CVE-2019-14870
Last modified
CVE-2019-14870 is a medium-severity vulnerability rated 5.4/10 on the CVSS scale. All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. EPSS estimates a 2.78% chance of exploitation in the next 30 days.
Description
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Samba | Samba | >= 4.0.0, < 4.9.17 |
| Samba | Samba | >= 4.10.0, < 4.10.11 |
| Samba | Samba | >= 4.11.0, < 4.11.3 |
| Fedoraproject | Fedora | 30 |
| Fedoraproject | Fedora | 31 |
| Canonical | Ubuntu Linux | 14.04 |
| Canonical | Ubuntu Linux | 16.04 |
| Canonical | Ubuntu Linux | 18.04 |
| Canonical | Ubuntu Linux | 19.04 |
| Canonical | Ubuntu Linux | 19.10 |
| Debian | Debian Linux | 9.0 |
| Debian | Debian Linux | 10.0 |
| Opensuse | Leap | 15.1 |
References
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00038.htmlMailing List, Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870Issue Tracking, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/05/msg00023.htmlMailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/11/msg00034.htmlMailing List, Third Party Advisory
- https://security.gentoo.org/glsa/202003-52Third Party Advisory
- https://security.netapp.com/advisory/ntap-20191210-0002/Third Party Advisory
- https://usn.ubuntu.com/4217-1/Third Party Advisory
- https://usn.ubuntu.com/4217-2/Third Party Advisory
- https://www.samba.org/samba/security/CVE-2019-14870.htmlVendor Advisory
- https://www.synology.com/security/advisory/Synology_SA_19_40Third Party Advisory
- http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00038.htmlMailing List, Third Party Advisory
- https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870Issue Tracking, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2021/05/msg00023.htmlMailing List, Third Party Advisory
- https://lists.debian.org/debian-lts-announce/2022/11/msg00034.htmlMailing List, Third Party Advisory
- https://security.gentoo.org/glsa/202003-52Third Party Advisory
- https://security.netapp.com/advisory/ntap-20191210-0002/Third Party Advisory
- https://usn.ubuntu.com/4217-1/Third Party Advisory
- https://usn.ubuntu.com/4217-2/Third Party Advisory
- https://www.samba.org/samba/security/CVE-2019-14870.htmlVendor Advisory
- https://www.synology.com/security/advisory/Synology_SA_19_40Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Modified
Frequently Asked Questions
What is CVE-2019-14870?
How severe is CVE-2019-14870?
How do I fix CVE-2019-14870?
Are you affected by CVE-2019-14870?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST