[ASA-201811-22] samba: multiple issues
Arch Linux Security Advisory ASA-201811-22
==========================================

Severity: High
Date    : 2018-11-28
CVE-ID  : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851 CVE-2018-16852
          CVE-2018-16853 CVE-2018-16857
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-823

Summary
=======

The package samba before version 4.9.3-1 is vulnerable to multiple
issues including denial of service and access restriction bypass.

Resolution
==========

Upgrade to 4.9.3-1.

# pacman -Syu "samba>=4.9.3-1"

The problems have been fixed upstream in version 4.9.3.

Workaround
==========

None.

Description
===========

- CVE-2018-14629 (denial of service)

A denial of service security issue has been found in samba from 4.0.0
up to and including 4.9.2, where an unprivileged user can use the
ldbadd tool to add DNS records to create a CNAME loop, causing infinite
query recursion.

- CVE-2018-16841 (denial of service)

A double-free issue has been found in samba from 4.3.0 up to and
including 4.9.2, where a user with a valid certificate or smart card
can crash the Samba AD DC's KDC. When configured to accept smart-card
authentication, Samba's KDC will call talloc_free() twice on the same
memory if the principal in a validly signed certificate does not match
the principal in the AS-REQ. This is only possible after authentication
with a trusted certificate. talloc is robust against further corruption
from a double-free with talloc_free() and directly calls abort(),
terminating the KDC process. There is no further vulnerability
associated with this issue, merely a denial of service.

- CVE-2018-16851 (denial of service)

A NULL pointer dereference issue has been found in samba from 4.0.0 up
to and including 4.9.2, where a user able to read more than 256MB of
LDAP entries can crash the Samba AD DC's LDAP server.

- CVE-2018-16852 (denial of service)

A NULL pointer dereference issue has been found in samba from 4.9.0 up
to and including 4.9.2, where a user able to create or modify dnsZone
objects can crash the Samba AD DC's DNS management RPC server, DNS
server or BIND9 when using Samba's DLZ plugin.

- CVE-2018-16853 (denial of service)

A denial of service has been found in samba from 4.7.0 up to and
including 4.9.2, where a user in a Samba AD domain can crash the MIT
KDC by requesting an S4U2Self ticket. This only happens if Samba is
built in an experimental and unsupported MIT Kerberos configuration.

- CVE-2018-16857 (access restriction bypass)

A security issue has been found in samba from 4.9.0 up to and including
4.9.2, where AD DC configurations watching for bad passwords to
restrict brute forcing in a window of more than 3 minutes may not watch
for bad passwords at all.

Impact
======

A remote authenticated user can crash a vulnerable samba server. A
remote attacker can brute-force passwords without triggering the bad
password lockout protection.

References
==========

https://download.samba.org/pub/samba/patches/security/samba-4.9.2-security-2...
https://www.samba.org/samba/security/CVE-2018-14629.html
https://bugzilla.samba.org/show_bug.cgi?id=13600
https://github.com/samba-team/samba/commit/bf596c14c2462b9a15ea738ef4f32b3ab...
https://www.samba.org/samba/security/CVE-2018-16841.html
https://bugzilla.samba.org/show_bug.cgi?id=13628
https://github.com/samba-team/samba/commit/6e84215d4aa7ef51096db3b187adbe22c...
https://www.samba.org/samba/security/CVE-2018-16851.html
https://bugzilla.samba.org/show_bug.cgi?id=13674
https://github.com/samba-team/samba/commit/f33f52c366f7cf140f470de44579dcb7e...
https://www.samba.org/samba/security/CVE-2018-16852.html
https://bugzilla.samba.org/show_bug.cgi?id=13669
https://github.com/samba-team/samba/commit/05f867db81f118215445f2c49eda4b9c3...
https://github.com/samba-team/samba/commit/c78ca8b9b48a19e71f4d6ddd2e300f282...
https://www.samba.org/samba/security/CVE-2018-16853.html
https://bugzilla.samba.org/show_bug.cgi?id=13571
https://github.com/samba-team/samba/commit/4aabfecd290cd2769376abf7f170e832b...
https://www.samba.org/samba/security/CVE-2018-16857.html
https://bugzilla.samba.org/show_bug.cgi?id=13683
https://github.com/samba-team/samba/commit/862d4909eccd18942e3de8e8b0dc6e159...
https://github.com/samba-team/samba/commit/4f86beeaf3408383385ee99a74520a805...
https://github.com/samba-team/samba/commit/d12b02c78842786969557b9be7c953e95...
https://github.com/samba-team/samba/commit/60b2cd50f4d0554cc5ca8c53b2d1fa89e...
https://security.archlinux.org/CVE-2018-14629
https://security.archlinux.org/CVE-2018-16841
https://security.archlinux.org/CVE-2018-16851
https://security.archlinux.org/CVE-2018-16852
https://security.archlinux.org/CVE-2018-16853
https://security.archlinux.org/CVE-2018-16857
participants (1)
-
Remi Gacogne
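
For CVE-2018-14629, an administrator can audit the CNAME records of a zone for loops of the kind the advisory describes. The following is an added example, not part of the advisory or of Samba's code; the function names and the sample records are constructed, and it assumes the zone's CNAME records have already been exported as (owner, target) pairs.

```python
"""Audit a set of DNS CNAME records for loops (added example, constructed data)."""

def normalize(name):
    # DNS names compare case-insensitively; ignore the trailing root dot.
    return name.rstrip(".").lower()

def find_cname_loops(records):
    """Return each CNAME cycle once, as a list of names in chain order.

    `records` is an iterable of (owner, target) pairs. A name owns at most
    one CNAME, so every chain is a single path that can be walked directly.
    """
    cname = {normalize(o): normalize(t) for o, t in records}
    state = {}   # name -> "visiting" (on the current path) or "done"
    loops = []
    for start in cname:
        path = []
        node = start
        # Follow the chain until it leaves the CNAME set or reaches a seen name.
        while node in cname and node not in state:
            state[node] = "visiting"
            path.append(node)
            node = cname[node]
        if state.get(node) == "visiting":
            # `node` is on the current path: from there onward is a cycle.
            loops.append(path[path.index(node):])
        for n in path:
            state[n] = "done"
    return loops

# Constructed sample records, not taken from the advisory.
SAMPLE = [
    ("www.example.test.", "web.example.test."),
    ("web.example.test.", "host1.example.test."),   # ends at a non-CNAME name
    ("a.example.test.", "b.example.test."),
    ("b.example.test.", "C.example.test."),         # mixed case on purpose
    ("c.example.test.", "a.example.test."),         # a -> b -> c -> a
    ("self.example.test.", "self.example.test."),   # one-record loop
    ("entry.example.test.", "a.example.test."),     # leads into the loop
]

if __name__ == "__main__":
    for loop in find_cname_loops(SAMPLE):
        print(" -> ".join(loop + [loop[0]]))
```

Names that only lead into a loop (such as `entry.example.test` in the sample) are not reported themselves; removing or retargeting any one record inside a reported cycle breaks it.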