Synology-SA-19:40 Samba AD DC

Publish Time: 2019-12-12 08:57:52 UTC+8

Last Updated: 2020-04-15 18:53:40 UTC+8

Severity
Moderate
Status
Resolved

Abstract

CVE-2019-14861 and CVE-2019-14870 allow remote authenticated users to conduct denial-of-service attacks or bypass security constraints via a susceptible version of Synology Directory Server.

Affected Products

Product Severity Fixed Release Availability
Synology Directory Server Moderate Upgrade DSM to 6.2.3-25423 or above.

Mitigation

None

Detail

  • CVE-2019-14861

    • Severity: Moderate
    • CVSS3 Base Score: 6.5
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
    • All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the (poorly named) dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used for example to allow machines to self-register in DNS. If a DNS record was created that case-insensitively matched the name of the zone, the ldb_qsort() and dns_name_compare() routines could be confused into reading memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() and so following invalid memory as a pointer.
  • CVE-2019-14870

    • Severity: Moderate
    • CVSS3 Base Score: 6.4
    • CVSS3 Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
    • All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.

Reference

Revision

Revision Date Description
1 2019-12-12 Initial public release.
2 2020-04-15 Update for Synology Directory Server is now available in Affected Products.