CVE-2023-4154 Overview
A design flaw was discovered in Samba's DirSync control implementation that exposes passwords and secrets in Active Directory to privileged users and Read-Only Domain Controllers (RODCs). This vulnerability allows RODCs and users possessing the GET_CHANGES right to access all attributes, including sensitive secrets and passwords. Even in a default setup, RODC DC accounts, which should only replicate some passwords, can gain access to all domain secrets, including the vital krbtgt, effectively eliminating the RODC / DC distinction.
Furthermore, the vulnerability fails to account for error conditions (fail open), like out-of-memory situations, potentially granting access to secret attributes, even under low-privileged attacker influence.
Critical Impact
Attackers with RODC access or GET_CHANGES rights can extract all domain secrets including the krbtgt key, enabling complete domain compromise through Golden Ticket attacks.
Affected Products
- Samba (all versions with DirSync control implementation)
- Systems running Samba as Active Directory Domain Controller
- Environments utilizing Read-Only Domain Controllers (RODCs)
Discovery Timeline
- November 7, 2023 - CVE-2023-4154 published to NVD
- November 21, 2024 - Last updated in NVD database
Technical Details for CVE-2023-4154
Vulnerability Analysis
This vulnerability represents a design flaw in Samba's implementation of the DirSync control mechanism, which is used for directory synchronization in Active Directory environments. The core issue lies in how Samba handles attribute filtering during replication requests, specifically failing to properly restrict access to sensitive attributes when processing DirSync operations.
In properly configured Active Directory environments, RODCs should only be able to replicate a subset of passwords and secrets based on the Password Replication Policy (PRP). However, due to this design flaw, the DirSync control implementation does not properly enforce these restrictions, allowing RODCs to access all attributes regardless of policy settings.
The vulnerability is compounded by improper error handling that causes the system to "fail open" during error conditions such as memory exhaustion. When the system encounters an out-of-memory situation during attribute filtering, rather than denying access to protected attributes, it grants access by default.
Root Cause
The root cause of this vulnerability is a fundamental design flaw in the DirSync control implementation within Samba. The implementation fails to properly enforce the attribute filtering mechanism that should distinguish between what a full Domain Controller and a Read-Only Domain Controller can access. Additionally, the error handling logic defaults to permissive behavior rather than restrictive when encountering resource constraints or exceptional conditions.
Attack Vector
An attacker can exploit this vulnerability through network access to a Samba Active Directory Domain Controller. The attack requires the attacker to either:
- Compromise an RODC or its machine account credentials
- Obtain an account with GET_CHANGES extended rights (typically delegated for directory synchronization purposes)
Once these preconditions are met, the attacker can issue DirSync replication requests to extract sensitive attributes including:
- User password hashes (NTLM and Kerberos keys)
- The krbtgt account secrets used for Kerberos ticket signing
- Service account passwords
- Trust relationships secrets
The extraction of the krbtgt key is particularly severe as it enables the creation of Golden Tickets, granting persistent, nearly undetectable access to all resources in the domain. The fail-open error condition can potentially be triggered by an attacker inducing memory pressure on the target system, lowering the privilege requirements for exploitation.
Detection Methods for CVE-2023-4154
Indicators of Compromise
- Unusual DirSync replication requests originating from RODC accounts
- Replication traffic from systems not designated as Domain Controllers
- Requests for sensitive attributes (such as unicodePwd, supplementalCredentials, currentValue) from non-DC systems
- Memory exhaustion events on Domain Controllers coinciding with replication activities
Detection Strategies
- Monitor directory replication traffic for anomalous patterns, particularly requests from RODC accounts for attributes outside their Password Replication Policy
- Implement logging of DirSync control operations and alert on requests for sensitive attribute classes
- Configure audit policies to track DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended right usage
- Deploy network monitoring to detect unusual LDAP traffic patterns targeting Domain Controllers
Monitoring Recommendations
- Enable detailed Active Directory replication auditing on all Domain Controllers
- Implement real-time alerting for replication requests containing sensitive attributes from unexpected sources
- Monitor resource utilization on Domain Controllers to detect potential memory exhaustion attacks
- Review RODC Password Replication Policy configurations and verify actual replication behavior matches expected policy
How to Mitigate CVE-2023-4154
Immediate Actions Required
- Apply the latest Samba security patches from the official Samba releases
- Review and audit all accounts with GET_CHANGES and GET_CHANGES_ALL extended rights
- Audit RODC deployments and consider temporary decommissioning until patches are applied
- Rotate the krbtgt password twice to invalidate any potentially compromised Kerberos tickets
- Monitor for signs of Golden Ticket or Silver Ticket attacks
Patch Information
Samba has released security patches to address this vulnerability. Administrators should consult the Samba CVE-2023-4154 Security Page for specific version information and download links. The Samba Bug Report #15424 contains additional technical details about the fix.
Additional vendor advisories are available from:
Workarounds
- Restrict network access to Domain Controllers using firewall rules to limit replication traffic to known, trusted systems
- Remove GET_CHANGES extended rights from all accounts except those absolutely required for directory synchronization
- Implement strict Password Replication Policies on RODCs and regularly audit compliance
- Consider deploying additional monitoring for Active Directory replication activities until patches can be applied
- Segment RODC networks from sensitive resources to limit impact of potential compromise
# Audit accounts with replication rights
# Run on Domain Controller to identify principals with GET_CHANGES rights
samba-tool delegation show "Domain Controllers"
# Review RODC Password Replication Policy
samba-tool rodc preload --help
# Rotate krbtgt password (perform twice with 10+ hour gap)
samba-tool user setpassword krbtgt --newpassword="<new-secure-password>"
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
