[arch-security] [ASA-201501-10] samba: privilege elevation

Levente Polyak anthraxx at archlinux.org
Mon Jan 19 11:29:12 UTC 2015 

Arch Linux Security Advisory ASA-201501-10
==========================================

Severity: High
Date    : 2015-01-19
CVE-ID  : CVE-2014-8143
Package : samba
Type    : privilege elevation
Remote  : Yes
Link    : https://wiki.archlinux.org/index.php/CVE

Summary
=======

The package samba before version 4.1.16-1 is vulnerable to privilege
elevation when an Active Directory Domain Controller is configured.

Resolution
==========

Upgrade to 4.1.16-1.

# pacman -Syu "samba>=4.1.16-1"

The problem has been fixed upstream in version 4.1.16.

Workaround
==========

Do not delegate permission to create users or computers beyond the
default of Domain Administrators.

Description
===========

Samba's Active Directory Domain Controller (AD DC) allows the
administrator to delegate creation of user or computer accounts to
specific users or groups.

Samba's AD DC did not implement the additional required check on the
UF_SERVER_TRUST_ACCOUNT bit in the userAccountControl attributes.

Most Samba deployments are not of the AD Domain Controller, but are of
the classic domain controller, the file server or print server. Only the
AD DC is affected by this issue.

Additionally, most sites running the AD Domain Controller do not
configure delegation for the creation of user or computer accounts, and
so are not vulnerable to this issue, as no writes are permitted to the
userAccountControl attribute, no matter what the value.

Impact
======

Remote authenticated users are able to set the LDB userAccountControl
UF_SERVER_TRUST_ACCOUNT bit, and consequently gain privileges, by
leveraging delegation of authority for user-account or computer-account
creation when an Active Directory Domain Controller (AD DC) is configured.

References
==========

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-8143
https://www.samba.org/samba/security/CVE-2014-8143

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 819 bytes
Desc: OpenPGP digital signature
URL: <https://lists.archlinux.org/pipermail/arch-security/attachments/20150119/1265ba64/attachment.asc>

More information about the arch-security mailing list