ESB-2018.0731 - ALERT [Win][UNIX/Linux] samba: Multiple vulnerabilities 2018-03-14



===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0731
           Samba patches critical password-change vulnerability
                               14 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           samba
Publisher:         Samba
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise -- Existing Account      
                   Denial of Service        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1057 CVE-2018-1050 

Original Bulletin: 
   https://www.samba.org/samba/security/CVE-2018-1057.html
   https://www.samba.org/samba/security/CVE-2018-1050.html

Comment: This bulletin contains two (2) Samba security advisories.
         
         This update is only critical if you use Samba as an Active Directory
         Domain Controller, otherwise CVE-2018-1057 is not applicable.

- --------------------------BEGIN INCLUDED TEXT--------------------

====================================================================
== Subject:     Authenticated users can change other users' password
==
== CVE ID#:     CVE-2018-1057
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     On a Samba 4 AD DC any authenticated user can change
==              other users' passwords over LDAP, including the
==              passwords of administrative users and service
==              accounts.
==
====================================================================

===========
Description
===========

On a Samba 4 AD DC the LDAP server in all versions of Samba from
4.0.0 onwards incorrectly validates permissions to modify passwords
over LDAP, allowing authenticated users to change any other user's
password, including those of administrative users and privileged
service accounts (e.g. Domain Controllers).

The LDAP server incorrectly validates certain LDAP password
modifications against the "Change Password" privilege, but then
performs a password reset operation.

The change password right in AD is an extended object access right
with the GUID ab721a53-1e2f-11d0-9819-00aa0040529b.

By default user objects grant the change password right to the
authenticated user's own user object (self) and to everyone
(world). Computer objects grant the change password right to
everyone.

The corresponding ACEs expressed in SDDL are

self:  (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
world: (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)

The components of these ACEs are

OA: object access allowed
CR: extended rights
PS: trustee: self
WD: trustee: world/everyone

The problematic ACE is the one for world/everyone.

The Windows GUI shows this as "Change password" right granted to
"Everyone".
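The ACE structure above can be checked mechanically. The following Python is an added example, not part of the Samba advisory: it parses the ACEs of an SDDL security descriptor and reports which trustees hold the Change-Password extended right, so an administrator can spot user or computer objects where the right is still granted to WD (Everyone). The sample descriptors are constructed.

```python
import re

# The "Change password" extended access right named in the advisory.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"
ACE_RE = re.compile(r"\(([^()]*)\)")

def parse_aces(sddl):
    """Return each ACE '(type;flags;rights;object_guid;inherit_guid;trustee)'
    as a dict; rights become a set of two-letter SDDL codes."""
    aces = []
    for body in ACE_RE.findall(sddl):
        fields = body.split(";")
        if len(fields) != 6:
            raise ValueError("malformed ACE: (%s)" % body)
        ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
        if rights.startswith("0x"):  # numeric mask: bit 0x100 is the CR right
            codes = {"CR"} if int(rights, 16) & 0x100 else set()
        else:
            codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
        aces.append({"type": ace_type, "flags": flags, "rights": codes,
                     "object_guid": obj_guid.lower(),
                     "inherit_guid": inh_guid, "trustee": trustee})
    return aces

def grants_change_password(ace):
    """Object-access-allowed (OA) ACE carrying the extended right (CR)
    whose object GUID is the Change-Password right."""
    return (ace["type"] == "OA" and "CR" in ace["rights"]
            and ace["object_guid"] == CHANGE_PASSWORD_GUID)

def change_password_trustees(sddl):
    """Trustees, in ACE order, that hold the Change-Password right."""
    return [a["trustee"] for a in parse_aces(sddl) if grants_change_password(a)]

def everyone_can_change_password(sddl):
    """The ACE the advisory calls problematic: the right granted to WD
    (world/everyone) rather than only to PS (self)."""
    return "WD" in change_password_trustees(sddl)

# Constructed sample: a user object's default self and world ACEs plus an
# unrelated full-control ACE for Domain Admins (DA).
WORLD_ACE = "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
DEFAULT_USER_SDDL = ("O:DAG:DAD:(A;;RPWPCRCCDCLCLORCWOWDSDDTSW;;;DA)"
                     "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
                     + WORLD_ACE)
# The same descriptor with the world ACE removed.
HARDENED_USER_SDDL = DEFAULT_USER_SDDL.replace(WORLD_ACE, "")
```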

==========
Workaround
==========

Possible workarounds are described on a dedicated page in the Samba wiki:

https://wiki.samba.org/index.php/CVE-2018-1057

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.7.6, 4.6.14 and 4.5.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions may be available at https://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

=======
Credits
=======

This problem was found by Björn Baumbach from SerNet. Ralph Böhme and
Stefan Metzmacher from SerNet and the Samba Team provided the fix.

- --------------------------------------------------------------------------------

====================================================================
== Subject:     Denial of Service Attack on external print server.
==
== CVE ID#:     CVE-2018-1050
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     Missing null pointer checks may crash the external
==              print server process.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
service attack when the RPC spoolss service is configured to be run as
an external daemon. Missing input sanitization checks on some of the
input parameters to spoolss RPC calls could cause the print spooler
service to crash.

There is no known vulnerability associated with this error, merely a
denial of service. If the RPC spoolss service is left by default as an
internal service, all a client can do is crash its own authenticated
connection.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.7.6, 4.6.14 and 4.5.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Ensure the parameter:

rpc_server:spoolss = external

is not set in the [global] section of your smb.conf.
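A check for this workaround, added here and not part of the advisory: it reads the [global] section of an smb.conf and reports whether rpc_server:spoolss is set to external. Both configuration fragments are constructed, and the parameter-name normalisation (lowercase, internal spaces removed) is an assumption about how Samba matches parameter names.

```python
def parse_smb_conf(text):
    """Minimal smb.conf reader returning {section: {param: value}}.
    Comment lines start with '#' or ';'. Parameter names are lowercased
    with internal spaces removed (assumed to mirror Samba's case- and
    space-insensitive matching); 'include' and 'copy' are not followed."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # stray text outside a section or without a value
        key, _, value = line.partition("=")
        sections[current]["".join(key.split()).lower()] = value.strip()
    return sections

def external_spoolss_enabled(text):
    """True when [global] sets rpc_server:spoolss = external, the
    configuration the advisory's workaround says not to use."""
    value = parse_smb_conf(text).get("global", {}).get("rpc_server:spoolss", "")
    return value.lower() == "external"

# Constructed fragments: the first enables the external spoolss daemon in
# [global]; the second only mentions it in a comment and in a share section,
# which does not configure the global RPC server.
VULNERABLE_CONF = """
[global]
    workgroup = EXAMPLE
    # run the print spooler as a separate process
    rpc_server:spoolss = external
[printers]
    path = /var/spool/samba
"""
SAFE_CONF = """
[global]
    workgroup = EXAMPLE
    ; rpc_server:spoolss = external
[printers]
    rpc_server:spoolss = external
    path = /var/spool/samba
"""
```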

=======
Credits
=======

This problem was found by the Synopsys Defensics intelligent fuzz
testing tool.  Jeremy Allison of Google and the Samba Team provided
the fix.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================