CVE-2018-14628: 
Samba vulnerability analysis and mitigation

An information leak vulnerability (CVE-2018-14628) was discovered in Samba's LDAP server affecting all versions from 4.0.0 onwards when Samba is configured as an Active Directory Domain Controller. The vulnerability was discovered by Andrew Bartlett of Catalyst and the Samba Team, with Stefan Metzmacher of SerNet providing the final fix (Samba Security).

The vulnerability stems from incorrect ntSecurityDescriptor values for "CN=Deleted Objects" containers. When a domain was provisioned with an unpatched Samba version, the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object instead of having strict permissions as seen in Windows-provisioned domains. This misconfiguration allows non-privileged users to use the LDAPSERVERSHOWDELETEDOID control to view names and preserved attributes of deleted objects (Samba Security). The vulnerability has been assigned a CVSS v3.1 score of 4.3 (MEDIUM) with the vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NetApp Security).

The vulnerability leads to an information disclosure where authenticated but unprivileged users can view the names and preserved attributes of deleted objects in the LDAP store. While no information that was hidden before deletion becomes visible, the entire deleted object should not be visible without administrative rights, as is the case in Microsoft Active Directory (Samba Security).

After applying the patch, administrators must run 'samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix' on one domain controller to protect existing domains. Alternatively, administrators can manually change the ntSecurityDescriptor attribute for the "CN=Deleted Objects" containers to the following SDDL: O:SYG:SYD:PAI(A;;RPWPCCDCLCRCWOWDSDSW;;;SY)(A;;RPLC;;;BA). This gives System FullAccess while Builtin\Administrators has ReadProperty and ListChildren rights (Samba Security).