Vulnerability CVE-2019-14870: Information
Description
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue in their handling of the S4U (MS-SFU) Kerberos delegation model. That model includes a feature allowing a subset of clients to be opted out of constrained delegation entirely, whether via S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by the user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However, the Samba AD DC does not honour this for S4U2Self and sets the forwardable flag even if the impersonated client has the not-delegated flag set.
Severity: MEDIUM (5.4) Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Fixed packages
Package name | Branch | Fixed in version | Version from repository | Errata ID | Task # | State |
---|---|---|---|---|---|---|
samba | sisyphus | 4.10.11-alt1 | 4.20.1-alt2 | ALT-PU-2019-3315-1 | 242980 | Fixed |
samba | p10 | 4.10.11-alt1 | 4.19.6-alt2 | ALT-PU-2019-3315-1 | 242980 | Fixed |
samba | p9 | 4.10.11-alt1 | 4.14.10-alt2 | ALT-PU-2019-3404-1 | 242985 | Fixed |
samba | p8 | 4.9.17-alt1 | 4.9.18-alt1 | ALT-PU-2019-3323-1 | 242978 | Fixed |
samba | c10f1 | 4.10.11-alt1 | 4.16.11-alt2 | ALT-PU-2019-3315-1 | 242980 | Fixed |
samba | c9f2 | 4.10.11-alt1 | 4.14.14-alt0.c9.1 | ALT-PU-2019-3404-1 | 242985 | Fixed |
samba | p11 | 4.10.11-alt1 | 4.20.1-alt1 | ALT-PU-2019-3315-1 | 242980 | Fixed |
samba-DC | p8 | 4.9.17-alt1 | 4.9.18-alt1 | ALT-PU-2019-3324-1 | 242978 | Fixed |
References to Advisories, Solutions, and Tools
Hyperlink | Resource |
---|---|
https://www.samba.org/samba/security/CVE-2019-14870.html | |
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870 | |
https://security.netapp.com/advisory/ntap-20191210-0002/ | |
USN-4217-1 | |
USN-4217-2 | |
https://www.synology.com/security/advisory/Synology_SA_19_40 | |
openSUSE-SU-2019:2700 | |
GLSA-202003-52 | |
[debian-lts-announce] 20210529 [SECURITY] [DLA 2668-1] samba security update | |
[debian-lts-announce] 20221126 [SECURITY] [DLA 3206-1] heimdal security update | |
https://security.netapp.com/advisory/ntap-20230216-0008/ | |
GLSA-202310-06 | |
FEDORA-2019-be98a08835 | |
FEDORA-2019-11dddb785b | |