Bug 1778589 (CVE-2019-14870) - CVE-2019-14870 samba: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC
Summary: CVE-2019-14870 samba: The DelegationNotAllowed Kerberos feature restriction w...
Alias: CVE-2019-14870
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1781545
Blocks: 1778587
TreeView+ depends on / blocked
Reported: 2019-12-02 05:36 UTC by Huzaifa S. Sidhpurwala
Modified: 2019-12-17 02:09 UTC (History)
18 users (show)

Fixed In Version: samba 4.11.3, samba 4.10.11, samba 4.9.17
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-12-17 02:09:26 UTC

Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2019-12-02 05:36:36 UTC
As per upstream advisory:

The S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable.  In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable.

However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.

Note: while the experimental MIT AD-DC build does not support S4U, it should still be patched due to a related bug in regular authentication.

Comment 1 Huzaifa S. Sidhpurwala 2019-12-02 05:38:15 UTC

Name: the Samba project
Upstream: Isaac Boukris (Red Hat and Samba Team)

Comment 2 Huzaifa S. Sidhpurwala 2019-12-02 05:38:18 UTC

Only clients configured directly in LDAP or via a Windows tools could have been marked as sensitive and so have been expected to have this protection.  Therefore most Samba sites will not have been using this feature and so are not impacted either way.

Comment 3 Huzaifa S. Sidhpurwala 2019-12-02 15:29:32 UTC

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.

Comment 4 Huzaifa S. Sidhpurwala 2019-12-10 09:06:31 UTC
External References:


Comment 5 Huzaifa S. Sidhpurwala 2019-12-10 09:09:48 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1781545]

Comment 6 Product Security DevOps Team 2019-12-17 02:09:26 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):


Note You need to log in before you can comment on or make changes to this bug.