// For flags

CVE-2023-4154

Samba: ad dc password exposure to privileged users and rodcs

Severity Score

6.5
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence.

Se encontró una falla de diseño en la implementación del control DirSync de Samba, que expone contraseñas y secretos en Active Directory a usuarios privilegiados y Controladores de Dominio de Solo Lectura (RODC). Esta falla permite a los RODC y a los usuarios que poseen el derecho GET_CHANGES acceder a todos los atributos, incluidos secretos y contraseñas confidenciales. Incluso en una configuración predeterminada, las cuentas RODC DC, que solo deberían replicar algunas contraseñas, pueden obtener acceso a todos los secretos del dominio, incluido el vital krbtgt, eliminando efectivamente la distinción RODC/DC. Además, la vulnerabilidad no tiene en cuenta las condiciones de error (fallo de apertura), como situaciones de falta de memoria, lo que potencialmente otorga acceso a atributos secretos, incluso bajo la influencia de un atacante con pocos privilegios.

*Credits: N/A
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None
Attack Vector
Network
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-08-04 CVE Reserved
  • 2023-10-11 CVE Published
  • 2024-08-02 CVE Updated
  • 2024-10-07 EPSS Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Samba
Search vendor "Samba"
Samba
Search vendor "Samba" for product "Samba"
>= 4.0.0 < 4.17.12
Search vendor "Samba" for product "Samba" and version " >= 4.0.0 < 4.17.12"
-
Affected
Samba
Search vendor "Samba"
Samba
Search vendor "Samba" for product "Samba"
>= 4.18.0 < 4.18.8
Search vendor "Samba" for product "Samba" and version " >= 4.18.0 < 4.18.8"
-
Affected
Samba
Search vendor "Samba"
Samba
Search vendor "Samba" for product "Samba"
>= 4.19.0 < 4.19.1
Search vendor "Samba" for product "Samba" and version " >= 4.19.0 < 4.19.1"
-
Affected