CVSS2: AV:N/AC:M/Au:S/C:C/I:C/A:C
  Access Vector: Network
  Access Complexity: Medium
  Authentication: Single
  Confidentiality Impact: Complete
  Integrity Impact: Complete
  Availability Impact: Complete
EPSS percentile: 73.8%
Samba's AD DC allows the administrator to delegate creation of user or
computer accounts to specific users or groups. However, all released
versions of Samba's AD DC did not implement the additional required check
on the UF_SERVER_TRUST_ACCOUNT bit (0x2000) in the userAccountControl
attribute. That bit marks an account as a domain controller, so a
delegated user who could write userAccountControl could set it on an
account they created and obtain an account the domain treats as a
domain controller.
As this was found during an internal audit of the Samba code there are
no currently known exploits for this problem (as of January 15th 2015).
Most Samba deployments are not of the AD Domain Controller, but are of
the classic domain controller, the file server or print server. Only
the AD DC is affected by this issue.
Additionally, most sites running the AD Domain Controller do not
configure delegation for the creation of user or computer accounts,
and so are not vulnerable to this issue, as no writes are permitted to
the userAccountControl attribute, no matter what the value.
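The following Python is an added illustration and not Samba's code. It models the missing check in a small in-memory stand-in for the AD DC: a delegated creator is allowed to create accounts, but only a Domain Admin may set the domain-controller trust bits in userAccountControl. The flag values and the meaning of UF_SERVER_TRUST_ACCOUNT come from the AD specifications (MS-SAMR / MS-ADTS); the Directory class, the `patched` switch, the set of bits treated as privileged beyond UF_SERVER_TRUST_ACCOUNT, and the sample DNs are assumptions of this example. It also includes an audit that lists accounts carrying the bit outside OU=Domain Controllers, which is what a site that ran with delegation enabled before patching would want to check.

```python
"""Model of the userAccountControl check that CVE-2014-8143 was missing.

Added example, not Samba's code. Directory is a toy in-memory stand-in
for the AD DC's backing store; only the flag values and the meaning of
UF_SERVER_TRUST_ACCOUNT are taken from the AD specifications.
"""
from dataclasses import dataclass, field

# userAccountControl flag bits (MS-SAMR / MS-ADTS values).
UF_ACCOUNTDISABLE = 0x0002
UF_PASSWD_NOTREQD = 0x0020
UF_NORMAL_ACCOUNT = 0x0200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000         # the account is a domain controller
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000
UF_PARTIAL_SECRETS_ACCOUNT = 0x04000000  # read-only domain controller

UAC_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_PASSWD_NOTREQD: "UF_PASSWD_NOTREQD",
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_INTERDOMAIN_TRUST_ACCOUNT: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "UF_SERVER_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_TRUSTED_FOR_DELEGATION: "UF_TRUSTED_FOR_DELEGATION",
    UF_PARTIAL_SECRETS_ACCOUNT: "UF_PARTIAL_SECRETS_ACCOUNT",
}

# Account-type bits a delegated creator must never be allowed to set.
# Assumption of this model: the advisory names only UF_SERVER_TRUST_ACCOUNT;
# the RODC and inter-domain trust bits are included here for the same reason.
DC_TRUST_BITS = (UF_SERVER_TRUST_ACCOUNT | UF_PARTIAL_SECRETS_ACCOUNT
                 | UF_INTERDOMAIN_TRUST_ACCOUNT)


def decode_uac(uac: int) -> list[str]:
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_NAMES.items()) if uac & bit]


class AccessDenied(PermissionError):
    """Raised when the caller may not perform the requested write."""


@dataclass
class Directory:
    """Toy AD DC: who may create accounts, plus a flat DN -> UAC store."""
    domain_admins: set[str] = field(default_factory=set)
    delegated_creators: set[str] = field(default_factory=set)  # the delegation the advisory describes
    entries: dict[str, int] = field(default_factory=dict)     # DN -> userAccountControl

    def create_account(self, caller: str, dn: str, uac: int, patched: bool = True) -> int:
        """Create an account as `caller` and return the stored userAccountControl.

        patched=False reproduces the unpatched behaviour: a delegated creator's
        requested value is stored as-is, DC bit included.  patched=True adds
        the check the advisory describes: only a Domain Admin may set DC bits.
        """
        if caller in self.domain_admins:
            pass  # full control over the attribute
        elif caller in self.delegated_creators:
            if patched and uac & DC_TRUST_BITS:
                raise AccessDenied(
                    f"{caller} may not set {decode_uac(uac & DC_TRUST_BITS)} on {dn}")
        else:
            raise AccessDenied(f"{caller} has no right to create accounts")
        self.entries[dn] = uac
        return uac

    def audit_server_trust_accounts(self) -> list[str]:
        """DNs carrying UF_SERVER_TRUST_ACCOUNT outside OU=Domain Controllers."""
        return sorted(
            dn for dn, uac in self.entries.items()
            if uac & UF_SERVER_TRUST_ACCOUNT
            and ",ou=domain controllers," not in dn.lower()
        )


def demo() -> dict:
    """Run the scenario on constructed data and return what was observed."""
    d = Directory(domain_admins={"Administrator"}, delegated_creators={"helpdesk"})
    # Legitimate DC created by an administrator.
    d.create_account("Administrator", "CN=DC1,OU=Domain Controllers,DC=example,DC=com",
                     UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION)
    # Ordinary delegated workstation join.
    d.create_account("helpdesk", "CN=WS01,CN=Computers,DC=example,DC=com",
                     UF_WORKSTATION_TRUST_ACCOUNT)
    # Unpatched server: the delegated user smuggles in the DC bit.
    d.create_account("helpdesk", "CN=ROGUE,CN=Computers,DC=example,DC=com",
                     UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION, patched=False)
    # Patched server: the same request is refused.
    try:
        d.create_account("helpdesk", "CN=ROGUE2,CN=Computers,DC=example,DC=com",
                         UF_SERVER_TRUST_ACCOUNT)
        refused = False
    except AccessDenied:
        refused = True
    return {"rogue_dcs": d.audit_server_trust_accounts(), "patched_refuses": refused}


if __name__ == "__main__":
    print(demo())
```

The audit relies on DN placement only as a heuristic; on a real directory a practitioner would also compare the hits against the servers listed under the Sites container before treating one as rogue.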
Patches addressing this issue have been posted to:
http://www.samba.org/samba/security/
Samba versions 4.0.24, 4.1.16, and 4.2rc4 have been released to
address this issue. Patches for 3.x are not required, as these
do not contain the AD Domain Controller code.
Do not delegate permission to create users or computers beyond the
default of Domain Administrators.
This problem was found by an internal audit of the Samba code by
Andrew Bartlett of Catalyst IT. Special thanks also go to Zentyal.
Patches provided by Andrew Bartlett, Garming Sam of Catalyst IT and
the Samba team.
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team