Unrated severityNVD Advisory· Published Nov 7, 2023· Updated Aug 2, 2024

Samba: ad dc password exposure to privileged users and rodcs

CVE-2023-4154

Description

A design flaw was found in Samba's DirSync control implementation, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This flaw allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction. Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence.

Affected products

Red Hat/Red Hat Storage 3v5
cpe:/a:redhat:storage:3
Red Hat/Red Hat Enterprise Linux 6v5
cpe:/o:redhat:enterprise_linux:6
Red Hat/Red Hat Enterprise Linux 7v5
cpe:/o:redhat:enterprise_linux:7
Red Hat/Red Hat Enterprise Linux 8v5
cpe:/o:redhat:enterprise_linux:8
Red Hat/Red Hat Enterprise Linux 9v5
cpe:/o:redhat:enterprise_linux:9
osv-coords20 versions
pkg:deb/ubuntu/samba@2:4.18.6+dfsg-1ubuntu2.1?arch=source&distro=mantic pkg:rpm/opensuse/samba&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/samba&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/samba&distro=openSUSE%20Tumbleweed pkg:rpm/suse/samba&distro=SUSE%20Enterprise%20Storage%207.1 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP3 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP4 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20High%20Availability%20Extension%2015%20SP5 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20Micro%205.2 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20Micro%205.3 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20Micro%205.4 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20Micro%205.5 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS pkg:rpm/suse/samba&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 pkg:rpm/suse/samba&distro=SUSE%20Manager%20Proxy%204.2 pkg:rpm/suse/samba&distro=SUSE%20Manager%20Server%204.2
< 2:4.18.6+dfsg-1ubuntu2.1+ 19 more
- (no CPE)range: < 2:4.18.6+dfsg-1ubuntu2.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150400.3.31.1
- (no CPE)range: < 4.17.9+git.421.abde31ca5c2-150500.3.11.1
- (no CPE)range: < 4.19.1+git.312.c912b3d2ef6-1.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150400.3.31.1
- (no CPE)range: < 4.17.9+git.421.abde31ca5c2-150500.3.11.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150400.3.31.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150400.3.31.1
- (no CPE)range: < 4.17.9+git.421.abde31ca5c2-150500.3.11.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150400.3.31.1
- (no CPE)range: < 4.17.9+git.421.abde31ca5c2-150500.3.11.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
- (no CPE)range: < 4.15.13+git.691.3d3cea0641-150300.3.63.1
Fedora/Fedorav5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

access.redhat.com/security/cve/CVE-2023-4154mitrevdb-entryx_refsource_REDHAT
bugzilla.redhat.com/show_bug.cgimitreissue-trackingx_refsource_REDHAT
bugzilla.samba.org/show_bug.cgimitre
security.netapp.com/advisory/ntap-20231124-0002/mitre
www.samba.org/samba/security/CVE-2023-4154.htmlmitre

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000