← Back to CVEs
CVE-2019-14870
MEDIUM5.4
Description
All Samba versions 4.x.x before 4.9.17, 4.10.x before 4.10.11 and 4.11.x before 4.11.3 have an issue, where the S4U (MS-SFU) Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is implemented by a user attribute delegation_not_allowed (aka not-delegated), which translates to disallow-forwardable. However the Samba AD DC does not do that for S4U2Self and does set the forwardable flag even if the impersonated client has the not-delegated flag set.
CVE Details
CVSS v3.1 Score5.4
SeverityMEDIUM
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredLOW
User InteractionNONE
Published12/10/2019
Last Modified11/21/2024
Sourcenvd
Honeypot Sightings0
Affected Products
canonical:ubuntu_linuxdebian:debian_linuxfedoraproject:fedoraopensuse:leapsamba:samba
Weaknesses (CWE)
CWE-285CWE-287
References
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00038.html(secalert@redhat.com)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870(secalert@redhat.com)
https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html(secalert@redhat.com)
https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html(secalert@redhat.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PJH3ROOFYMOATD2UEPC47P5RPBDTY77E/(secalert@redhat.com)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNKA4YIPV7AZR7KK3GW6L3HKGHSGJZFE/(secalert@redhat.com)
https://security.gentoo.org/glsa/202003-52(secalert@redhat.com)
https://security.gentoo.org/glsa/202310-06(secalert@redhat.com)
https://security.netapp.com/advisory/ntap-20191210-0002/(secalert@redhat.com)
https://security.netapp.com/advisory/ntap-20230216-0008/(secalert@redhat.com)
https://usn.ubuntu.com/4217-1/(secalert@redhat.com)
https://usn.ubuntu.com/4217-2/(secalert@redhat.com)
https://www.samba.org/samba/security/CVE-2019-14870.html(secalert@redhat.com)
https://www.synology.com/security/advisory/Synology_SA_19_40(secalert@redhat.com)
http://lists.opensuse.org/opensuse-security-announce/2019-12/msg00038.html(af854a3a-2127-422b-91ae-364da2661108)
https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-14870(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2021/05/msg00023.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.debian.org/debian-lts-announce/2022/11/msg00034.html(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PJH3ROOFYMOATD2UEPC47P5RPBDTY77E/(af854a3a-2127-422b-91ae-364da2661108)
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WNKA4YIPV7AZR7KK3GW6L3HKGHSGJZFE/(af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202003-52(af854a3a-2127-422b-91ae-364da2661108)
https://security.gentoo.org/glsa/202310-06(af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20191210-0002/(af854a3a-2127-422b-91ae-364da2661108)
https://security.netapp.com/advisory/ntap-20230216-0008/(af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4217-1/(af854a3a-2127-422b-91ae-364da2661108)
https://usn.ubuntu.com/4217-2/(af854a3a-2127-422b-91ae-364da2661108)
https://www.samba.org/samba/security/CVE-2019-14870.html(af854a3a-2127-422b-91ae-364da2661108)
https://www.synology.com/security/advisory/Synology_SA_19_40(af854a3a-2127-422b-91ae-364da2661108)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.