1 <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
2 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
3 <html xmlns="http://www.w3.org/1999/xhtml">
6 <title>Samba - Security Announcement Archive</title>
11 <H2>CVE-2019-14902.html:</H2>
15 ===========================================================
16 == Subject: Replication of ACLs set to inherit down a
17 == subtree on AD Directory not automatic
19 == CVE ID#: CVE-2019-14902
21 == Versions: Samba 4.0 and later
23 == Summary: The implementation of ACL inheritance in the
24 == Samba AD DC was not complete, and so absent a
25 == 'full-sync' replication, ACLs could get out of
26 == sync between domain controllers.
27 ===========================================================
33 A newly delegated right, but more importantly the removal of a
34 delegated right, would not be inherited on any DC other than the one
35 where the change was made.
38 - if a user or group was previously delegated the right to
39 create or modify a subtree (say to allow desktop support to reset
40 passwords and create users)
41 - and subsequently this right was taken away
43 The removal would not automatically be taken away on all domain
46 Because this patch only fixes new replication into the future, it is
47 vital that a full-sync be done TO each Domain Controller to ensure
48 each ACL (ntSecurityDescriptor) is re-calculated on the whole set of
49 DCs. See the instructions in "workaround and required steps
56 Patches addressing both these issues have been posted to:
58 https://www.samba.org/samba/security/
60 Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
61 as security releases to correct the defect. Samba administrators are
62 advised to upgrade to these releases or apply the patch as soon
69 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)
71 ==========================================
72 Workaround and required steps post-upgrade
73 ==========================================
75 Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause
76 all ACLs to be syncronised from DC2 to DC1, for the given NC (naming
79 samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync
80 samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync
82 samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync
83 samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync
85 Internally both in patched and un-patched versions, for every object
86 replicated with a --full-sync, the inheritance will be correctly
87 calculated. This only needs to be done TO each DC, not for each
94 Reported by a number of Samba users and sites since 2017, but now
95 recognised as a security issue after triage. We apologise for the
96 delay in dealing with this issue.
98 Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
100 Advisory written by Andrew Bartlett of the Samba Team and Catalyst.
102 ==========================================================
103 == Our Code, Our Bugs, Our Responsibility.
105 ==========================================================