Bug 1209481 (CVE-2023-0922) - VUL-0: CVE-2023-0922: samba: AD DC admin tool samba-tool sends passwords in cleartext
Summary: VUL-0: CVE-2023-0922: samba: AD DC admin tool samba-tool sends passwords in c...
Status: RESOLVED FIXED
Alias: CVE-2023-0922
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P3 - Medium    Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/360609/
Whiteboard: CVSSv3.1:SUSE:CVE-2023-0922:6.5:(AV:N...
Keywords:
Depends on:
Blocks:
 
Reported: 2023-03-20 08:23 UTC by Robert Frohl
Modified: 2024-05-06 08:35 UTC

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments
Comment 6 Robert Frohl 2023-03-29 14:25:52 UTC
===========================================================
== Subject:     Samba AD DC admin tool samba-tool sends passwords in cleartext
==
== CVE ID#:     CVE-2023-0922
==
== Versions:    All versions of Samba since 4.0
==
== Summary:     The Samba AD DC administration tool, when operating
                against a remote LDAP server, will by default send
                new or reset passwords over a signed-only connection.
===========================================================

===========
Description
===========

Active Directory allows passwords to be set and changed over LDAP.
Microsoft's implementation imposes a restriction that this may only
happen over an encrypted connection, however Samba does not have this
restriction currently.

Samba's samba-tool client tool likewise has no restriction regarding
the security of the connection it will set a password over.

An attacker able to observe the network traffic between samba-tool and
the Samba AD DC could obtain newly set passwords if samba-tool
connected using a Kerberos secured LDAP connection against a Samba AD
DC.

This would happen when samba-tool was used to reset a user's
password, or to add a new user.

This only impacts connections made using Kerberos as NTLM-protected
connections are upgraded to encryption regardless.

This patch changes all Samba AD LDAP client connections to use
encryption, as well as integrity protection, by default, by changing
the default value of "client ldap sasl wrapping" to "seal" in Samba's
smb.conf.

Administrators should confirm this value has not been overridden in
their local smb.conf to obtain the benefit of this change.

NOTE WELL: Samba, for consistency, uses a common smb.conf option for
LDAP client behaviour.  Therefore this will also encrypt the AD LDAP
connections between Samba's winbindd and any AD DC, so this patch will
also change behaviour for Samba Domain Member configurations.

If this is a concern, the smb.conf value "client ldap sasl wrapping"
can be reset to "sign".

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba $VERSIONS have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N (5.9)

==========
Workaround
==========

Set "client ldap sasl wrapping = seal" in the smb.conf or add the
--option=clientldapsaslwrapping=sign option to any samba-tool or
ldbmodify invocation that sets a password.

=======
Credits
=======

Originally reported by Andrew Bartlett of Catalyst and the Samba Team
working with Rob van der Linde of Catalyst.

Patches provided by Rob van der Linde of Catalyst and Andrew Bartlett
of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================


from https://bugzilla.samba.org/show_bug.cgi?id=15315
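The fix and the workaround in the advisory above both come down to one smb.conf parameter: "client ldap sasl wrapping" must be "seal" (encryption) rather than "sign" (integrity only) for samba-tool and winbindd to encrypt the LDAP traffic that carries new passwords. The script below is an added example, not code from the Samba project or from SUSE. It reads the [global] section of an smb.conf, reports the effective value of that parameter (assuming the pre-fix default of sign unless told the host already runs a fixed release, whose default is seal), and flags the case the advisory warns about: an explicit override left in smb.conf that silently undoes the new default. Samba matches parameter names case-insensitively and ignores whitespace in them, so the script normalises keys the same way; this also covers the clientldapsaslwrapping spelling used with samba-tool's --option. The sample configurations it writes are constructed for the demo, and the realm, workgroup and paths in them are placeholders.

```shell
#!/bin/sh
# Added example for CVE-2023-0922 (not Samba or SUSE code): audit smb.conf for
# "client ldap sasl wrapping". Only "seal" encrypts Kerberos-authenticated LDAP
# traffic; "sign" (the pre-fix default) leaves passwords set by samba-tool or
# ldbmodify readable on the wire.

# ldap_wrapping CONF [DEFAULT]
# Print the effective value of "client ldap sasl wrapping" from the [global]
# section of CONF. DEFAULT is used when the option is absent: "sign" for a
# Samba release without the fix, "seal" for a fixed release.
ldap_wrapping() {
    conf="$1"; default="${2:-sign}"
    awk -v def="$default" '
        /^[[:space:]]*[;#]/ { next }                 # smb.conf comment lines
        /^[[:space:]]*\[/ {                          # section header, e.g. [global]
            s = $0; sub(/^[[:space:]]*\[/, "", s); sub(/\].*$/, "", s)
            section = tolower(s); next
        }
        section == "global" && index($0, "=") {
            # Samba ignores case and whitespace in parameter names, so
            # "Client LDAP SASL Wrapping" and "clientldapsaslwrapping" match.
            key = $0; sub(/=.*/, "", key); gsub(/[[:space:]]/, "", key)
            if (tolower(key) == "clientldapsaslwrapping") {
                v = $0; sub(/^[^=]*=/, "", v)
                gsub(/^[[:space:]]+|[[:space:]]+$/, "", v)
                val = tolower(v)                     # last assignment wins
            }
        }
        END { print (val == "" ? def : val) }
    ' "$conf"
}

# check_wrapping CONF [DEFAULT]
# Exit 0 and report OK when the effective value is "seal", otherwise exit 1.
check_wrapping() {
    v=$(ldap_wrapping "$1" "${2:-sign}")
    if [ "$v" = seal ]; then
        echo "OK:   $1: client ldap sasl wrapping = seal (LDAP traffic encrypted)"
        return 0
    fi
    echo "WEAK: $1: client ldap sasl wrapping = $v (password sets over Kerberos LDAP are not encrypted)"
    return 1
}

# write_samples DIR
# Constructed sample configurations for the demo; names are placeholders.
write_samples() {
    dir="$1"
    # Option absent: the result depends entirely on the Samba release default.
    cat > "$dir/unset.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    realm = EXAMPLE.COM
    server role = active directory domain controller
EOF
    # Explicit override: defeats the fixed release's new default of "seal".
    cat > "$dir/overridden.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    ; leftover from an older hardening guide
    Client LDAP SASL Wrapping = sign
[netlogon]
    path = /var/lib/samba/sysvol/example.com/scripts
EOF
    # Hardened: the advisory's workaround, effective on any Samba release.
    cat > "$dir/hardened.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    client ldap sasl wrapping = seal
EOF
}

# Demo run: the same override is harmless before the fix only in the sense
# that it matches the old default; on a fixed release it reintroduces the bug.
demo() {
    d=$(mktemp -d)
    write_samples "$d"
    echo "== assuming a pre-fix release (default sign) =="
    for f in "$d"/*.conf; do check_wrapping "$f" sign || :; done
    echo "== assuming a fixed release (default seal) =="
    for f in "$d"/*.conf; do check_wrapping "$f" seal || :; done
    rm -rf "$d"
}
demo
```

For a one-off password reset on a host whose smb.conf cannot be changed, the advisory's per-invocation form is the equivalent of the hardened sample: pass --option=clientldapsaslwrapping=seal to samba-tool or ldbmodify. On a live system Samba's own parser gives the same answer as the script, including any override: testparm -s --parameter-name='client ldap sasl wrapping'.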
Comment 7 Maintenance Automation 2023-03-29 16:30:01 UTC
SUSE-SU-2023:1687-1: An update that solves four vulnerabilities and has one fix can now be installed.

Category: security (important)
Bug References: 1201490, 1207416, 1209481, 1209483, 1209485
CVE References: CVE-2022-32746, CVE-2023-0225, CVE-2023-0614, CVE-2023-0922
Sources used:
SUSE Linux Enterprise High Availability Extension 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1
SUSE Linux Enterprise High Performance Computing ESPOS 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Linux Enterprise High Performance Computing LTSS 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Linux Enterprise Real Time 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Linux Enterprise Server 15 SP3 LTSS 15-SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Linux Enterprise Server for SAP Applications 15 SP3 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Manager Proxy 4.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Manager Retail Branch Server 4.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Manager Server 4.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Enterprise Storage 7.1 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Linux Enterprise Micro 5.1 (src): ldb-2.4.4-150300.3.23.1
SUSE Linux Enterprise Micro 5.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1
SUSE Linux Enterprise Micro for Rancher 5.2 (src): samba-4.15.13+git.636.53d93c5b9d6-150300.3.52.1, ldb-2.4.4-150300.3.23.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 Maintenance Automation 2023-03-29 16:30:11 UTC
SUSE-SU-2023:1684-1: An update that solves one vulnerability and has one fix can now be installed.

Category: security (important)
Bug References: 1207416, 1209481
CVE References: CVE-2023-0922
Sources used:
SUSE Linux Enterprise Server for SAP Applications 12 SP5 (src): samba-4.15.13+git.594.449ec4a79a1-3.80.1
SUSE Linux Enterprise High Availability Extension 12 SP5 (src): samba-4.15.13+git.594.449ec4a79a1-3.80.1
SUSE Linux Enterprise Software Development Kit 12 SP5 (src): samba-4.15.13+git.594.449ec4a79a1-3.80.1
SUSE Linux Enterprise High Performance Computing 12 SP5 (src): samba-4.15.13+git.594.449ec4a79a1-3.80.1
SUSE Linux Enterprise Server 12 SP5 (src): samba-4.15.13+git.594.449ec4a79a1-3.80.1

Comment 9 Maintenance Automation 2023-03-29 16:30:14 UTC
SUSE-SU-2023:1683-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1209481
CVE References: CVE-2023-0922
Sources used:
openSUSE Leap 15.4 (src): samba-4.9.5+git.554.abee30cf06-150100.3.77.1
SUSE Linux Enterprise High Availability Extension 15 SP1 (src): samba-4.9.5+git.554.abee30cf06-150100.3.77.1
SUSE Linux Enterprise High Performance Computing 15 SP1 LTSS 15-SP1 (src): samba-4.9.5+git.554.abee30cf06-150100.3.77.1
SUSE Linux Enterprise Server 15 SP1 LTSS 15-SP1 (src): samba-4.9.5+git.554.abee30cf06-150100.3.77.1
SUSE Linux Enterprise Server for SAP Applications 15 SP1 (src): samba-4.9.5+git.554.abee30cf06-150100.3.77.1
SUSE CaaS Platform 4.0 (src): samba-4.9.5+git.554.abee30cf06-150100.3.77.1

Comment 10 Maintenance Automation 2023-03-29 16:30:17 UTC
SUSE-SU-2023:1682-1: An update that solves one vulnerability can now be installed.

Category: security (important)
Bug References: 1209481
CVE References: CVE-2023-0922
Sources used:
openSUSE Leap 15.4 (src): samba-4.11.14+git.386.cc81f3dca2-150200.4.47.1
SUSE Linux Enterprise High Availability Extension 15 SP2 (src): samba-4.11.14+git.386.cc81f3dca2-150200.4.47.1
SUSE Linux Enterprise High Performance Computing 15 SP2 LTSS 15-SP2 (src): samba-4.11.14+git.386.cc81f3dca2-150200.4.47.1
SUSE Linux Enterprise Server 15 SP2 LTSS 15-SP2 (src): samba-4.11.14+git.386.cc81f3dca2-150200.4.47.1
SUSE Linux Enterprise Server for SAP Applications 15 SP2 (src): samba-4.11.14+git.386.cc81f3dca2-150200.4.47.1
SUSE Enterprise Storage 7 (src): samba-4.11.14+git.386.cc81f3dca2-150200.4.47.1

Comment 11 Maintenance Automation 2023-03-29 20:30:01 UTC
SUSE-SU-2023:1689-1: An update that solves four vulnerabilities and has three fixes can now be installed.

Category: security (important)
Bug References: 1201490, 1207416, 1207723, 1207996, 1209481, 1209483, 1209485
CVE References: CVE-2022-32746, CVE-2023-0225, CVE-2023-0614, CVE-2023-0922
Sources used:
openSUSE Leap Micro 5.3 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1
openSUSE Leap 15.4 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1
SUSE Linux Enterprise Micro for Rancher 5.3 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1
SUSE Linux Enterprise Micro 5.3 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1
SUSE Linux Enterprise Micro for Rancher 5.4 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1
SUSE Linux Enterprise Micro 5.4 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1
Basesystem Module 15-SP4 (src): ldb-2.4.4-150400.4.11.1, samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1
SUSE Linux Enterprise High Availability Extension 15 SP4 (src): samba-4.15.13+git.636.53d93c5b9d6-150400.3.23.1

Comment 14 James McDonough 2023-10-31 17:02:15 UTC
reassigning to security team now that it has shipped
Comment 15 Robert Frohl 2024-05-06 08:35:21 UTC
done, closing