[ASA-201811-22] samba: multiple issues

Remi Gacogne rgacogne at archlinux.org
Wed Nov 28 12:48:04 UTC 2018


Arch Linux Security Advisory ASA-201811-22
==========================================

Severity: High
Date    : 2018-11-28
CVE-ID  : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851 CVE-2018-16852
          CVE-2018-16853 CVE-2018-16857
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-823

Summary
=======

The package samba before version 4.9.3-1 is vulnerable to multiple
issues including denial of service and access restriction bypass.

Resolution
==========

Upgrade to 4.9.3-1.

# pacman -Syu "samba>=4.9.3-1"

The problems have been fixed upstream in version 4.9.3.

Workaround
==========

None.

Description
===========

- CVE-2018-14629 (denial of service)

A denial of service security issue has been found in samba from 4.0.0
up to and including 4.9.2, where an unprivileged user can use the
ldbadd tool to add DNS records to create a CNAME loop, causing infinite
query recursion.

- CVE-2018-16841 (denial of service)

A double-free issue has been found in samba from 4.3.0 up to and
including 4.9.2, where a user with a valid certificate or smart card
can crash the Samba AD DC's KDC.
When configured to accept smart-card authentication, Samba's KDC
will call talloc_free() twice on the same memory if the principal in a
validly signed certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.

- CVE-2018-16851 (denial of service)

A NULL pointer de-reference issue has been found in samba from 4.0.0 up
to and including 4.9.2, where a user able to read more than 256MB of
LDAP entries can crash the Samba AD DC's LDAP server.

- CVE-2018-16852 (denial of service)

A NULL pointer de-reference issue has been found in samba from 4.9.0 up
to and including 4.9.2, where a user able to create or modify dnsZone
objects can crash the Samba AD DC's DNS management RPC server, DNS
server or BIND9 when using Samba's DLZ plugin.

- CVE-2018-16853 (denial of service)

A denial of service has been found in samba from 4.7.0 up to and
including 4.9.2, where a user in a Samba AD domain can crash the MIT
KDC by requesting an S4U2Self ticket. This only happens if Samba is
built in an experimental and unsupported MIT Kerberos configuration.

- CVE-2018-16857 (access restriction bypass)

A security issue has been found in samba from 4.9.0 up to and including
4.9.2, where AD DC configurations that watch for bad passwords to
restrict brute forcing in a window of more than 3 minutes may not watch
for bad passwords at all.
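The affected ranges above differ per CVE, so an administrator triaging a fleet of
hosts needs more than a single "older than 4.9.3" test. The following script is an
added example written for this advisory, not a tool shipped by Arch Linux or the
Samba project: it encodes the six ranges exactly as stated in the descriptions
above, assumes Arch's `pkgver-pkgrel` version format (for instance `4.9.2-1`, as
printed by `pacman -Q samba`), and reports which of the listed CVEs apply to a
given installed version and whether it is at or past the fixed package 4.9.3-1.

```python
"""Map an installed samba package version to the CVEs listed in ASA-201811-22.

Added example, not part of the advisory. Affected ranges are copied from the
advisory text; version parsing assumes Arch Linux's ``pkgver-pkgrel`` format.
"""
import re
from typing import List, Tuple

# Affected ranges exactly as stated in the advisory (inclusive on both ends).
AFFECTED: List[Tuple[str, str, str]] = [
    ("CVE-2018-14629", "4.0.0", "4.9.2"),
    ("CVE-2018-16841", "4.3.0", "4.9.2"),
    ("CVE-2018-16851", "4.0.0", "4.9.2"),
    ("CVE-2018-16852", "4.9.0", "4.9.2"),
    ("CVE-2018-16853", "4.7.0", "4.9.2"),
    ("CVE-2018-16857", "4.9.0", "4.9.2"),
]

# Fixed Arch package version from the Resolution section.
FIXED_PKGVER = "4.9.3-1"


def parse_version(pkgver: str) -> Tuple[int, int, int, int]:
    """Turn '4.9.3-1' (or a bare '4.9.2') into a comparable tuple.

    The Arch pkgrel after '-' becomes the fourth element so that 4.9.3-1
    sorts below 4.9.3-2; a missing pkgrel counts as 0. Anything that is not
    of the form N.N.N[-N] (e.g. a release candidate) is rejected rather than
    silently mis-compared.
    """
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:-(\d+))?", pkgver.strip())
    if not m:
        raise ValueError(f"unrecognised samba version string: {pkgver!r}")
    major, minor, patch, rel = m.groups()
    return (int(major), int(minor), int(patch), int(rel or 0))


def applicable_cves(pkgver: str) -> List[str]:
    """Return the advisory's CVE ids whose affected range covers pkgver.

    Upstream ranges are expressed in upstream versions, so the Arch pkgrel is
    dropped before comparing.
    """
    v = parse_version(pkgver)[:3]
    return [
        cve
        for cve, low, high in AFFECTED
        if parse_version(low)[:3] <= v <= parse_version(high)[:3]
    ]


def is_fixed(pkgver: str) -> bool:
    """True when the installed package is at or above the fixed pkgver."""
    return parse_version(pkgver) >= parse_version(FIXED_PKGVER)


def version_from_pacman_query(line: str) -> str:
    """Extract the version from a 'pacman -Q samba' output line ('samba 4.9.2-1')."""
    name, _, version = line.strip().partition(" ")
    if name != "samba" or not version:
        raise ValueError(f"not a pacman -Q samba line: {line!r}")
    return version


if __name__ == "__main__":
    # Constructed sample output lines, not captured from a real host.
    samples = ["samba 4.9.2-1", "samba 4.8.0-2", "samba 4.2.5-1", "samba 4.9.3-1"]
    for line in samples:
        ver = version_from_pacman_query(line)
        status = "fixed" if is_fixed(ver) else "VULNERABLE"
        print(f"{ver:10} {status:10} {', '.join(applicable_cves(ver)) or '-'}")
```

The per-CVE output matters for prioritisation: a 4.2.x domain controller is exposed to the two 4.0.0-based denial-of-service issues but not to the lockout bypass, while only 4.9.0 through 4.9.2 carry CVE-2018-16857 and so need the upgrade treated as urgent on domain controllers relying on bad-password lockout.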

Impact
======

A remote authenticated user can crash a vulnerable samba server. A
remote attacker can brute-force passwords without triggering the bad
password lockout protection.

References
==========

https://download.samba.org/pub/samba/patches/security/samba-4.9.2-security-2018-11-27.patch
https://www.samba.org/samba/security/CVE-2018-14629.html
https://bugzilla.samba.org/show_bug.cgi?id=13600
https://github.com/samba-team/samba/commit/bf596c14c2462b9a15ea738ef4f32b3abb8b63d1
https://www.samba.org/samba/security/CVE-2018-16841.html
https://bugzilla.samba.org/show_bug.cgi?id=13628
https://github.com/samba-team/samba/commit/6e84215d4aa7ef51096db3b187adbe22cacdd921
https://www.samba.org/samba/security/CVE-2018-16851.html
https://bugzilla.samba.org/show_bug.cgi?id=13674
https://github.com/samba-team/samba/commit/f33f52c366f7cf140f470de44579dcb7eb832629
https://www.samba.org/samba/security/CVE-2018-16852.html
https://bugzilla.samba.org/show_bug.cgi?id=13669
https://github.com/samba-team/samba/commit/05f867db81f118215445f2c49eda4b9c3451d14a
https://github.com/samba-team/samba/commit/c78ca8b9b48a19e71f4d6ddd2e300f282fb0b247
https://www.samba.org/samba/security/CVE-2018-16853.html
https://bugzilla.samba.org/show_bug.cgi?id=13571
https://github.com/samba-team/samba/commit/4aabfecd290cd2769376abf7f170e832becc4112
https://www.samba.org/samba/security/CVE-2018-16857.html
https://bugzilla.samba.org/show_bug.cgi?id=13683
https://github.com/samba-team/samba/commit/862d4909eccd18942e3de8e8b0dc6e1594ec27f1
https://github.com/samba-team/samba/commit/4f86beeaf3408383385ee99a74520a805dd63c0f
https://github.com/samba-team/samba/commit/d12b02c78842786969557b9be7c953e9594d90d
https://github.com/samba-team/samba/commit/60b2cd50f4d0554cc5ca8c53b2d1fa89e56a6d06
https://security.archlinux.org/CVE-2018-14629
https://security.archlinux.org/CVE-2018-16841
https://security.archlinux.org/CVE-2018-16851
https://security.archlinux.org/CVE-2018-16852
https://security.archlinux.org/CVE-2018-16853
https://security.archlinux.org/CVE-2018-16857
