PT-2019-5771 · Samba+5
Published: 2019-12-10
Updated: 2024-06-15
CVE-2019-14870
CVSS v2.0: 6.4 (Medium)
| Vector | AV:N/AC:L/Au:N/C:P/I:P/A:N |
Name of the Vulnerable Software and Affected Versions
Samba versions 4.x.x before 4.9.17
Samba versions 4.10.x before 4.10.11
Samba versions 4.11.x before 4.11.3
Description
The issue is related to the S4U (MS-SFU) Kerberos delegation model in Samba, which includes a feature allowing for a subset of clients to be opted out of constrained delegation. However, the Samba AD DC does not implement this feature correctly for S4U2Self and sets the forwardable flag even if the impersonated client has the not-delegated flag set. This can allow a remote attacker to access and compromise confidential data.
Recommendations
For Samba versions 4.x.x before 4.9.17, update to version 4.9.17 or later.
For Samba versions 4.10.x before 4.10.11, update to version 4.10.11 or later.
For Samba versions 4.11.x before 4.11.3, update to version 4.11.3 or later.
As a temporary workaround, consider disabling the S4U2Self feature until a patch is available.
Restrict access to sensitive data and implement additional security measures to minimize the risk of exploitation.
Correction
Improper Authentication
Improper Authorization
Related identifiers
Affected products
Alt Linux
Astra Linux
Freebsd
Samba
Suse
Ubuntu