Samba Certificate Auto-Enrollment Vulnerability in Group Policy Handling Allows MITM Attacks

Vulnerability

A vulnerability exists in Samba's handling of certificate auto-enrollment through Group Policy. When this feature is enabled, Samba can retrieve a Certificate Authority (CA) certificate over an unencrypted HTTP connection and install it into the local trust store without proper validation. This flaw could be exploited by an attacker who intercepts or redirects network traffic to introduce a malicious CA certificate, potentially compromising trusted communications. The issue affects Samba versions 4.16 and later, including the current release 4.24.0rc1.

Impact

Exploitation of this vulnerability allows for a man-in-the-middle attack, where an attacker can intercept and manipulate TLS communications by injecting a rogue CA certificate into the system's trust store. This compromise persists across reboots, as the malicious certificate is installed as a trusted authority.

Reproduction

To reproduce this vulnerability, enable certificate auto-enrollment via the Windows Group Policy Management Editor (GPME) on a domain with Network Device Enrollment Services (NDES) active. Once the policy is applied, Samba will fetch CA certificates over HTTP, creating a window for interception. The vulnerability can also be triggered by clearing the Samba Group Policy cache or forcing a policy application, which resets the certificate enrollment process.

Remediation

Users can upgrade to Samba versions 4.21.11, 4.22.10, 4.23.8, or 4.24.3, all of which include the necessary fix. Alternatively, administrators can disable certificate auto-enrollment in Group Policy or ensure that their Samba configuration does not apply group policies.
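As an added example (not code from the advisory or from the Samba project), the following Python check lets a defender test whether a host falls in the unpatched version range and is actually configured to apply Group Policy, using the output of `smbd --version` and the contents of smb.conf. It assumes the smb.conf parameter `apply group policies` (an existing Samba option whose default is no) and that maintenance branches newer than 4.24 ship the fix; the sample strings in the test are constructed.

```python
import re

# Fixed releases named in the advisory, keyed by maintenance branch: (major, minor) -> patch.
FIXED_VERSIONS = {(4, 21): 11, (4, 22): 10, (4, 23): 8, (4, 24): 3}
FIRST_AFFECTED = (4, 16)
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(rc\d+)?")

def parse_version(text):
    """Return (major, minor, patch, is_prerelease) from text such as 'Version 4.24.0rc1'."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError(f"no Samba version found in {text!r}")
    major, minor, patch = (int(x) for x in m.group(1, 2, 3))
    return major, minor, patch, m.group(4) is not None

def is_vulnerable_version(text):
    """True when the reported build predates the fix for its branch."""
    major, minor, patch, prerelease = parse_version(text)
    if (major, minor) < FIRST_AFFECTED:
        return False
    if (major, minor) > max(FIXED_VERSIONS):  # assumption: branches after 4.24 carry the fix
        return False
    fixed_patch = FIXED_VERSIONS.get((major, minor))
    if fixed_patch is None:  # 4.16 through 4.20: no fixed release listed, so treat as unpatched
        return True
    if patch == fixed_patch and prerelease:  # rc of the fixed release: conservatively unpatched
        return True
    return patch < fixed_patch

def group_policy_enabled(smb_conf_text):
    """True if [global] sets 'apply group policies' to yes; Samba's default is no."""
    section, enabled = None, False
    for raw in smb_conf_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()  # drop both comment styles
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, _, value = line.partition("=")
            if key.strip().lower() == "apply group policies":
                enabled = value.strip().lower() in ("yes", "true", "1", "on")  # last one wins
    return enabled

def assess(version_text, smb_conf_text):
    """Exposed only when the build is unpatched AND Samba is configured to apply policies."""
    vulnerable = is_vulnerable_version(version_text)
    applying = group_policy_enabled(smb_conf_text)
    return {"unpatched_version": vulnerable, "applies_group_policy": applying,
            "exposed": vulnerable and applying}
```

A host that is unpatched but has `apply group policies` left at its default is not exposed through this path, which is the second mitigation the advisory names.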

Added: May 27, 2026, 11:46 AM
Updated: May 27, 2026, 11:46 AM

Vulnerability Rating

Custom Algorithm
spread: 6.8
impact: 3.1
exploitability: 5.8
remediation: 8.3
relevance: 9.3
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.