== Subject:     Unprivileged read of deleted object tombstones
==              in AD LDAP server
== CVE ID#:     CVE-2018-14628
== Versions:    All versions of Samba from 4.0.0 onwards.
== Summary:     Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
==              allow read of object tombstones over LDAP
==              (Administrator action required!)


All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain

When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
instead of being very strict (as on a Windows provisioned domain).

This means also non privileged users can use the
LDAP_SERVER_SHOW_DELETED_OID control in order to view,
the names and preserved attributes of deleted objects.

No information that was hidden before the deletion is visible, but in
with the correct ntSecurityDescriptor value in place the whole object
is also not visible without administrative rights.

There is no further vulnerability associated with this error, merely an
information disclosure.

Action required in order to resolve CVE-2018-14628!

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:

  samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the
changes before they are applied. Typicall question look like this:

  Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
        Owner mismatch: SY (in ref) DA(in current)
        Group mismatch: SY (in ref) DA(in current)
        Part dacl is different between reference and current here is the detail:
                (A;;LCRPLORC;;;AU) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                (A;;LCRP;;;BA) ACE is not present in the current
   [y/N/all/none] y
  Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.

Patch Availability

The Samba Team decided not to issue a dedicated security release,



The administrator can manually change the ntSecurityDescriptor
attribute for the "CN=Deleted Objects" containers to the
following SDDL:


It basically means System has FullAccess, while Builtin\Administrators
has ReadProperty and ListChildren rights.

There's a separate "CN=Deleted Objects" container in the root
of each naming context/partition (expect the schema partition).
The fix should be applied to all (typically 4) partitions,
while the domain partition is the most important one.


The initial bugs were found by the Andrew Bartlett of Catalyst.
Andrew Bartlett of Catalyst and the Samba Team did the investigation
and Stefan Metzmacher of SerNet provided the final fix.