===========================================================
== Subject: auto-enrolment GPO installing CA certificate over http
== without verification
==
== CVE ID#: CVE-2026-3012
==
== Versions: all versions since 4.16
==
==
== Summary: To bootstrap a certificate chain a domain member must
== fetch the CA certificate before it can validate any TLS
== connection. Samba was trusting plain HTTP for this when a
== more secure encrypted LDAP channel was also available.
===========================================================
===========
Description
===========
If the certificate auto-enrolment GPO is enabled on domain members
(both in Samba's smb.conf and via the Windows GPME tool), a CA
certificate may be fetched over a plain HTTP connection and installed
in the member computer's trust store. An attacker who can intercept
that response can substitute a certificate of their choosing, which
the member then trusts as a CA.

The URL from which the certificate is fetched follows a pattern used
by Microsoft's Network Device Enrollment Service (NDES) to provide
certificates to computers on the network that are not full domain
members. Domain members should already have access to these
certificates via better protected LDAP connections, so do not need the
NDES link (Samba uses no other part of NDES).

Pure Samba domains will not have auto-enrolment available, either
through LDAP or HTTP, as Samba does not currently implement Active
Directory Certificate Services. However, members of these domains are
still vulnerable if the GPO is enabled.

The patch removes the attempt to download the certificate and relies
on the LDAP values.
==================
Patch Availability
==================
Patches addressing this issue have been posted to:
https://www.samba.org/samba/security/
Additionally, Samba 4.22.10, 4.23.8 and 4.24.3 have been issued
as security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.
==================
CVSSv3 calculation
==================
CVSS3.1/AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N (8.0)
==========
Workaround
==========
If you do not enable certificate auto-enrolment using the Windows GPME
tool, the vulnerable code will not run.

If your smb.conf does not contain a line like 'apply group policies =
yes', group policy will not be enabled, and the vulnerable code will
not run (regardless of Windows GPME configuration).

Intercepting the HTTP request requires some control over the local
network or other devices to intercept or redirect traffic. Some
network administrators might assess this as a low risk on their
networks.
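The two conditions above (group policy enabled in smb.conf, and a Samba
version in the affected range) can be checked from a member's smb.conf
and its 'samba -V' output. The following script is an added example
written for this advisory; it is not Samba project code. It assumes
Samba's parameter-name normalisation (case and whitespace insensitive)
and boolean spellings (yes/true/1), treats 'apply group policies' as
off when absent, as the workaround text states, and uses only the
fixed releases named in this advisory. The GPME-side setting lives in
Active Directory and cannot be seen from smb.conf, so the script only
reports whether the member-side preconditions hold. The sample
smb.conf text is constructed for the example.

```python
"""Member-side exposure check for CVE-2026-3012 (added example, not Samba code)."""
import re

# Affected from 4.16 onwards; fixed releases per branch as named in the advisory.
FIRST_AFFECTED = (4, 16)
FIXED_RELEASES = {
    (4, 22): (4, 22, 10),
    (4, 23): (4, 23, 8),
    (4, 24): (4, 24, 3),
}
TRUE_VALUES = {"yes", "true", "1"}  # Samba boolean spellings (assumption)

# Constructed smb.conf for the example: a domain member with group policy on.
SAMPLE_SMB_CONF = """\
[global]
    security = ADS
    realm = EXAMPLE.ORG
    ; comment lines are ignored
    Apply Group Policies = Yes

[homes]
    apply group policies = no   # ignored: only [global] counts
"""


def parse_version(text):
    """Extract (major, minor, patch) from e.g. 'Version 4.22.9-Debian'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no x.y.z version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_status(version):
    """Classify a version tuple against the advisory's affected/fixed ranges."""
    branch = version[:2]
    if branch < FIRST_AFFECTED:
        return "not_affected"
    if branch in FIXED_RELEASES:
        return "fixed" if version >= FIXED_RELEASES[branch] else "vulnerable"
    if branch < min(FIXED_RELEASES):
        # 4.16 to 4.21: affected, but no security release listed; apply the patch.
        return "vulnerable_unpatched_branch"
    return "unknown"  # newer than any branch named in the advisory


def gpo_enabled(smb_conf_text):
    """True if [global] sets 'apply group policies' to a true value (last wins)."""
    section = None
    enabled = False  # default: parameter absent means group policy is off
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        key = re.sub(r"\s+", "", key).lower()  # Samba ignores case and spaces in names
        if key == "applygrouppolicies":
            enabled = value.strip().lower() in TRUE_VALUES
    return enabled


def assess(smb_conf_text, version_text):
    """Combine both member-side preconditions into one verdict."""
    status = version_status(parse_version(version_text))
    gpo = gpo_enabled(smb_conf_text)
    return {
        "gpo_enabled": gpo,
        "version_status": status,
        "vulnerable_code_can_run": gpo
        and status in ("vulnerable", "vulnerable_unpatched_branch"),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_SMB_CONF, "Version 4.22.9"))
```

Run it with the output of 'samba -V' (or 'smbd -V' on a member) and the
live smb.conf; a result of vulnerable_code_can_run = True means the
member should be upgraded or patched, or 'apply group policies' turned
off until it is.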
=======
Credits
=======
Originally reported by:
- Arad Inbar of the DREAM Security Research Team
- Nir Somech of the DREAM Security Research Team
- Ben Grinberg of the DREAM Security Research Team
- Michalis Vasileiadis
Patches and this advisory provided by Douglas Bagnall of Catalyst and
the Samba team.
==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================