Bug 1791201 (CVE-2019-14902) - CVE-2019-14902 samba: Replication of ACLs set to inherit down a subtree on AD Directory not automatic
Summary: CVE-2019-14902 samba: Replication of ACLs set to inherit down a subtree on AD...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2019-14902
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1793405
Blocks: 1790872
TreeView+ depends on / blocked
 
Reported: 2020-01-15 08:35 UTC by Huzaifa S. Sidhpurwala
Modified: 2020-01-21 09:56 UTC (History)
26 users (show)

Fixed In Version: samba 4.11.5, samba 4.10.12, samba 4.9.18
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-01-21 09:56:35 UTC


Attachments (Terms of Use)

Description Huzaifa S. Sidhpurwala 2020-01-15 08:35:07 UTC
As per upstream advisory:

A newly delegated right, but more importantly the removal of a delegated right, would not be inherited on any DC other than the one where the change was made.

For example:
 - if a user or group was previously delegated the right to create or modify a subtree (say to allow desktop support to reset passwords and create users)
 - and subsequently this right was taken away

The removal would not automatically be taken away on all domain controllers.

Because this patch only fixes new replication into the future, it is vital that a full-sync be done TO each Domain controller to ensure each ACL (ntSecurityDescriptor) is re-calculated on the whole set of DCs.  See the instructions in "workaround and required steps post-upgrade" below.

Comment 1 Huzaifa S. Sidhpurwala 2020-01-15 08:35:10 UTC
Acknowledgments:

Name: the Samba project

Comment 2 Huzaifa S. Sidhpurwala 2020-01-15 08:35:12 UTC
Statement:

This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.

Comment 3 Huzaifa S. Sidhpurwala 2020-01-15 08:35:14 UTC
Mitigation:

Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause all ACLs to be syncronised from DC2 to DC1, for the given NC (naming
context), eg:

samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync 
samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync 

samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync 
samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

Internally both in patched and un-patched versions, for every object replicated with a --full-sync, the inheritance will be correctly calculated.  This only needs to be done TO each DC, not for each pair-wise pair.

Comment 4 Huzaifa S. Sidhpurwala 2020-01-21 09:54:50 UTC
External References:

https://www.samba.org/samba/security/CVE-2019-14902.html

Comment 5 Huzaifa S. Sidhpurwala 2020-01-21 09:55:46 UTC
Created samba tracking bugs for this issue:

Affects: fedora-all [bug 1793405]


Note You need to log in before you can comment on or make changes to this bug.