-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

===========================================================================
             AUSCERT External Security Bulletin Redistribution

                               ESB-2018.0731
           Samba patches critical password-change vulnerability
                               14 March 2018

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:           samba
Publisher:         Samba
Operating System:  Windows
                   UNIX variants (UNIX, Linux, OSX)
Impact/Access:     Administrator Compromise -- Existing Account
                   Denial of Service        -- Remote/Unauthenticated
Resolution:        Patch/Upgrade
CVE Names:         CVE-2018-1057 CVE-2018-1050

Original Bulletin:
   https://www.samba.org/samba/security/CVE-2018-1057.html
   https://www.samba.org/samba/security/CVE-2018-1050.html

Comment: This bulletin contains two (2) Samba security advisories.

         This update is only critical if you use Samba as an Active
         Directory Domain Controller, otherwise CVE-2018-1057 is not
         applicable.

- --------------------------BEGIN INCLUDED TEXT--------------------

====================================================================
== Subject:     Authenticated users can change other users' password
==
== CVE ID#:     CVE-2018-1057
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     On a Samba 4 AD DC any authenticated user can change
==              other users' passwords over LDAP, including the
==              passwords of administrative users and service
==              accounts.
==
====================================================================

===========
Description
===========

On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0
onwards incorrectly validates permissions to modify passwords over LDAP
allowing authenticated users to change any other users' passwords,
including administrative users and privileged service accounts (eg
Domain Controllers).

The LDAP server incorrectly validates certain LDAP password
modifications against the "Change Password" privilege, but then
performs a password reset operation.

The change password right in AD is an extended object access right
with the GUID ab721a53-1e2f-11d0-9819-00aa0040529b.

By default user objects grant the change password right to the
authenticated user's own user object (self) and to everyone (world).
Computer objects grant the change password right to everyone.

The corresponding ACEs expressed in SDDL are

  self:  (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)
  world: (OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)

The components of these ACEs are

  OA: object access allowed
  CR: extended rights
  PS: trustee: self
  WD: trustee: world/everyone

The problematic ACE is the one for world/everyone. The Windows GUI
shows this as "Change password" right granted to "Everyone".

==========
Workaround
==========

Possible workarounds are described at a dedicated page in the Samba
wiki:

  https://wiki.samba.org/index.php/CVE-2018-1057

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.7.6, 4.6.14 and 4.5.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions may be available at https://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

=======
Credits
=======

This problem was found by Björn Baumbach from SerNet. Ralph Böhme and
Stefan Metzmacher from SerNet and the Samba Team provided the fix.

- --------------------------------------------------------------------------------

====================================================================
== Subject:     Denial of Service Attack on external print server.
==
== CVE ID#:     CVE-2018-1050
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     Missing null pointer checks may crash the external
==              print server process.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
service attack when the RPC spoolss service is configured to be run as
an external daemon. Missing input sanitization checks on some of the
input parameters to spoolss RPC calls could cause the print spooler
service to crash.

There is no known vulnerability associated with this error, merely a
denial of service. If the RPC spoolss service is left by default as an
internal service, all a client can do is crash its own authenticated
connection.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.7.6, 4.6.14 and 4.5.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Ensure the parameter:

  rpc_server:spoolss = external

is not set in the [global] section of your smb.conf.

=======
Credits
=======

This problem was found by the Synopsys Defensics intelligent fuzz
testing tool. Jeremy Allison of Google and the Samba Team provided the
fix.

- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to
auscert@auscert.org.au and we will forward your request to the
appropriate person.
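The CVE-2018-1057 advisory above identifies the exact ACE at issue: the "Change Password" extended right (GUID ab721a53-1e2f-11d0-9819-00aa0040529b) granted to the trustee WD (world/everyone). The following Python audit is an added example, not code from the AusCERT bulletin or from the Samba project: it parses the DACL of an object's SDDL string into its six ACE fields, lists which trustees hold that extended right, and flags the world/everyone grant the advisory calls problematic. The SDDL strings are constructed to mirror the two ACEs the advisory quotes; they were not captured from a real directory. Note that the root cause the advisory describes is server-side (the LDAP server checks the change-password right but then performs a reset), so locating the ACE supports the workaround review and does not replace the patch.

```python
"""Audit an AD object's security descriptor (SDDL) for the ACE behind
CVE-2018-1057: the "Change Password" extended right granted to
world/everyone (WD).

Added example, not code from the AusCERT bulletin or the Samba project.
The SDDL strings below are constructed, not captured from a real directory.
"""
import re

# GUID of the "Change Password" extended right, as given in the advisory.
CHANGE_PASSWORD_GUID = "ab721a53-1e2f-11d0-9819-00aa0040529b"

# One SDDL ACE: (ace_type;ace_flags;rights;object_guid;inherit_object_guid;trustee)
ACE_RE = re.compile(r"\(([^()]*)\)")


def split_rights(rights: str) -> set:
    """Split an SDDL rights string such as 'CRRPWP' into {'CR', 'RP', 'WP'}.
    A hex access mask (0x...) is returned unchanged as a single element."""
    if rights.lower().startswith("0x"):
        return {rights.lower()}
    return {rights[i:i + 2] for i in range(0, len(rights), 2)}


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the DACL ('D:' part) of an SDDL string as dicts."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else sddl
    dacl = dacl.split("S:", 1)[0]          # drop an optional SACL
    aces = []
    for m in ACE_RE.finditer(dacl):
        fields = m.group(1).split(";")
        if len(fields) != 6:
            raise ValueError(f"malformed ACE: ({m.group(1)})")
        ace_type, flags, rights, obj_guid, inh_guid, trustee = fields
        aces.append({
            "type": ace_type,            # OA = object access allowed (per the advisory)
            "flags": flags,
            "rights": split_rights(rights),
            "object_guid": obj_guid.lower(),
            "inherit_guid": inh_guid.lower(),
            "trustee": trustee,          # PS = self, WD = world/everyone, or a SID
        })
    return aces


def change_password_trustees(sddl: str) -> list:
    """Trustees granted the Change Password extended right, in DACL order.

    Only allow ACEs (OA) are considered; an explicit object-deny ACE (OD)
    for the same right would take precedence but is not modelled here."""
    return [
        ace["trustee"]
        for ace in parse_dacl(sddl)
        if ace["type"] == "OA"
        and "CR" in ace["rights"]
        and ace["object_guid"] == CHANGE_PASSWORD_GUID
    ]


def world_can_change_password(sddl: str) -> bool:
    """True if the problematic ACE from the advisory (trustee WD) is present."""
    return "WD" in change_password_trustees(sddl)


# Constructed descriptors. The first mirrors the advisory's default user
# object: Change Password granted to self (PS) and to everyone (WD).
DEFAULT_USER_SDDL = (
    "D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;WD)"
    "(A;;RPWP;;;AU)"
)
# The same object with the world/everyone ACE removed.
SELF_ONLY_USER_SDDL = (
    "D:(OA;;CR;ab721a53-1e2f-11d0-9819-00aa0040529b;;PS)"
    "(A;;RPWP;;;AU)"
)

if __name__ == "__main__":
    for name, sddl in [("default user", DEFAULT_USER_SDDL),
                       ("self-only user", SELF_ONLY_USER_SDDL)]:
        who = change_password_trustees(sddl)
        flag = "WORLD-GRANTED" if world_can_change_password(sddl) else "ok"
        print(f"{name}: Change Password trustees={who} -> {flag}")
```

Run against a descriptor exported from a DC, the script reports the default user object as `['PS', 'WD']` and the self-only variant as `['PS']`; the PS entry is the expected self grant and is not a finding.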
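The CVE-2018-1050 workaround is a single configuration condition: `rpc_server:spoolss = external` must not appear in the [global] section of smb.conf. The following Python checker is an added example, not code from the AusCERT bulletin or from Samba: it parses an smb.conf body into sections, normalises parameter names the way Samba does (case and whitespace in the name are ignored, `#` and `;` start comments), and reports whether the spoolss service is configured to run as an external daemon. The configuration texts are constructed for the example; the values `external` and `embedded` are Samba's own settings for that parameter.

```python
"""Check an smb.conf for the CVE-2018-1050 workaround: the RPC spoolss
service must not be configured to run as an external daemon.

Added example, not code from the AusCERT bulletin or from Samba. The
configuration texts below are constructed, not taken from a real host.
"""


def parse_smb_conf(text: str) -> dict:
    """Return {section: {parameter: value}} for an smb.conf body.

    Samba parameter names are case-insensitive and ignore whitespace, so
    'RPC_Server : SpoolSS' and 'rpc_server:spoolss' are the same key;
    section names are lower-cased for the same reason. Lines starting
    with '#' or ';' are comments. Backslash line continuation is not
    handled by this example."""
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                      # no section yet, or not a parameter
        key, value = line.split("=", 1)
        sections[current]["".join(key.split()).lower()] = value.strip()
    return sections


def spoolss_runs_external(text: str) -> bool:
    """True if [global] sets rpc_server:spoolss = external (value compared
    case-insensitively), i.e. the configuration the advisory warns about."""
    glob = parse_smb_conf(text).get("global", {})
    return glob.get("rpc_server:spoolss", "").lower() == "external"


def check_smb_conf(text: str) -> list:
    """Findings for the CVE-2018-1050 workaround (empty list = nothing to do)."""
    findings = []
    conf = parse_smb_conf(text)
    if spoolss_runs_external(text):
        findings.append("[global] rpc_server:spoolss = external: spoolss runs as an "
                        "external daemon; remove the setting or patch (CVE-2018-1050)")
    # Also surface the parameter if it appears outside [global], so a
    # reviewer can confirm where Samba applies it rather than overlook it.
    for section, params in conf.items():
        if section != "global" and "rpc_server:spoolss" in params:
            findings.append(f"[{section}] sets rpc_server:spoolss = "
                            f"{params['rpc_server:spoolss']} outside [global]; review")
    return findings


# Constructed configurations.
VULNERABLE_CONF = """\
[global]
    workgroup = EXAMPLE
    # spooler farmed out to a separate daemon: the setting the advisory warns about
    RPC_Server : SpoolSS = External

[printers]
    path = /var/spool/samba
    printable = yes
"""

SAFE_CONF = """\
[global]
    workgroup = EXAMPLE
    ; spoolss left at its default, i.e. an internal service

[printers]
    path = /var/spool/samba
    printable = yes
"""

EMBEDDED_CONF = """\
[global]
    workgroup = EXAMPLE
    rpc_server:spoolss = embedded
"""

if __name__ == "__main__":
    for name, conf in [("vulnerable", VULNERABLE_CONF), ("safe", SAFE_CONF),
                       ("embedded", EMBEDDED_CONF)]:
        print(f"{name}: {check_smb_conf(conf) or ['ok']}")
```

Feed it the contents of `/etc/samba/smb.conf` (or wherever the build installs it) and an empty findings list means the advisory's workaround condition already holds; the patch releases 4.7.6, 4.6.14 and 4.5.16 remain the fix.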
NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        https://www.auscert.org.au/bulletins/

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQIVAwUBWqhUEox+lLeg9Ub1AQh/iA//aAO0GkODmILMeB4XYylnmt5DfaAU1NuU
qEr4qDnf+uBLAXYRqgsKMCmbDVC34ecJ+WNxP/K/eXVjajteroVt6sNoiahXwqIv
h4lhbvAB2gUPXOJtA657tJnGx68x4K6vGyT8/ro9tWB34UbGclMuAxlCY5K4uqPO
SI515GDjPjxgQ9NR6kPPxDuxoThmhYEkmTpdhwgXzeNCtx4KYzur/79DSp/Stdv4
tlmk8J04VXdjHblz3TkXbmxTAt3ZlOGtw2pGJPxORTLaZY51iew0baVfQumN4+S2
c5nn2MbNLxxKfdYrVZeNFlmsnCTfgh5R8sGMwD7hdvrBhCHv+0z5MsZre41WgO9+
vUYHuICLXf7teyIJ+q4QS2VrTdQc1Fr+IjiuyHv3e7HZO2TD9V6wAauLoMiwp7uA
WeFufgrOobxquNW3eeQWeGr88mU4x57C9K/b2xpLwlgnLPbOvYzvgSmVBZBMFffM
MYcZeej+pqs5dfVxWlrAyBY4iswO0/i3EChPbUv7BAixHKTbiGj4keuL+gyh0LiI
3n9X0AI+nukzwlD03uRev3ElTI5dO5Wuc05VMOw862K+aMPijtsMFfYMQWetAO7e
aFDrm3++98wHDoyd5PmUmYxMVSv49OqroMkP/YEQvYZ2SSX1Wj3xyAcOwsf9NDTf
rYy527bMB88=
=e9OW
-----END PGP SIGNATURE-----