclose, to authenticated but not privileged users, the names and preserved attributes of deleted objects. (Microsoft AD simply does not return these objects on a search).

No information that was hidden before the deletion is visible, but in Microsoft Active Directory the whole object is also not visible without administrative rights, whereas Samba allows reading of a limited set of attributes that are preserved after deletion.

Comment 1 Sam Fowler 2018-09-05 00:38:42 UTC
Acknowledgments:

Name: Andrew Bartlett (Catalyst and Samba Team)

Comment 2 Doran Moppert 2018-09-05 04:17:07 UTC
Upstream bug:

https://bugzilla.samba.org/show_bug.cgi?id=13595

Comment 3 Doran Moppert 2018-09-05 04:17:16 UTC
Statement:

Samba 4 packages distributed with Red Hat Enterprise Linux are built without the AD DC functionality, where this flaw is present. These packages are not affected by this vulnerability.

Comment 7 Pedro Sampaio 2023-01-13 18:21:25 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 2160799]

