Arch Linux Security Advisory ASA-201803-10
==========================================

Severity: Critical
Date    : 2018-03-13
CVE-ID  : CVE-2018-1050 CVE-2018-1057
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-651

Summary
=======

The package samba before version 4.7.6-1 is vulnerable to multiple
issues including access restriction bypass and denial of service.

Resolution
==========

Upgrade to 4.7.6-1.

# pacman -Syu "samba>=4.7.6-1"

The problems have been fixed upstream in version 4.7.6.

Workaround
==========

- CVE-2018-1050

Ensure the parameter:

  rpc_server:spoolss = external

is not set in the [global] section of your smb.conf.

- CVE-2018-1057

Revoke the change passwords right for 'the world' from all user objects
(including computers) in the directory, leaving only the right to
change a user's own password.

Description
===========

- CVE-2018-1050 (denial of service)

All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
service attack when the RPC spoolss service is configured to be run as
an external daemon. Missing input sanitization checks on some of the
input parameters to spoolss RPC calls could cause the print spooler
service to crash.

- CVE-2018-1057 (access restriction bypass)

On a Samba 4 AD DC any authenticated user can change other users'
passwords over LDAP, including the passwords of administrative users
and service accounts.

Impact
======

A remote attacker is able to change other users' passwords on a Samba 4
AD DC or perform a denial of service attack by sending a specially
crafted request to the spoolss service.

References
==========

https://lists.samba.org/archive/samba-announce/2018/000435.html
https://www.samba.org/samba/security/CVE-2018-1050.html
https://github.com/samba-team/samba/commit/c41895be8222199ffe69749e32afc9946...
https://www.samba.org/samba/security/CVE-2018-1057.html
https://wiki.samba.org/index.php/CVE-2018-1057
https://github.com/samba-team/samba/commit/50e7788603b97104fe116a07ab14a1d11...
https://github.com/samba-team/samba/commit/c80456855197f9fe9ef497a7fc94504c2...
https://github.com/samba-team/samba/commit/ab7dc210e9aedc1222055822ff296e4a6...
https://github.com/samba-team/samba/commit/407a34c73fcd666c22776bbc4aa56d02c...
https://github.com/samba-team/samba/commit/3e6621fe58014f19477633b1c0b542885...
https://github.com/samba-team/samba/commit/9dd7dd9ebba8d449feea66695fab3cbbb...
https://github.com/samba-team/samba/commit/766ab4c52b06532f2dd8801ccf5d4aadf...
https://github.com/samba-team/samba/commit/0e15ce12e1e9733f1e8eb13e77cbcdd0a...
https://github.com/samba-team/samba/commit/39e689aa703536330083bfc4d58d15a25...
https://github.com/samba-team/samba/commit/2fea9ee701fed0417d8f681238663b7b0...
https://github.com/samba-team/samba/commit/c653e51a3d991e0e08327186881b324b8...
https://github.com/samba-team/samba/commit/b23bf04caeb196da9515addbcdf17db07...
https://github.com/samba-team/samba/commit/fbd16473ecf073f86e36f9e29a8015127...
https://security.archlinux.org/CVE-2018-1050
https://security.archlinux.org/CVE-2018-1057
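
The CVE-2018-1050 workaround can be checked mechanically on hosts that cannot be upgraded yet. The script below is an added example, not part of the advisory or of Samba: the function name spoolss_external_in_global is hypothetical, the sample configuration is constructed, and the parser is a simplified reading of smb.conf syntax (it does not follow "include" lines and assumes the last setting in [global] wins).

```shell
#!/bin/sh
# Added example, not part of the advisory.
# spoolss_external_in_global FILE   (FILE may be "-" for stdin)
# Exit status 0: "rpc_server:spoolss = external" is active in [global].
# Exit status 1: it is not, so the CVE-2018-1050 workaround condition holds.
# Simplifications (assumptions): "include" lines are not followed, and a
# trailing backslash continues any line, comment lines included.
spoolss_external_in_global() {
    awk '
    BEGIN { section = "global" }  # conservative: keys before any header count as global
    {
        line = cont $0; cont = ""
        # Join backslash-continued lines before interpreting them.
        if (line ~ /\\[ \t]*$/) { sub(/\\[ \t]*$/, "", line); cont = line; next }
        gsub(/^[ \t]+|[ \t]+$/, "", line)
        if (line == "" || line ~ /^[#;]/) next          # blank line or comment
        if (line ~ /^\[.*\]$/) {                        # section header
            section = tolower(substr(line, 2, length(line) - 2))
            gsub(/^[ \t]+|[ \t]+$/, "", section)
            next
        }
        eq = index(line, "=")
        if (eq == 0 || section != "global") next
        # Compare case-insensitively and ignore whitespace inside the key.
        key = tolower(substr(line, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(substr(line, eq + 1)); gsub(/^[ \t]+|[ \t]+$/, "", val)
        if (key == "rpc_server:spoolss") last = val     # last setting wins (assumed)
    }
    END { exit(last == "external" ? 0 : 1) }
    ' "$1"
}

# Constructed sample configuration, not taken from a real system.
sample='[global]
   workgroup = EXAMPLE
   RPC_Server:spoolss = External
[printers]
   path = /var/spool/samba'

if printf '%s\n' "$sample" | spoolss_external_in_global -; then
    echo "sample: rpc_server:spoolss = external is set in [global]"
fi
```

To audit a host, call the function with the path of its smb.conf and treat exit status 0 as a finding to remediate until samba 4.7.6-1 is installed.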