[ASA-201811-22] samba: multiple issues
rgacogne at archlinux.org
Wed Nov 28 12:48:04 UTC 2018
Arch Linux Security Advisory ASA-201811-22
Date : 2018-11-28
CVE-ID : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851 CVE-2018-16852
Package : samba
Type : multiple issues
Remote : Yes
Link : https://security.archlinux.org/AVG-823
The package samba before version 4.9.3-1 is vulnerable to multiple
issues including denial of service and access restriction bypass.
Upgrade to 4.9.3-1.
# pacman -Syu "samba>=4.9.3-1"
The problems have been fixed upstream in version 4.9.3.
- CVE-2018-14629 (denial of service)
A denial of service security issue has been found in samba from 4.0.0
up to and including 4.9.2, where an unprivileged user can use the
ldbadd tool to add DNS records to create a CNAME loop, causing infinite
- CVE-2018-16841 (denial of service)
A double-free issue has been found in samba from 4.3.0 up to and
including 4.9.2, where a user with a valid certificate or smart card
can crash the Samba AD DC's KDC.
When configured to accept smart-card authentication, Samba's KDC
will call talloc_free() twice on the same memory if the principal in a
validly signed certificate does not match the principal in the AS-REQ.
This is only possible after authentication with a trusted certificate.
talloc is robust against further corruption from a double-free with
talloc_free() and directly calls abort(), terminating the KDC process.
There is no further vulnerability associated with this issue, merely a
denial of service.
- CVE-2018-16851 (denial of service)
A NULL pointer de-reference issue has been found in samba from 4.0.0 up
to and including 4.9.2, where a user able to read more than 256MB of
LDAP entries can crash the Samba AD DC's LDAP server.
- CVE-2018-16852 (denial of service)
A NULL pointer de-reference issue has been found in samba from 4.9.0 up
to and including 4.9.2, where a user able to create or modify dnsZone
objects can crash the Samba AD DC's DNS management RPC server, DNS
server or BIND9 when using Samba's DLZ plugin.
- CVE-2018-16853 (denial of service)
A denial of service has been found in samba from 4.7.0 up to and
including 4.9.2, where a user in a Samba AD domain can crash the MIT
KDC by requesting an S4U2Self ticket. This only happens if Samba is
built in an experimental and unsupported MIT Kerberos configuration.
- CVE-2018-16857 (access restriction bypass)
A security issue has been found in samba from 4.9.0 up to and including
4.9.2, where AD DC Configurations watching for bad passwords to
restrict brute forcing in a window of more than 3 minutes may not watch
for bad passwords at all.
A remote authenticated user can crash a vulnerable samba server. A
remote attacker can brute-force passwords without triggering the bad
password lockout protection.
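
For the CNAME loop described under CVE-2018-14629, existing zone data can be audited for chains that never terminate. The following Python is an added example, not code from this advisory or from Samba; the record list, the example.test names and the MAX_CHAIN cap are constructed for illustration.

```python
# Added example: audit a set of DNS records for CNAME loops.
# RECORDS is constructed sample data, not taken from the advisory.
MAX_CHAIN = 20  # assumed cap on chain length, chosen for this example

RECORDS = [
    ("www.example.test.", "CNAME", "web.example.test."),
    ("web.example.test.", "A", "192.0.2.10"),
    ("a.example.test.", "CNAME", "b.example.test."),
    ("b.example.test.", "CNAME", "c.example.test."),
    ("c.example.test.", "CNAME", "a.example.test."),
    ("self.example.test.", "CNAME", "SELF.example.test."),
]


def norm(name):
    """DNS names compare case-insensitively; normalise to lower case, trailing dot."""
    name = name.strip().lower()
    return name if name.endswith(".") else name + "."


def cname_map(records):
    """Map each owner name to its CNAME target, ignoring other record types."""
    return {norm(o): norm(t) for o, rtype, t in records if rtype.upper() == "CNAME"}


def follow(name, cnames, max_chain=MAX_CHAIN):
    """Follow a CNAME chain; returns (status, chain), status ok/loop/too_long."""
    chain = [norm(name)]
    seen = {chain[0]}
    while chain[-1] in cnames:
        nxt = cnames[chain[-1]]
        chain.append(nxt)
        if nxt in seen:          # target already visited: the chain cycles
            return "loop", chain
        if len(chain) > max_chain:  # bounded walk, so the audit itself cannot hang
            return "too_long", chain
        seen.add(nxt)
    return "ok", chain


def find_loops(records):
    """Return the sorted owner names whose CNAME chain never terminates."""
    cnames = cname_map(records)
    return sorted(n for n in cnames if follow(n, cnames)[0] == "loop")


if __name__ == "__main__":
    for owner in find_loops(RECORDS):
        print("CNAME loop reachable from", owner)
```

Names reported by find_loops() are candidates for review and removal on a domain controller that has not yet been upgraded to 4.9.3-1.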