CVE-2023-4154: 
Samba vulnerability analysis and mitigation

A design flaw was discovered in Samba's DirSync control implementation, identified as CVE-2023-4154, which exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). The vulnerability was discovered by Andrew Bartlett and affects all versions of Samba since 4.0.0 up to versions 4.17.12, 4.18.8, and 4.19.1. This security issue was publicly disclosed on October 10, 2023 (Samba Security, NVD).

The vulnerability allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords, even though they should only have limited access. In normal operation, passwords and most secrets are never disclosed over LDAP in Active Directory. However, due to this design flaw, Active Directory accounts authorized to do some replication can replicate critical domain passwords and secrets. The vulnerability has a CVSS 3.1 base score of 7.5 HIGH (Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H) (Samba Security).

The vulnerability effectively eliminates the RODC/DC distinction, allowing RODC DC accounts, which should only be permitted to replicate some passwords, to obtain all domain secrets, including the critical krbtgt password. Additionally, the vulnerability fails to account for error conditions (fail open), such as out-of-memory situations, potentially granting access to secret attributes even under low-privileged attacker influence (NVD).

Patches addressing these issues have been released in Samba versions 4.19.1, 4.18.8, and 4.17.12. If no RODC accounts are in use in the domain, and DirSync users set LDAPDIRSYNCOBJECTSECURITY, there is no need to give this right to any users. Since Windows 2003 and in all versions of Samba, it has not been required to assign accounts the 'Get Changes' / GUIDDRSGETCHANGES right to use LDAP DirSync, provided that the LDAPDIRSYNCOBJECT_SECURITY is set in the control (Samba Security).