ESB-2017.1756 - [UNIX/Linux] samba: Multiple vulnerabilities 2017-07-17


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2017.1756
           Orpheus' Lyre mutual authentication validation bypass
                               17 July 2017

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           samba
Publisher:         The Samba Team
Operating System:  UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Access Privileged Data         -- Remote/Unauthenticated
                   Provide Misleading Information -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2017-11103  

Reference:         ESB-2017.1741

Original Bulletin: 
   https://www.samba.org/samba/security/CVE-2017-11103.html

- --------------------------BEGIN INCLUDED TEXT--------------------

====================================================================
== Subject:     Orpheus' Lyre mutual authentication validation bypass
==
== CVE ID#:     CVE-2017-11103 (Heimdal)
==
== Versions:    All versions of Samba from 4.0.0 onwards using
==              embedded Heimdal Kerberos.
==
==              Samba binaries built against MIT Kerberos are not
==              vulnerable.
==
== Summary:     A MITM attacker may impersonate a trusted server
==              and thus gain elevated access to the domain by
==              returning malicious replication or authorization data.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 include an embedded copy of Heimdal
Kerberos.  Heimdal has made a security release, which disclosed:

Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation

   This is a critical vulnerability.

   In _krb5_extract_ticket() the KDC-REP service name must be obtained from
   the encrypted version stored in 'enc_part' instead of the unencrypted
   version stored in 'ticket'.  Use of the unencrypted version provides an
   opportunity for successful server impersonation and other attacks.

   Identified by Jeffrey Altman, Viktor Duchovni and Nico Williams.

   See https://www.orpheus-lyre.info/ for more details.

The impact for Samba is particularly strong for cases where the Samba
DRS replication service contacts another DC requesting replication
of user passwords, as these could then be controlled by the attacker.
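The following is an added illustration of the defect described above; it is not Heimdal or Samba code. It models a KDC-REP with a simplified structure (the real types are Heimdal's KDC_REP and EncKDCRepPart, which are not reproduced here) and shows the two validation patterns side by side: the vulnerable one compares the requested service name against the plaintext 'ticket' fields, which anyone on the path can rewrite, while the fixed one compares against the name recovered from 'enc_part', which only a holder of the client's key could have produced. All principal names and the scenario are constructed for the example.

```c
/* Added example (not Heimdal/Samba code): why the KDC-REP service name
 * must be taken from the encrypted part. Types and names are simplified
 * stand-ins constructed for this illustration. */
#include <stdio.h>
#include <string.h>

/* Simplified principal: "service/host" plus realm. */
typedef struct {
    const char *sname;  /* e.g. "ldap/dc1" */
    const char *realm;  /* e.g. "EXAMPLE.COM" */
} principal_t;

/* Simplified KDC-REP. The Ticket's outer name fields travel in plaintext
 * and can be rewritten in transit; enc_part is only readable after
 * decryption with the client's key, so only the KDC, which shares that
 * key, could have produced a reply whose enc_part decrypts correctly. */
typedef struct {
    principal_t ticket;    /* plaintext, not authenticated to the client */
    principal_t enc_part;  /* recovered from the decrypted reply */
} kdc_rep_t;

static int principal_equal(const principal_t *a, const principal_t *b)
{
    return strcmp(a->sname, b->sname) == 0 &&
           strcmp(a->realm, b->realm) == 0;
}

/* Vulnerable pattern: trusts the plaintext 'ticket' name.
 * Returns 1 if the reply is accepted for the requested service. */
int extract_ticket_vulnerable(const kdc_rep_t *rep, const principal_t *requested)
{
    return principal_equal(&rep->ticket, requested);
}

/* Fixed pattern: trusts only the name carried inside 'enc_part'. */
int extract_ticket_fixed(const kdc_rep_t *rep, const principal_t *requested)
{
    return principal_equal(&rep->enc_part, requested);
}

/* Constructed scenario: the client asked for "ldap/dc1", the plaintext
 * ticket name agrees, but the encrypted part (the only part the KDC
 * vouched for) names a different service. Returns 1 if accepted. */
int mismatched_reply_accepted(int use_fixed)
{
    principal_t requested = { "ldap/dc1", "EXAMPLE.COM" };
    kdc_rep_t rep = {
        .ticket   = { "ldap/dc1",   "EXAMPLE.COM" },  /* plaintext matches */
        .enc_part = { "host/other", "EXAMPLE.COM" },  /* what the KDC issued */
    };
    return use_fixed ? extract_ticket_fixed(&rep, &requested)
                     : extract_ticket_vulnerable(&rep, &requested);
}

/* Constructed genuine reply: both names agree, so both checks accept. */
int genuine_reply_accepted(int use_fixed)
{
    principal_t requested = { "ldap/dc1", "EXAMPLE.COM" };
    kdc_rep_t rep = {
        .ticket   = { "ldap/dc1", "EXAMPLE.COM" },
        .enc_part = { "ldap/dc1", "EXAMPLE.COM" },
    };
    return use_fixed ? extract_ticket_fixed(&rep, &requested)
                     : extract_ticket_vulnerable(&rep, &requested);
}

int main(void)
{
    printf("vulnerable check accepts mismatched reply: %d\n",
           mismatched_reply_accepted(0));
    printf("fixed check accepts mismatched reply:      %d\n",
           mismatched_reply_accepted(1));
    printf("fixed check accepts genuine reply:         %d\n",
           genuine_reply_accepted(1));
    return 0;
}
```

The point to carry away for review of any Kerberos client code is the same as in the Heimdal note: any field of a KDC-REP that the client uses to decide which service it is talking to must be read from the decrypted enc_part, never from the plaintext Ticket, because only the former is bound to the client's key.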

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.6.6, 4.5.12 and 4.4.15 have been issued as security
releases to correct the defect.  Samba vendors and administrators running
affected versions linked against the embedded Heimdal Kerberos are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Samba versions built against MIT Kerberos are not impacted.  Unless you
are running Samba as an AD DC, you can rebuild Samba against the system
MIT Kerberos using:

 ./configure --with-system-mitkrb5

=======
Credits
=======

This problem was identified in Heimdal by Jeffrey Altman, Viktor
Duchovni and Nico Williams.

Andrew Bartlett, Garming Sam and Bob Campbell of Catalyst and the
Samba Team ported the fix to Samba and wrote this advisory.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWWv4Aox+lLeg9Ub1AQi6zxAAnpuo/Q+JfXtA0DBjJ/3A28LRGkN3S+ku
bXck8FG80fCIX+zk0Qx1OwlUf+GZ26t4gJpwzmeedc9P9Ip0gbxirvbsMVPDQEts
kx7ckJXRwtyifq7LEdZNxCozuR5YeSC6udf2HjsBI/drv37UZN0Sk6uIAcah/W/W
vLiWts33dLUI1S2/Pgcg7kh+FVt8n/9VpwirJapgHLXG4B945YaEXPJvkrBtpneP
YVfD9a3CtXejEeuYoaLDjWyRbZ7xGm4HUmCcbyaSuRr+cYoCUg4OvoEfMBJgoFYp
iLLOCJcyUaYuyJiYjchJt4KWO+tB7FuJ8y04ZwUTXtMW86dpzRiVC1Lu3S9mAYwg
RspKTZn0jmLRdCNfBcnSH/FPLkrLKpP9QDI6kMpLCt+9AEyJdNy0mIlcyg9mRUSc
IpNKdH4LpyWgzKJeA8bC8Nxy/StGQzuPeEKujZpMsNRxpvS2xWb65Fy/CUrVmPMp
++rD82o4oCH54vjY/4lwYAmi+5SOujsoy2Oyu3ANghnpMFXlETyK6YC1X0v8J9Yq
Y+Q/10CIuwTEj1Wrh4fK561PKRaxuVnj44M5aIOpSnfebeX/pua/CtzJmOFRNk/3
GCplV3M3c33L7oUo47Aq6Hn3VA91cFqg7saedAgaNa+ikg9ODmIT8SlyjgXESW5V
lk4qAaJIebE=
=i1kK
-----END PGP SIGNATURE-----
