Introduction
A flaw in Samba's Group Policy certificate auto-enrollment feature allowed domain members to fetch CA certificates over plaintext HTTP and install them into the local trust store without verification, giving adjacent network attackers a path to subvert the entire certificate trust chain. For any organization running Samba 4.16 or later with Group Policy auto-enrollment enabled, this means a single intercepted HTTP request could grant an attacker the ability to forge trusted certificates and silently intercept or spoof TLS protected communications across the affected system.
Technical Information
Root Cause: HTTP Where LDAP Was Already Available
CVE-2026-3012 resides in python/samba/gp/gp_cert_auto_enroll_ext.py, the Python module responsible for processing certificate auto-enrollment Group Policy Objects (GPOs) on Samba domain members. This feature was introduced in Samba 4.16.
When a domain member processes the auto-enrollment GPO, it needs to obtain a Certificate Authority (CA) certificate to bootstrap the certificate chain. The vulnerable code performed this retrieval over a plaintext HTTP connection, following the URL pattern used by Microsoft's Network Device Enrollment Service (NDES). No cryptographic validation was performed on the retrieved certificate before it was installed into the local trust store.
The core design error is that NDES exists to serve devices that are not full domain members and therefore lack access to the directory. Samba domain members, by contrast, already establish authenticated, encrypted LDAP sessions to the domain controller as part of GPO processing. The same CA certificates are available via the cACertificate LDAP attribute retrieved through fetch_certification_authorities(). The HTTP path was retained for compatibility with the Microsoft NDES URL pattern, but it was never necessary for domain members and introduced a trust subversion risk.
CVSS Breakdown
The CVSS v3.1 vector is AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N, yielding a base score of 8.0 (High).
| Parameter | Value |
|---|---|
| Attack Vector | Adjacent Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Changed |
| Confidentiality Impact | High |
| Integrity Impact | High |
| Availability Impact | None |
The "Changed Scope" metric is particularly important here. Once the malicious CA certificate is installed in the system trust store, it is trusted by all applications on that system, not just Samba. This means the impact extends to HTTPS connections, LDAP over TLS, and any other service relying on the system certificate store.
Attack Flow
An attacker would exploit this vulnerability through the following sequence:
-
Network positioning: The attacker establishes a presence on the same adjacent network segment (Layer 2 domain or routable subnet) as a Samba domain member. This is the primary barrier to exploitation and is reflected in the "Adjacent Network" attack vector.
-
Traffic interception capability: The attacker sets up the ability to intercept or redirect HTTP traffic from the target. Techniques such as ARP spoofing, DNS poisoning, or compromise of an intermediate network device would serve this purpose.
-
Trigger condition: The Samba domain member processes the certificate auto-enrollment GPO. This occurs when
apply group policies = yesis set insmb.confand the auto-enrollment GPO has been configured through the Windows Group Policy Management Editor. -
Certificate substitution: When the domain member issues the plaintext HTTP request to the NDES endpoint to retrieve the CA certificate, the attacker intercepts the request and responds with a malicious CA certificate under their control.
-
Trust store poisoning: Samba installs the attacker supplied CA certificate into the local trust store without any verification of its authenticity or chain of trust.
-
Post exploitation: With the malicious CA now trusted system wide, the attacker can forge certificates for arbitrary services. This enables man in the middle attacks against TLS protected communications, including LDAP, HTTPS, and other certificate validated services. The malicious CA persists in the trust store until manually removed, providing a durable persistence mechanism.
This attack pattern maps directly to MITRE ATT&CK T1553.004 (Subvert Trust Controls: Install Root Certificate) and enables subsequent use of T1649 (Steal or Forge Authentication Certificates).
Prerequisites for Exploitation
Two configuration conditions must both be true for the vulnerable code path to execute:
- The
smb.conffile on the domain member must containapply group policies = yes. - Certificate auto-enrollment must be configured through the Windows Group Policy Management Editor (GPME).
If either condition is absent, the vulnerable code is never reached. Pure Samba domains do not implement Active Directory Certificate Services, so auto-enrollment is unavailable through either LDAP or HTTP in those environments; however, domain members remain vulnerable if the GPO is enabled.
Discovery
The vulnerability was reported by Arad Inbar, Nir Somech, and Ben Grinberg of the DREAM Security Research Team, along with Michalis Vasileiadis. The Red Hat Bugzilla entry (bug 2447319) was filed on 2026-03-13, and the embargo was lifted on 2026-05-27.
Patch Information
The Samba team released an upstream fix on May 26, 2026, authored by Douglas Bagnall of Catalyst. The patch targets python/samba/gp/gp_cert_auto_enroll_ext.py and takes a clean, elimination based approach: it removes the HTTP download code path entirely and makes the getca() function rely exclusively on LDAP sourced certificate data.
In the patched code, the getca() function's docstring now reads "Fetch a certificate from LDAP.", reflecting its new behavior. The function only processes the cACertificate attribute already retrieved via LDAP through fetch_certification_authorities(), decodes the DER encoded certificate, converts it to PEM format, and writes it to disk.
Additionally, the __read_cep_data() method's endpoint URL handling was tightened. The patched code only recognizes two endpoint types: LDAP: endpoints (which query the directory directly) and HTTPS:// endpoints (which at least provide transport encryption). Any other URL scheme, including plain http://, now falls through to an error logging branch and is rejected:
else: edata = { 'endpoint': ca['URL'] } log.error('Unrecognized endpoint', edata)
The patch also adds validation that the cACertificate attribute is actually present in the LDAP response before attempting enrollment, logging a warning and skipping any CA entry that lacks it.
Fixed Upstream Releases
Upstream patch files are available at https://www.samba.org/samba/security/:
samba-4.24.2-security-2026-05-26.patchsamba-4.23.7-security-2026-05-26.patchsamba-4.22.9-security-2026-05-26.patch
The corresponding fixed releases are Samba 4.22.10, 4.23.8, and 4.24.3.
Distribution Patches
| Distribution | Advisory | Fixed Versions |
|---|---|---|
| Debian | DSA-6297-1 | bookworm-security (2:4.17.12+dfsg-0+deb12u4), trixie-security (2:4.22.8+dfsg-0+deb13u2), sid (2:4.24.3+dfsg-1). Bullseye remains listed as vulnerable. |
| Ubuntu | USN-8306-1 | 26.04 LTS (2:4.23.6+dfsg-1ubuntu2.1), 25.10 (2:4.22.3+dfsg-4ubuntu2.4), 24.04 LTS (2:4.19.5+dfsg-4ubuntu9.6), 22.04 LTS (2:4.15.13+dfsg-0ubuntu1.12) |
| SUSE | SUSE-SU-2026:2072-1, 2074-1, 2076-1 | SLE 15 SP5 through SP7, with backported packages across multiple product lines |
| Amazon Linux 2023 | Pending | Fix listed as pending; Amazon Linux 2 is not affected |
| Red Hat | Under investigation | Listed as affected for RHEL 7 through 10 and OpenShift Container Platform 4; no erratum released at time of writing |
Detection Methods
Detecting exposure to CVE-2026-3012 requires a layered approach combining configuration auditing, version checking, network traffic analysis, and trust store monitoring. No formal automated detection signatures (such as YARA, Sigma, or Snort/Suricata rules) have been published for this vulnerability as of the disclosure date.
Configuration Auditing
The most immediate detection step is verifying whether your environment enables the vulnerable code path. Two conditions must be true simultaneously: the Samba smb.conf must contain apply group policies = yes, and certificate auto-enrollment must be configured through the Windows GPME. Auditing all domain member smb.conf files for this directive is a fast way to triage which systems are at risk. As Red Hat notes, the vulnerable code is not exploitable in default RHEL configurations since group policy processing requires explicit administrative opt in.
Version Based Detection
All Samba versions from 4.16 onward are affected. Vulnerability scanners or asset inventories should flag any Samba installation in this range that has not been updated to 4.22.10, 4.23.8, or 4.24.3 (or the corresponding distribution specific package versions listed above).
Network Traffic Indicators
The core of this vulnerability is that Samba domain members were fetching CA certificates over plain HTTP (TCP port 80) from NDES endpoints. Any Samba domain member generating outbound HTTP traffic to NDES certificate enrollment URL paths should be flagged as suspicious. Domain members should never need to use the NDES HTTP path, as they already have access to certificates via LDAP. Monitoring firewall logs, proxy logs, or network flow data for HTTP requests from Samba domain joined Linux machines to Windows certificate enrollment infrastructure is a strong detection signal, particularly if you see requests over port 80 where LDAP (port 389/636) traffic would normally be expected.
Trust Store Integrity Monitoring
If an attacker successfully exploited this vulnerability, the result would be a rogue CA certificate installed in the domain member's local trust store. On Linux domain members, this means watching directories such as /etc/pki/tls/certs/, /usr/local/share/ca-certificates/, or distribution specific trust paths. File integrity monitoring (FIM) solutions or audit frameworks like auditd can be configured to track modifications to these paths. Any CA certificate that does not match your organization's known PKI chain should be treated as a high priority indicator of compromise.
Samba Log Review
Reviewing Samba's log output (controlled by the log level directive in smb.conf) for entries related to Group Policy processing and certificate enrollment operations can reveal whether the auto-enrollment code path was exercised. Look for log messages referencing GPO application, certificate retrieval, or HTTP connections to enrollment endpoints. Increasing log verbosity temporarily during investigation can help surface relevant activity.
Affected Systems and Versions
All Samba versions from 4.16 onward are vulnerable. The auto-enrollment code has trusted HTTP for CA certificate retrieval since that feature was introduced in 4.16.
Fixed upstream versions:
- Samba 4.22.10
- Samba 4.23.8
- Samba 4.24.3
Vulnerable configurations require both:
apply group policies = yespresent insmb.conf- Certificate auto-enrollment configured via the Windows Group Policy Management Editor
Systems that do not meet both conditions do not execute the vulnerable code path. Pure Samba domains (without Active Directory Certificate Services) have reduced but non-zero risk, as domain members remain vulnerable if the GPO is enabled.
Vendor Security History
Samba has a well documented history of security vulnerabilities spanning over two decades. Several past issues are worth noting for context:
| CVE | Year | CVSS | Description |
|---|---|---|---|
| CVE-2007-2447 | 2007 | 10.0 | Remote command injection via MS-RPC username mapping |
| CVE-2017-7494 | 2017 | 9.8 | Remote code execution ("SambaCry"), widely exploited in the wild |
| CVE-2021-44142 | 2022 | 9.9 | RCE as root via vfs_fruit module |
| CVE-2022-42898 | 2022 | 9.8 | Integer overflows in Kerberos/AD DC on 32 bit systems |
| CVE-2023-34966 | 2023 | 8.8 | Heap buffer overflow in Heimdal implementation |
The CVE-2017-7494 ("SambaCry") case is particularly relevant as a precedent. That vulnerability was actively exploited at scale by cryptocurrency mining botnets and ransomware operators, demonstrating that Samba vulnerabilities can and do reach the exploitation stage when network access requirements are achievable. CVE-2026-3012's adjacent network requirement provides a meaningful barrier in well segmented environments, but in flat networks the conditions for exploitation are considerably easier to meet.
The Samba project maintains a coordinated security release and disclosure process, with patches typically issued simultaneously across multiple supported branches.
References
- NVD: CVE-2026-3012
- Samba Security Announcement: CVE-2026-3012
- Samba Security Patch Archive
- Samba Source: gp_cert_auto_enroll_ext.py
- Red Hat CVE Page: CVE-2026-3012
- Red Hat Errata: RHSA-2026:3012
- Red Hat Bugzilla: Bug 2447319
- Samba Bugzilla: Bug 16003
- Ubuntu Security Notice: USN-8306-1
- Ubuntu CVE Tracker: CVE-2026-3012
- Debian Security Tracker: CVE-2026-3012
- SUSE CVE Page: CVE-2026-3012
- Amazon Linux CVE Page: CVE-2026-3012
- Samba Release Notes: 4.23.8
- Samba Security History
- SambaWiki: Certificate Auto Enrollment
- MITRE ATT&CK T1553.004: Install Root Certificate
- MITRE ATT&CK T1649: Steal or Forge Authentication Certificates
- VulnCheck: State of Exploitation 2026
- NVD: CVE-2017-7494 (SambaCry)
- Linux Compatible: Samba and Other Updates for Ubuntu



