Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2021.3868 Security update for samba and ldb 12 November 2021 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: samba ldb Publisher: SUSE Operating System: SUSE Impact/Access: Increased Privileges -- Existing Account Denial of Service -- Existing Account Provide Misleading Information -- Existing Account Reduced Security -- Remote/Unauthenticated Unauthorised Access -- Existing Account Resolution: Patch/Upgrade CVE Names: CVE-2021-23192 CVE-2021-3738 CVE-2020-25722 CVE-2020-25721 CVE-2020-25719 CVE-2020-25718 CVE-2020-25717 CVE-2020-17049 CVE-2016-2124 Reference: ESB-2021.3861 ESB-2021.3774 Original Bulletin: https://www.suse.com/support/update/announcement/2021/suse-su-20213647-1 - --------------------------BEGIN INCLUDED TEXT-------------------- SUSE Security Update: Security update for samba and ldb ______________________________________________________________________________ Announcement ID: SUSE-SU-2021:3647-1 Rating: important References: #1014440 #1192214 #1192215 #1192246 #1192247 #1192283 #1192284 #1192505 Cross-References: CVE-2016-2124 CVE-2020-25717 CVE-2020-25718 CVE-2020-25719 CVE-2020-25721 CVE-2020-25722 CVE-2021-23192 CVE-2021-3738 Affected Products: SUSE MicroOS 5.1 SUSE Linux Enterprise Module for Python2 15-SP3 SUSE Linux Enterprise Module for Basesystem 15-SP3 SUSE Linux Enterprise High Availability 15-SP3 ______________________________________________________________________________ An update that fixes 8 vulnerabilities is now available. Description: This update for samba and ldb fixes the following issues: o CVE-2020-25718: Fixed that an RODC can issue (forge) administrator tickets to other servers (bsc#1192246). o CVE-2021-3738: Fixed crash in dsdb stack (bsc#1192215). o CVE-2016-2124: Fixed not to fallback to non spnego authentication if we require kerberos (bsc#1014440). o CVE-2020-25717: Fixed privilege escalation inside an AD Domain where a user could become root on domain members (bsc#1192284). o CVE-2020-25719: Fixed AD DC Username based races when no PAC is given (bsc# 1192247). o CVE-2020-25722: Fixed AD DC UPN vs samAccountName not checked (top-level bug for AD DC validation issues) (bsc#1192283). o CVE-2021-23192: Fixed dcerpc requests to don't check all fragments against the first auth_state (bsc#1192214). o CVE-2020-25721: Fixed fill in the new HAS_SAM_NAME_AND_SID values (bsc# 1192505). Samba was updated to 4.13.13 o rodc_rwdc test flaps;(bso#14868). o Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). o Provide a fix for MS CVE-2020-17049 in Samba [SECURITY] 'Bronze bit' S4U2Proxy Constrained Delegation bypass in Samba with embedded Heimdal;(bso #14642). o Python ldb.msg_diff() memory handling failure;(bso#14836). o "in" operator on ldb.Message is case sensitive;(bso#14845). o Fix Samba support for UF_NO_AUTH_DATA_REQUIRED;(bso#14871). o Allow special chars like "@" in samAccountName when generating the salt; (bso#14874). o Fix transit path validation;(bso#12998). o Prepare to operate with MIT krb5 >= 1.20;(bso#14870). o rpcclient NetFileEnum and net rpc file both cause lock order violation: brlock.tdb, share_entries.tdb;(bso#14645). o Python ldb.msg_diff() memory handling failure;(bso#14836). o Release LDB 2.3.1 for Samba 4.14.9;(bso#14848). Samba was updated to 4.13.12: o Address a signifcant performance regression in database access in the AD DC since Samba 4.12;(bso#14806). o Fix performance regression in lsa_LookupSids3/LookupNames4 since Samba 4.9 by using an explicit database handle cache; (bso#14807). o An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). o Address flapping samba_tool_drs_showrepl test;(bso#14818). o Address flapping dsdb_schema_attributes test;(bso#14819). o An unuthenticated user can crash the AD DC KDC by omitting the server name in a TGS-REQ;(bso#14817). o Fix CTDB flag/status update race conditions(bso#14784). Samba was updated to 4.13.11: o smbd: panic on force-close share during offload write; (bso#14769). o Fix returned attributes on fake quota file handle and avoid hitting the VFS;(bso#14731). o smbd: "deadtime" parameter doesn't work anymore;(bso#14783). o net conf list crashes when run as normal user;(bso#14787). o Work around special SMB2 READ response behavior of NetApp Ontap 7.3.7;(bso# 14607). o Start the SMB encryption as soon as possible;(bso#14793). o Winbind should not start if the socket path for the privileged pipe is too long;(bso#14792). ldb was updated to 2.2.2: o CVE-2020-25718: samba: An RODC can issue (forge) administrator tickets to other servers; (bsc#1192246); (bso#14558) o CVE-2021-3738: samba: crash in dsdb stack; (bsc#1192215);(bso#14848) Release ldb 2.2.2 o Corrected python behaviour for 'in' for LDAP attributes contained as part of ldb.Message;(bso#14845). o Fix memory handling in ldb.msg_diff Corrected python docstrings;(bso#14836) o Backport bronze bit fixes, tests, and selftest improvements; (bso#14881). Patch Instructions: To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". Alternatively you can run the command listed for your product: o SUSE MicroOS 5.1: zypper in -t patch SUSE-SUSE-MicroOS-5.1-2021-3647=1 o SUSE Linux Enterprise Module for Python2 15-SP3: zypper in -t patch SUSE-SLE-Module-Python2-15-SP3-2021-3647=1 o SUSE Linux Enterprise Module for Basesystem 15-SP3: zypper in -t patch SUSE-SLE-Module-Basesystem-15-SP3-2021-3647=1 o SUSE Linux Enterprise High Availability 15-SP3: zypper in -t patch SUSE-SLE-Product-HA-15-SP3-2021-3647=1 Package List: o SUSE MicroOS 5.1 (aarch64 s390x x86_64): ldb-debugsource-2.2.2-3.3.1 libldb2-2.2.2-3.3.1 libldb2-debuginfo-2.2.2-3.3.1 o SUSE Linux Enterprise Module for Python2 15-SP3 (aarch64 ppc64le s390x x86_64): samba-ad-dc-4.13.13+git.528.140935f8d6a-3.12.1 samba-ad-dc-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1 o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 ppc64le s390x x86_64): ldb-debugsource-2.2.2-3.3.1 ldb-tools-2.2.2-3.3.1 ldb-tools-debuginfo-2.2.2-3.3.1 libdcerpc-binding0-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc-binding0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc-devel-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc-samr-devel-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc-samr0-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc-samr0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc0-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libldb-devel-2.2.2-3.3.1 libldb2-2.2.2-3.3.1 libldb2-debuginfo-2.2.2-3.3.1 libndr-devel-4.13.13+git.528.140935f8d6a-3.12.1 libndr-krb5pac-devel-4.13.13+git.528.140935f8d6a-3.12.1 libndr-krb5pac0-4.13.13+git.528.140935f8d6a-3.12.1 libndr-krb5pac0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libndr-nbt-devel-4.13.13+git.528.140935f8d6a-3.12.1 libndr-nbt0-4.13.13+git.528.140935f8d6a-3.12.1 libndr-nbt0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libndr-standard-devel-4.13.13+git.528.140935f8d6a-3.12.1 libndr-standard0-4.13.13+git.528.140935f8d6a-3.12.1 libndr-standard0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libndr1-4.13.13+git.528.140935f8d6a-3.12.1 libndr1-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libnetapi-devel-4.13.13+git.528.140935f8d6a-3.12.1 libnetapi0-4.13.13+git.528.140935f8d6a-3.12.1 libnetapi0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-credentials-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-credentials0-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-credentials0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-errors-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-errors0-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-errors0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-hostconfig-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-hostconfig0-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-hostconfig0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-passdb-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-passdb0-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-passdb0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-policy-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-policy-python3-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-policy0-python3-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-policy0-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-util-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-util0-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-util0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamdb-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsamdb0-4.13.13+git.528.140935f8d6a-3.12.1 libsamdb0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsmbclient-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsmbclient0-4.13.13+git.528.140935f8d6a-3.12.1 libsmbclient0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsmbconf-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsmbconf0-4.13.13+git.528.140935f8d6a-3.12.1 libsmbconf0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsmbldap-devel-4.13.13+git.528.140935f8d6a-3.12.1 libsmbldap2-4.13.13+git.528.140935f8d6a-3.12.1 libsmbldap2-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libtevent-util-devel-4.13.13+git.528.140935f8d6a-3.12.1 libtevent-util0-4.13.13+git.528.140935f8d6a-3.12.1 libtevent-util0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libwbclient-devel-4.13.13+git.528.140935f8d6a-3.12.1 libwbclient0-4.13.13+git.528.140935f8d6a-3.12.1 libwbclient0-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 python3-ldb-2.2.2-3.3.1 python3-ldb-debuginfo-2.2.2-3.3.1 python3-ldb-devel-2.2.2-3.3.1 samba-4.13.13+git.528.140935f8d6a-3.12.1 samba-client-4.13.13+git.528.140935f8d6a-3.12.1 samba-client-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-core-devel-4.13.13+git.528.140935f8d6a-3.12.1 samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1 samba-dsdb-modules-4.13.13+git.528.140935f8d6a-3.12.1 samba-dsdb-modules-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-gpupdate-4.13.13+git.528.140935f8d6a-3.12.1 samba-ldb-ldap-4.13.13+git.528.140935f8d6a-3.12.1 samba-ldb-ldap-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-libs-4.13.13+git.528.140935f8d6a-3.12.1 samba-libs-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-libs-python3-4.13.13+git.528.140935f8d6a-3.12.1 samba-libs-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-python3-4.13.13+git.528.140935f8d6a-3.12.1 samba-python3-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-winbind-4.13.13+git.528.140935f8d6a-3.12.1 samba-winbind-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 o SUSE Linux Enterprise Module for Basesystem 15-SP3 (aarch64 x86_64): samba-ceph-4.13.13+git.528.140935f8d6a-3.12.1 samba-ceph-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 o SUSE Linux Enterprise Module for Basesystem 15-SP3 (x86_64): libdcerpc-binding0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc-binding0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libdcerpc0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libldb2-32bit-2.2.2-3.3.1 libldb2-32bit-debuginfo-2.2.2-3.3.1 libndr-krb5pac0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libndr-krb5pac0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libndr-nbt0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libndr-nbt0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libndr-standard0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libndr-standard0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libndr1-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libndr1-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libnetapi0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libnetapi0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-credentials0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-credentials0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-errors0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-errors0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-hostconfig0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-hostconfig0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-passdb0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-passdb0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-util0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libsamba-util0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsamdb0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libsamdb0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsmbconf0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libsmbconf0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libsmbldap2-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libsmbldap2-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libtevent-util0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libtevent-util0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 libwbclient0-32bit-4.13.13+git.528.140935f8d6a-3.12.1 libwbclient0-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-libs-32bit-4.13.13+git.528.140935f8d6a-3.12.1 samba-libs-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-winbind-32bit-4.13.13+git.528.140935f8d6a-3.12.1 samba-winbind-32bit-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 o SUSE Linux Enterprise High Availability 15-SP3 (aarch64 ppc64le s390x x86_64): ctdb-4.13.13+git.528.140935f8d6a-3.12.1 ctdb-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-debuginfo-4.13.13+git.528.140935f8d6a-3.12.1 samba-debugsource-4.13.13+git.528.140935f8d6a-3.12.1 References: o https://www.suse.com/security/cve/CVE-2016-2124.html o https://www.suse.com/security/cve/CVE-2020-25717.html o https://www.suse.com/security/cve/CVE-2020-25718.html o https://www.suse.com/security/cve/CVE-2020-25719.html o https://www.suse.com/security/cve/CVE-2020-25721.html o https://www.suse.com/security/cve/CVE-2020-25722.html o https://www.suse.com/security/cve/CVE-2021-23192.html o https://www.suse.com/security/cve/CVE-2021-3738.html o https://bugzilla.suse.com/1014440 o https://bugzilla.suse.com/1192214 o https://bugzilla.suse.com/1192215 o https://bugzilla.suse.com/1192246 o https://bugzilla.suse.com/1192247 o https://bugzilla.suse.com/1192283 o https://bugzilla.suse.com/1192284 o https://bugzilla.suse.com/1192505 - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. NOTE: Third Party Rights This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: https://www.auscert.org.au/bulletins/ =========================================================================== Australian Computer Emergency Response Team The University of Queensland Brisbane Qld 4072 Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for member emergencies only. =========================================================================== -----BEGIN PGP SIGNATURE----- Comment: http://www.auscert.org.au/render.html?it=1967 iQIVAwUBYY3O7+NLKJtyKPYoAQjbVw//XD6Np4o8F3XfS7KTcHYcDvDgVb6PArgH hr5CJpoxBIq+jPzucHxIfvfa48/LDBJSdc3V6iXSgSQgx9Uw7MU9a40xLWLiO0Vc hf57TljAlw6T9KVl8W1s41KXRVQua1Clw8Q4+15ltcxZD+lFz6ZQSCDEqHyXILKm gQB0x7lgmDLIyXbib9e3dA4HMHG5N8KDaFq4ZNVzp5ds2xyl8Qiog5j3cDLiB8pF jRlT91/0dhWStMk+QTmdkj0IlLm7WhCiSZWaj7XM/7yWdGVjlmbxsSKlmo8D+c+R OXdW5A5fGbAxmn4yuBIHaZ4MjGbq1MahQ8zOq0B+MVt0xtORCKiv/VLB9up4JNae agArtUFlmNMLZXO1N3oO0uZGWKfVSuKibA9/wazi6CA+FUCyAOe9MxY3zk+nmNBQ H/2EQ1O9vJ85L/mI7GqIu6unUYZHqCVYPK6erj3NgMnUIinzVVlbz8HuYXNMVYNG iaB68xwD2fU5+iLyNuGEZyrQOTsYHpr7OmiKYrYEf9hBBJSa35sK7BL3+FvTetA7 T8CTOdH71hmECe4Mhu9WO7NGi9v0RrzLhjQJqLrJixRp18VY6eHUK5D8PmPLKfxI tiRrZAGrtYbgofvyBQ8wMJWn9+XZR2xqMaOS6a6C3oryDcvvn9iQMoS9sYjX8fEA 70YSPBnYRpE= =uayC -----END PGP SIGNATURE-----