OpenCVE

A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Key SSVC decision points have not yet been added.

Vendors	Products
Redhat	Enterprise Linux Storage
Samba	Samba

Configuration 1 [-]

OR	cpe:2.3:a:samba:samba::::::::
	cpe:2.3:a:samba:samba::::::::
	cpe:2.3:a:samba:samba::::::::

No data.

References

Link	Providers
https://access.redhat.com/security/cve/CVE-2023-4154
https://bugzilla.redhat.com/show_bug.cgi?id=2241883
https://bugzilla.samba.org/show_bug.cgi?id=15424
https://nvd.nist.gov/vuln/detail/CVE-2023-4154
https://security.netapp.com/advisory/ntap-20231124-0002/
https://www.cve.org/CVERecord?id=CVE-2023-4154
https://www.samba.org/samba/security/CVE-2023-4154.html

History

No history.

MITRE

Status: PUBLISHED

Assigner: redhat

Published: 2023-11-07T19:14:28.305Z

Updated: 2024-08-02T07:17:12.144Z

Reserved: 2023-08-04T13:22:07.200Z

Link: CVE-2023-4154

Vulnrichment

No data.

NVD

Status : Modified

Published: 2023-11-07T20:15:08.683

Modified: 2024-11-21T08:34:29.827

Link: CVE-2023-4154

Redhat

Severity : Moderate

Publid Date: 2023-10-10T00:00:00Z

Links: CVE-2023-4154 - Bugzilla

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-4154", "assignerOrgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "state": "PUBLISHED", "assignerShortName": "redhat", "dateReserved": "2023-08-04T13:22:07.200Z", "datePublished": "2023-11-07T19:14:28.305Z", "dateUpdated": "2024-08-02T07:17:12.144Z"}, "containers": {"cna": {"title": "Samba: ad dc password exposure to privileged users and rodcs", "metrics": [{"other": {"content": {"value": "Moderate", "namespace": "https://access.redhat.com/security/updates/classification/"}, "type": "Red Hat severity rating"}}, {"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "format": "CVSS"}], "descriptions": [{"lang": "en", "value": "A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence."}], "affected": [{"product": "samba", "vendor": "n/a", "versions": [{"version": "4.19.1", "status": "unaffected"}, {"version": "4.18.8", "status": "unaffected"}, {"version": "4.17.12", "status": "unaffected"}]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "samba", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 6", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "samba4", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:6"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 7", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "samba", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:7"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 8", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "samba", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:8"]}, {"vendor": "Red Hat", "product": "Red Hat Enterprise Linux 9", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "samba", "defaultStatus": "unaffected", "cpes": ["cpe:/o:redhat:enterprise_linux:9"]}, {"vendor": "Red Hat", "product": "Red Hat Storage 3", "collectionURL": "https://access.redhat.com/downloads/content/package-browser/", "packageName": "samba", "defaultStatus": "unaffected", "cpes": ["cpe:/a:redhat:storage:3"]}, {"product": "Fedora", "vendor": "Fedora", "collectionURL": "https://packages.fedoraproject.org/", "packageName": "samba", "defaultStatus": "affected"}], "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4154", "tags": ["vdb-entry", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241883", "name": "RHBZ#2241883", "tags": ["issue-tracking", "x_refsource_REDHAT"]}, {"url": "https://bugzilla.samba.org/show_bug.cgi?id=15424"}, {"url": "https://security.netapp.com/advisory/ntap-20231124-0002/"}, {"url": "https://www.samba.org/samba/security/CVE-2023-4154.html"}], "datePublic": "2023-10-10T00:00:00+00:00", "problemTypes": [{"descriptions": [{"cweId": "CWE-787", "description": "Out-of-bounds Write", "lang": "en", "type": "CWE"}]}], "x_redhatCweChain": "CWE-787: Out-of-bounds Write", "timeline": [{"lang": "en", "time": "2023-10-03T00:00:00+00:00", "value": "Reported to Red Hat."}, {"lang": "en", "time": "2023-10-10T00:00:00+00:00", "value": "Made public."}], "providerMetadata": {"orgId": "53f830b8-0a3f-465b-8143-3b8a9948e749", "shortName": "redhat", "dateUpdated": "2024-01-23T01:33:49.736Z"}}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T07:17:12.144Z"}, "title": "CVE Program Container", "references": [{"url": "https://access.redhat.com/security/cve/CVE-2023-4154", "tags": ["vdb-entry", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241883", "name": "RHBZ#2241883", "tags": ["issue-tracking", "x_refsource_REDHAT", "x_transferred"]}, {"url": "https://bugzilla.samba.org/show_bug.cgi?id=15424", "tags": ["x_transferred"]}, {"url": "https://security.netapp.com/advisory/ntap-20231124-0002/", "tags": ["x_transferred"]}, {"url": "https://www.samba.org/samba/security/CVE-2023-4154.html", "tags": ["x_transferred"]}]}]}}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "F1CC08E7-E96D-4475-ACB6-22CDF280913E", "versionEndExcluding": "4.17.12", "versionStartIncluding": "4.0.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "8A33312F-1523-4647-83DA-6DD6231906F9", "versionEndExcluding": "4.18.8", "versionStartIncluding": "4.18.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*", "matchCriteriaId": "DE496104-DDB5-4709-8026-C83E99B0C865", "versionEndExcluding": "4.19.1", "versionStartIncluding": "4.19.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence."}, {"lang": "es", "value": "Se encontr\u00f3 una falla de dise\u00f1o en la implementaci\u00f3n del control DirSync de Samba, que expone contrase\u00f1as y secretos en Active Directory a usuarios privilegiados y Controladores de Dominio de Solo Lectura (RODC). Esta falla permite a los RODC y a los usuarios que poseen el derecho GET_CHANGES acceder a todos los atributos, incluidos secretos y contrase\u00f1as confidenciales. Incluso en una configuraci\u00f3n predeterminada, las cuentas RODC DC, que solo deber\u00edan replicar algunas contrase\u00f1as, pueden obtener acceso a todos los secretos del dominio, incluido el vital krbtgt, eliminando efectivamente la distinci\u00f3n RODC/DC. Adem\u00e1s, la vulnerabilidad no tiene en cuenta las condiciones de error (fallo de apertura), como situaciones de falta de memoria, lo que potencialmente otorga acceso a atributos secretos, incluso bajo la influencia de un atacante con pocos privilegios."}], "id": "CVE-2023-4154", "lastModified": "2024-11-21T08:34:29.827", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.6, "impactScore": 5.9, "source": "secalert@redhat.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-11-07T20:15:08.683", "references": [{"source": "secalert@redhat.com", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4154"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241883"}, {"source": "secalert@redhat.com", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.samba.org/show_bug.cgi?id=15424"}, {"source": "secalert@redhat.com", "url": "https://security.netapp.com/advisory/ntap-20231124-0002/"}, {"source": "secalert@redhat.com", "tags": ["Vendor Advisory"], "url": "https://www.samba.org/samba/security/CVE-2023-4154.html"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory"], "url": "https://access.redhat.com/security/cve/CVE-2023-4154"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking"], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241883"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Issue Tracking", "Patch"], "url": "https://bugzilla.samba.org/show_bug.cgi?id=15424"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://security.netapp.com/advisory/ntap-20231124-0002/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Vendor Advisory"], "url": "https://www.samba.org/samba/security/CVE-2023-4154.html"}], "sourceIdentifier": "secalert@redhat.com", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-787"}], "source": "secalert@redhat.com", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-787"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"bugzilla": {"description": "samba: AD DC password exposure to privileged users and RODCs", "id": "2241883", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2241883"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", "status": "draft"}, "cwe": "CWE-787", "details": ["A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence.", "A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence."], "name": "CVE-2023-4154", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Not affected", "package_name": "samba4", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/a:redhat:storage:3", "fix_state": "Not affected", "package_name": "samba", "product_name": "Red Hat Storage 3"}], "public_date": "2023-10-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-4154\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-4154\nhttps://bugzilla.samba.org/show_bug.cgi?id=15424\nhttps://www.samba.org/samba/security/CVE-2023-4154.html"], "statement": "The Samba package as shipped with Red Hat Enterprise Linux 6, 7, 8 and 9 and Red Hat Gluster Storage is not affected by this issue as Red Hat doesn't provide the AD Domain Controller capability with it.", "threat_severity": "Moderate", "upstream_fix": "samba 4.19.1, samba 4.18.8, samba 4.17.12"}