{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2019-14870", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "assignerShortName": "redhat", "dateUpdated": "2024-08-05T00:26:39.129Z", "dateReserved": "2019-08-10T00:00:00", "datePublished": "2019-12-10T00:00:00"}, "containers": {"cna": {"providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2023-10-08T08:06:43.843846"}, "descriptions": [{"lang": "en", "value": "All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set."}], "affected": [{"vendor": "Red Hat", "product": "samba", "versions": [{"version": "all versions 4.11.x before 4.11.3", "status": "affected"}, {"version": "all versions 4.10.x before 4.10.11", "status": "affected"}, {"version": "all versions 4.x.x before 4.9.17", "status": "affected"}]}], "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870"}, {"name": "USN-4217-1", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4217-1/"}, {"url": "https://security.netapp.com/advisory/ntap-20191210-0002/"}, {"url": "https://www.samba.org/samba/security/CVE-2019-14870.html"}, {"name": "USN-4217-2", "tags": ["vendor-advisory"], "url": "https://usn.ubuntu.com/4217-2/"}, {"name": "FEDORA-2019-be98a08835", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PJH3ROOFYMOATD2UEPC47P5RPBDTY77E/"}, {"url": "https://www.synology.com/security/advisory/Synology_SA_19_40"}, {"name": "openSUSE-SU-2019:2700", "tags": ["vendor-advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00038.html"}, {"name": "FEDORA-2019-11dddb785b", "tags": ["vendor-advisory"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNKA4YIPV7AZR7KK3GW6L3HKGHSGJZFE/"}, {"name": "GLSA-202003-52", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202003-52"}, {"name": "[debian-lts-announce] 20210529 [SECURITY] [DLA 2668-1] samba security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html"}, {"name": "[debian-lts-announce] 20221126 [SECURITY] [DLA 3206-1] heimdal security update", "tags": ["mailing-list"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230216-0008/"}, {"name": "GLSA-202310-06", "tags": ["vendor-advisory"], "url": "https://security.gentoo.org/glsa/202310-06"}], "metrics": [{"cvssV3_0": {"version": "3.0", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM"}}], "problemTypes": [{"descriptions": [{"type": "CWE", "lang": "en", "description": "CWE-285", "cweId": "CWE-285"}]}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-05T00:26:39.129Z"}, "title": "CVE Program Container", "references": [{"url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870", "tags": ["x_transferred"]}, {"name": "USN-4217-1", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4217-1/"}, {"url": "https://security.netapp.com/advisory/ntap-20191210-0002/", "tags": ["x_transferred"]}, {"url": "https://www.samba.org/samba/security/CVE-2019-14870.html", "tags": ["x_transferred"]}, {"name": "USN-4217-2", "tags": ["vendor-advisory", "x_transferred"], "url": "https://usn.ubuntu.com/4217-2/"}, {"name": "FEDORA-2019-be98a08835", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PJH3ROOFYMOATD2UEPC47P5RPBDTY77E/"}, {"url": "https://www.synology.com/security/advisory/Synology_SA_19_40", "tags": ["x_transferred"]}, {"name": "openSUSE-SU-2019:2700", "tags": ["vendor-advisory", "x_transferred"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00038.html"}, {"name": "FEDORA-2019-11dddb785b", "tags": ["vendor-advisory", "x_transferred"], "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNKA4YIPV7AZR7KK3GW6L3HKGHSGJZFE/"}, {"name": "GLSA-202003-52", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202003-52"}, {"name": "[debian-lts-announce] 20210529 [SECURITY] [DLA 2668-1] samba security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html"}, {"name": "[debian-lts-announce] 20221126 [SECURITY] [DLA 3206-1] heimdal security update", "tags": ["mailing-list", "x_transferred"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html"}, {"url": "https://security.netapp.com/advisory/ntap-20230216-0008/", "tags": ["x_transferred"]}, {"name": "GLSA-202310-06", "tags": ["vendor-advisory", "x_transferred"], "url": "https://security.gentoo.org/glsa/202310-06"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "26C10D91-8EB3-4869-9C66-B73EF3A4F270", "versionEndExcluding": "4.9.17", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "BA37AE3F-78AA-4807-8C66-7C197045D0F8", "versionEndExcluding": "4.10.11", "versionStartIncluding": "4.10.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "776B9CDE-BF44-4A36-9C07-F0F71E66533D", "versionEndExcluding": "4.11.3", "versionStartIncluding": "4.11.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:fedoraproject:fedora:30:*:*:*:*:*:*:*", "matchCriteriaId": "97A4B8DF-58DA-4AB6-A1F9-331B36409BA3", "vulnerable": true}, {"criteria": "cpe:2.3:o:fedoraproject:fedora:31:*:*:*:*:*:*:*", "matchCriteriaId": "80F0FA5D-8D3B-4C0E-81E2-87998286AF33", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:canonical:ubuntu_linux:14.04:*:*:*:esm:*:*:*", "matchCriteriaId": "815D70A8-47D3-459C-A32C-9FEACA0659D1", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:16.04:*:*:*:esm:*:*:*", "matchCriteriaId": "7A5301BF-1402-4BE0-A0F8-69FBE79BC6D6", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:18.04:*:*:*:lts:*:*:*", "matchCriteriaId": "23A7C53F-B80F-4E6A-AFA9-58EEA84BE11D", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.04:*:*:*:*:*:*:*", "matchCriteriaId": "CD783B0C-9246-47D9-A937-6144FE8BFF0F", "vulnerable": true}, {"criteria": "cpe:2.3:o:canonical:ubuntu_linux:19.10:*:*:*:*:*:*:*", "matchCriteriaId": "A31C8344-3E02-4EB8-8BD8-4C84B7959624", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:debian:debian_linux:9.0:*:*:*:*:*:*:*", "matchCriteriaId": "DEECE5FC-CACF-4496-A3E7-164736409252", "vulnerable": true}, {"criteria": "cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*", "matchCriteriaId": "07B237A9-69A3-4A9C-9DA0-4E06BD37AE73", "vulnerable": true}], "negate": false, "operator": "OR"}]}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:opensuse:leap:15.1:*:*:*:*:*:*:*", "matchCriteriaId": "B620311B-34A3-48A6-82DF-6F078D7A4493", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set."}, {"lang": "es", "value": "Todas las versiones de Samba 4.xx anteriores a 4.9.17, versiones 4.10.x anteriores a 4.10.11 y versiones 4.11.x anteriores a 4.11.3, presentan un problema, donde el modelo de delegaci\u00f3n de Kerberos S4U (MS-SFU) incluye una funcionalidad que permite a un subconjunto de clientes ser excluidos de la delegaci\u00f3n restringida de cualquier manera, ya sea S4U2Self o autenticaci\u00f3n Kerberos regular, al forzar que todos los tickets para estos clientes no sean reenviables. En AD, esto es implementado mediante un atributo de usuario delegation_not_allowed (tambi\u00e9n se conoce como no delegado), que se traduce como no permitido-reenviable. Sin embargo, el AD DC Samba no hace eso para S4U2Self y establece el flag reenviable inclusive si el cliente suplantado tiene el conjunto de flags no delegados."}], "id": "CVE-2019-14870", "lastModified": "2023-11-07T03:05:21.010", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "NONE", "availabilityImpact": "NONE", "baseScore": 6.4, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:N", "version": "2.0"}, "exploitabilityScore": 10.0, "impactScore": 4.9, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "secalert@redhat.com", "type": "Secondary"}], "cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2019-12-10T23:15:10.457", "references": [{"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00038.html"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Third Party Advisory"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html"}, {"source": "secalert@redhat.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PJH3ROOFYMOATD2UEPC47P5RPBDTY77E/"}, {"source": "secalert@redhat.com", "url": "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNKA4YIPV7AZR7KK3GW6L3HKGHSGJZFE/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.gentoo.org/glsa/202003-52"}, {"source": "secalert@redhat.com", "url": "https://security.gentoo.org/glsa/202310-06"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://security.netapp.com/advisory/ntap-20191210-0002/"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20230216-0008/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4217-1/"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://usn.ubuntu.com/4217-2/"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://www.samba.org/samba/security/CVE-2019-14870.html"}, {"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://www.synology.com/security/advisory/Synology_SA_19_40"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-285"}], "source": "secalert@redhat.com", "type": "Secondary"}]}

{"acknowledgement": "Red Hat would like to thank the Samba project for reporting this issue. Upstream acknowledges Isaac Boukris (Red Hat and Samba Team) as the original reporter.", "bugzilla": {"description": "samba: The DelegationNotAllowed Kerberos feature restriction was not being applied when processing protocol transition requests (S4U2Self), in the AD DC KDC", "id": "1778589", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1778589"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.4", "cvss3_scoring_vector": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "status": "draft"}, "cwe": "CWE-285", "details": ["All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set."], "mitigation": {"lang": "en:us", "value": "Only clients configured directly in LDAP or via a Windows tools could have been marked as sensitive and so have been expected to have this protection. Therefore most Samba sites will not have been using this feature and so are not impacted either way."}, "name": "CVE-2019-14870", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba4", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Storage 3"}], "public_date": "2019-12-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2019-14870\nhttps://nvd.nist.gov/vuln/detail/CVE-2019-14870\nhttps://www.samba.org/samba/security/CVE-2019-14870.html"], "statement": "This flaw does not affect the version of samba shipped with Red Hat Enterprise Linux because there is no support for samba as Active Directory Domain Controller.", "threat_severity": "Moderate", "upstream_fix": "samba 4.11.3, samba 4.10.11, samba 4.9.17"}