[arch-security] [ASA-201612-19] samba: multiple issues

Levente Polyak anthraxx at archlinux.org
Thu Dec 22 23:07:43 UTC 2016


Arch Linux Security Advisory ASA-201612-19
==========================================

Severity: Critical
Date    : 2016-12-22
CVE-ID  : CVE-2016-2123 CVE-2016-2125 CVE-2016-2126
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-111

Summary
=======

The package samba before version 4.5.3-1 is vulnerable to multiple
issues including arbitrary code execution, authentication bypass and
privilege escalation.

Resolution
==========

Upgrade to 4.5.3-1.

# pacman -Syu "samba>=4.5.3-1"

The problems have been fixed upstream in version 4.5.3.

Workaround
==========

None.

Description
===========

- CVE-2016-2123 (arbitrary code execution)

The Samba routine ndr_pull_dnsp_name contains an integer wrap problem
that leads to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
parses data from the Samba Active Directory ldb database, so any user who
can write to the dnsRecord attribute over LDAP can trigger the memory
corruption.
By default, all authenticated LDAP users can write to the dnsRecord
attribute on new DNS objects, which additionally makes the defect a
remote privilege escalation.
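
The integer wrap pattern behind this class of bug, as an added illustration
that is not Samba's code and does not reproduce the actual defect in
ndr_pull_dnsp_name: a length-prefixed, multi-label name is sized by summing
per-label lengths into an 8-bit accumulator, so three 100-byte labels that
need 304 bytes of output are sized at 48, and a buffer allocated from that
value is overwritten by the later copy. The wire format, the function names
and the MAX_NAME ceiling are assumptions made for the example; the sample
blob is constructed in build_sample. The hardened variant does the same
arithmetic in a size_t, rejects truncated input and bounds the copy loop
against the allocation it actually made.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/*
 * Hypothetical wire format (modelled loosely on a DNSP-style name, not the
 * real Samba encoding):
 *   byte 0    : number of labels
 *   per label : one length byte followed by that many bytes of label data
 * The "pull" step renders the labels as "label1.label2.label3." plus a NUL.
 */

/* Build a constructed sample blob of `labels` labels, each `lablen` bytes
 * of 'a'. Returns the number of bytes written, or 0 if it does not fit. */
size_t build_sample(uint8_t *out, size_t cap, unsigned labels, unsigned lablen)
{
    if (labels > 255 || lablen > 255) return 0;
    size_t need = 1 + (size_t)labels * (1 + lablen);
    if (need > cap) return 0;
    out[0] = (uint8_t)labels;
    size_t off = 1;
    for (unsigned i = 0; i < labels; i++) {
        out[off++] = (uint8_t)lablen;
        memset(out + off, 'a', lablen);
        off += lablen;
    }
    return off;
}

/* Vulnerable pattern: the running total is an 8-bit integer. Each label
 * contributes sublen + 1 bytes (data plus a dot), so three 100-byte labels
 * need 304 bytes; 304 does not fit in a uint8_t and wraps to 48. A buffer
 * sized from this value is far too small for the data copied into it. */
size_t vulnerable_total_len(const uint8_t *buf, size_t buflen)
{
    if (buflen < 1) return 0;
    uint8_t total = 1;                 /* room for the terminating NUL */
    size_t off = 1;
    uint8_t count = buf[0];
    for (uint8_t i = 0; i < count; i++) {
        if (off >= buflen) return 0;
        uint8_t sublen = buf[off];
        if (off + 1 + sublen > buflen) return 0;
        total += sublen + 1;           /* wraps modulo 256 */
        off += 1 + sublen;
    }
    return total;
}

/* Hardened version: the same arithmetic in a size_t, an explicit ceiling on
 * the result, and a truncation check per label. Returns 0 on success and
 * -1 on malformed or oversized input. */
int safe_total_len(const uint8_t *buf, size_t buflen, size_t *out)
{
    const size_t MAX_NAME = 64 * 1024;   /* assumed sane upper bound */
    if (buflen < 1) return -1;
    size_t total = 1;
    size_t off = 1;
    uint8_t count = buf[0];
    for (uint8_t i = 0; i < count; i++) {
        if (off >= buflen) return -1;
        uint8_t sublen = buf[off];
        if (sublen > buflen - off - 1) return -1;   /* label truncated */
        total += (size_t)sublen + 1;
        if (total > MAX_NAME) return -1;
        off += 1 + sublen;
    }
    *out = total;
    return 0;
}

/* Pull the name into a freshly allocated dotted string using the checked
 * length. The copy loop re-checks against the allocation, so even a
 * size/copy mismatch cannot write past it. Caller frees the result. */
char *pull_dnsp_name(const uint8_t *buf, size_t buflen)
{
    size_t total;
    if (safe_total_len(buf, buflen, &total) != 0) return NULL;
    char *name = malloc(total);
    if (!name) return NULL;
    size_t off = 1, pos = 0;
    uint8_t count = buf[0];
    for (uint8_t i = 0; i < count; i++) {
        uint8_t sublen = buf[off++];
        if (pos + sublen + 1 >= total) { free(name); return NULL; }
        memcpy(name + pos, buf + off, sublen);
        pos += sublen;
        name[pos++] = '.';
        off += sublen;
    }
    name[pos] = '\0';
    return name;
}

int main(void)
{
    uint8_t buf[512];
    size_t n = build_sample(buf, sizeof buf, 3, 100);   /* constructed input */
    size_t safe = 0;
    safe_total_len(buf, n, &safe);
    printf("input %zu bytes, wrapped size %zu, checked size %zu\n",
           n, vulnerable_total_len(buf, n), safe);
    char *s = pull_dnsp_name(buf, n);
    if (s) { printf("pulled %zu chars\n", strlen(s)); free(s); }
    return 0;
}
```

The only difference between the two sizing routines is the accumulator width
and the ceiling; in a real parser the sizing and the copy are often far apart
in the code, which is why the copy loop should re-check against the buffer it
was given rather than trust the earlier count.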

- CVE-2016-2125 (authentication bypass)

Samba client code always requests a forwardable ticket when using
Kerberos authentication. This means the target server, which must be in
the current or trusted domain/realm, is given a valid general purpose
Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully
impersonate the authenticated user or service.
The risks of impersonating the client are similar to the well-known
risks of NTLM credential forwarding, with two important differences:
- NTLM forwarding can and should be mitigated with packet signing
- Kerberos forwarding can only be attempted after the trusted
destination server decrypts the ticket.

- CVE-2016-2126 (privilege escalation)

A remote, authenticated attacker can cause the winbindd process to
crash using a legitimate Kerberos ticket, due to incorrect handling of
the PAC checksum. A local service with access to the privileged winbindd
pipe can cause winbindd to cache elevated access permissions.
For the remote attack, the memory overwrite kills the main winbindd
process; an authenticated attacker can construct this situation by
watching for password changes in Samba.
One specific trigger occurs when winbindd changes its machine account
password while the client still holds a valid Kerberos ticket (one that
was encrypted with the key derived from the old password).

Impact
======

A remote authenticated attacker is able to execute arbitrary code,
bypass authentication via unconditional privilege delegation and
escalate privileges via various vectors.

References
==========

https://bugs.archlinux.org/task/52219
https://www.samba.org/samba/security/CVE-2016-2123.html
https://www.samba.org/samba/security/CVE-2016-2125.html
https://www.samba.org/samba/security/CVE-2016-2126.html
https://access.redhat.com/security/cve/CVE-2016-2123
https://access.redhat.com/security/cve/CVE-2016-2125
https://access.redhat.com/security/cve/CVE-2016-2126
