In this long-read, we will dive into the details of a recently discovered vulnerability in the Samba AD DC administration tool. Classified as CVE-2023-0922, this vulnerability could potentially expose new or reset passwords sent over a signed-only connection to a remote LDAP server. We will examine the details of this exploit, the risks it poses, and how to mitigate them.
Understanding CVE-2023-0922
CVE-2023-0922 is a security vulnerability that affects the Samba Active Directory Domain Controller (AD DC) administration tool. When this tool is used against a remote Lightweight Directory Access Protocol (LDAP) server, it sends new or reset passwords over a signed-only connection by default. This can lead to the exposure of sensitive password information to an attacker who may be listening on the network.
To better understand this vulnerability, let's take a look at the Samba AD DC code snippet where the issue arises:
# ...snip...
if ldap_con.protocol_version == 3:
# "signed" or "sealed" connection requested
if opts.ldap_connect_mode != 'none':
ldap_con.set_option(ldap.OPT_REFERRALS, )
ldap_con.set_option(ldap.OPT_SERVER_CONTROLS, [server_ctrl])
# ...snip...
if opts.ldap_connect_mode == 'signed':
ldap_con.start_tls_s()
# ...snip…
# ...snip…
Original references
This vulnerability was first discovered and documented by the Samba team in their bug tracking system:
- Samba Bugzilla entry: https://bugzilla.samba.org/show_bug.cgi?id=CVE-2023-0922
- Samba security announcement: https://www.samba.org/samba/security/CVE-2023-0922.html
Exploit details
An attacker who is able to intercept the network traffic between the Samba AD DC administration tool and the remote LDAP server could potentially gain access to the new or reset passwords sent over a signed-only connection. This can happen when the administrator resets a user's password, for example. The attacker could then use these captured passwords for further exploitation, such as gaining unauthorized access to resources within the affected environment.
Based on the code snippet provided earlier, it can be observed that new or reset passwords are sent over a signed-only connection by default. This is demonstrated by the use of the start_tls_s() method call when the ldap_connect_mode is set to 'signed'. To mitigate this vulnerability, the connection should be encrypted using a proper secure connection (e.g., through the use of SSL/TLS encryption).
Mitigating the vulnerability
To mitigate this vulnerability and enhance the security of the communication between the Samba AD DC administration tool and the remote LDAP server, it is recommended to change the default ldap_connect_mode value from 'signed' to 'sealed'. By doing so, all future connections will be fully encrypted. This can be done by editing the Samba configuration file (usually /etc/samba/smb.conf), which should be updated to include the following settings:
[global]
ldap server require strong auth = sealed
After updating the configuration file, restart the Samba services to apply the changes
sudo systemctl restart samba-ad-dc.service # For systemd-based systems
sudo service samba-ad-dc restart # For SysVinit-based systems
Conclusion
CVE-2023-0922 is a vulnerability that affects the Samba AD DC administration tool when operating against a remote LDAP server. The issue stems from the default behavior of sending new or reset passwords over a signed-only connection, which could expose sensitive password information to an attacker. To mitigate this risk, it is crucial to update the Samba configuration file to enforce the usage of a fully encrypted, sealed connection for sending passwords. By staying informed about the latest vulnerabilities and implementing the necessary security measures, administrators can minimize the risks associated with such exploits.
Timeline
Published on: 04/03/2023 23:15:00 UTC
Last modified on: 04/16/2023 04:15:00 UTC