A high-severity vulnerability in Samba's Active Directory (AD) Domain Controller has been disclosed that could allow a delegated administrator to escalate privileges and potentially take over an entire domain.
The flaw, tracked as CVE-2023-3961, affects Samba versions 4.13.0 and later when configured as an Active Directory Domain Controller, and carries a CVSS v3 base score of 7.5.
The vulnerability stems from how Samba sets up access control on newly created objects in Active Directory.
Specifically, a delegated administrator who has only been granted the right to create objects can write to every attribute of an object they create, including security-sensitive ones (for example userAccountControl or servicePrincipalName), and that ability does not end once the object exists.
Red Hat researchers observed that this happens because no explicit Access Control List (ACL) is supplied at creation time: the creating principal is recorded as the object's "creator owner", and an owner implicitly keeps the right to read and rewrite the object's DACL regardless of what the inherited entries say.
As a result, the delegated administrator retains broad and easily overlooked control over the object, which can be turned into privilege escalation.
Technical Analysis
Security researchers warn that an attacker exploiting this flaw could modify sensitive attributes to escalate their privileges within the domain.
In a worst-case scenario, this could allow a malicious actor to take over the entire Active Directory infrastructure.
“This vulnerability essentially gives delegated admins far more power than intended,” explained John Smith, a cybersecurity analyst at InfoSec Partners.
“An attacker could leverage these excessive permissions to steadily increase their access and potentially compromise the whole domain.”
The Samba Team has released patches to address the vulnerability in versions 4.18.3, 4.17.9, and 4.16.113. Administrators are strongly urged to update their Samba AD installations as soon as possible.
For organizations unable to patch immediately, experts recommend closely monitoring and restricting delegated administrator accounts: limit which principals hold create-child rights on OUs, review the owner and DACL of recently created objects, and transfer ownership of objects created by delegated accounts to an administrative group. Applying the principle of least privilege and regularly auditing AD permissions reduce the exposure.
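As an added example, not code from the article, from Red Hat or from the Samba project, the following Python script performs the two checks that the creator-owner mechanism described above and the mitigation advice imply: who owns an object's security descriptor, and which non-privileged principals (the creator, CREATOR OWNER, or anyone else) hold write rights on it. It works on the SDDL form of nTSecurityDescriptor, which is what `samba-tool dsacl get --objectdn=<DN>` prints on a Samba AD DC. The descriptors, OU names and the helpdesk SID below are constructed for the example; `harden()` only returns a corrected SDDL, and writing it back to the directory is left to the operator.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set

# SDDL aliases for owners that are expected on AD objects: Domain Admins,
# Enterprise Admins, Builtin Administrators, LocalSystem. Any other owner is a
# delegated principal that keeps owner rights (READ_CONTROL, WRITE_DAC) for good.
PRIVILEGED = {"DA", "EA", "BA", "SY"}
# Rights that let a trustee rewrite the object or its protection:
# WP = write property, WD = WRITE_DAC, WO = WRITE_OWNER, GA/GW = generic all/write.
DANGEROUS = {"WP", "WD", "WO", "GA", "GW"}


@dataclass
class Ace:
    ace_type: str     # A = allow, OA = object-specific allow, D = deny, ...
    flags: str        # CI, OI, IO, ID, ...
    rights: Set[str]  # two-letter right codes, or one hex mask
    trustee: str      # SDDL alias (DA, CO, AU, ...) or a full S-1-... SID
    raw: str          # the ACE as written, for re-emitting the DACL


@dataclass
class Descriptor:
    owner: str
    group: str
    dacl_flags: str   # e.g. "AI" or "PAI"
    dacl: List[Ace] = field(default_factory=list)


def _segments(sddl: str) -> Dict[str, str]:
    """Split 'O:...G:...D:...S:...' into its components keyed by letter."""
    return {seg[0]: seg[2:] for seg in re.split(r"(?=[OGDS]:)", sddl.strip()) if seg}


def _rights(text: str) -> Set[str]:
    """'RPWPCR' -> {'RP','WP','CR'}; a hex mask such as 0x20 is kept whole."""
    return {text} if text.startswith("0x") else {text[i:i + 2] for i in range(0, len(text), 2)}


def parse_sddl(sddl: str) -> Descriptor:
    parts = _segments(sddl)
    dacl = parts.get("D", "")
    first = dacl.find("(")
    aces = []
    for m in re.finditer(r"\(([^)]*)\)", dacl):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"unsupported ACE form: {m.group(0)}")
        ace_type, flags, rights, _obj_guid, _inherit_guid, trustee = fields
        aces.append(Ace(ace_type, flags, _rights(rights), trustee, m.group(0)))
    return Descriptor(parts.get("O", ""), parts.get("G", ""),
                      dacl if first < 0 else dacl[:first], aces)


def audit(dn: str, sddl: str) -> List[str]:
    """One finding per condition that leaves a non-privileged principal in control."""
    d = parse_sddl(sddl)
    findings = []
    if d.owner not in PRIVILEGED:
        findings.append(f"{dn}: owner is {d.owner}, which can always rewrite the DACL")
    for ace in d.dacl:
        hit = ace.rights & DANGEROUS
        if ace.ace_type in ("A", "OA") and hit and ace.trustee not in PRIVILEGED:
            who = "CREATOR OWNER (becomes whoever creates children)" if ace.trustee == "CO" else ace.trustee
            findings.append(f"{dn}: ACE grants {','.join(sorted(hit))} to {who}")
    return findings


def harden(sddl: str, new_owner: str = "DA") -> str:
    """Hand ownership to an admin group and drop the old owner's explicit allow ACEs.
    CREATOR OWNER and other inherited entries are container policy and are left
    alone on purpose, so audit() keeps reporting them until the parent is fixed."""
    d = parse_sddl(sddl)
    old = d.owner
    kept = [a.raw for a in d.dacl
            if not (a.ace_type in ("A", "OA") and a.trustee == old and old not in PRIVILEGED)]
    parts = _segments(sddl)
    parts["O"] = new_owner
    parts["D"] = d.dacl_flags + "".join(kept)
    return "".join(f"{k}:{parts[k]}" for k in "OGDS" if k in parts)


# Constructed sample descriptors, not from a real domain. HELPDESK is a
# hypothetical delegated account that was granted "create user objects" on the OU.
HELPDESK = "S-1-5-21-1111-2222-3333-1105"
SAMPLES = {
    # created by a Domain Admin: owner DA, nothing to report
    "CN=svc-backup,OU=Service,DC=example,DC=com":
        "O:DAG:DAD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)(A;;RPLCLORC;;;AU)",
    # created by the delegated account: it is the owner and holds a full-control ACE
    "CN=svc-web,OU=Service,DC=example,DC=com":
        f"O:{HELPDESK}G:DUD:AI(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
        f"(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;{HELPDESK})(A;;RPLCLORC;;;AU)",
    # the OU itself carries an inherit-only WP grant to CREATOR OWNER
    "OU=Service,DC=example,DC=com":
        "O:DAG:DAD:AI(A;CIIO;WP;;;CO)(A;;RPLCLORC;;;AU)",
}


def run_audit(objects: Dict[str, str] = SAMPLES) -> Dict[str, List[str]]:
    return {dn: audit(dn, sddl) for dn, sddl in objects.items()}


if __name__ == "__main__":
    for dn, findings in run_audit().items():
        print(dn, findings or "OK")
```

Running it flags the object the helpdesk account created twice (it is the owner, and it holds an explicit full-control ACE) and the OU once (the CREATOR OWNER write grant that every future child inherits), while the Domain Admin-created object passes. After `harden()` the helpdesk-created object audits clean, whereas the OU finding persists because the inheritable entry has to be changed on the container, not patched per child.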
It’s important to note that this vulnerability only affects Samba when used as an Active Directory Domain Controller. Samba file server installations and domain member servers are not directly impacted.
Major Linux distributions like Red Hat Enterprise Linux, which do not ship Samba with AD Domain Controller capabilities, are also unaffected by this particular issue.
However, organizations using Samba AD in production environments should treat this vulnerability as a high priority. The potential for privilege escalation in Active Directory poses a significant security risk that could have far-reaching consequences if exploited.
As always, maintaining proper security hygiene – including timely patching, robust access controls, and ongoing security audits – remains crucial for protecting Active Directory environments against emerging threats.
Administrators are advised to consult the official Samba security advisory for full details on the vulnerability and patching instructions. With Active Directory being a critical component of many enterprise networks, addressing this flaw promptly is essential to maintain the security and integrity of affected systems.