Karolin Seeger
2016-Dec-19 09:18 UTC
[Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
Release Announcements
---------------------

This is a security release in order to address the following CVEs:

o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
  Overflow Remote Code Execution Vulnerability).
o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
  trusted realms).
o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
  elevation).

Please note that the patch for CVE-2016-2126 breaks the build with MIT Kerberos in Samba 4.4.8 and 4.4.13. Samba 4.5.3 is not affected. A patch for this issue is available for Samba 4.4 and 4.3 here:

https://bugzilla.samba.org/show_bug.cgi?id=12471

Additionally, you might run into severe issues when running an AD DC with idmap settings for member servers (by mistake) and you are upgrading from the last security release. This invalid configuration (e.g. idmap config * : range 100000 - 33554431 and similar lines) was ignored formerly and leads to errors now. The typical error you see is NT_STATUS_INVALID_SID. For more details, please see the following bug:

https://bugzilla.samba.org/show_bug.cgi?id=12410

If you're a vendor and would like to ignore this again via a source code change, also have a look at:

https://bugzilla.samba.org/show_bug.cgi?id=12155#c20

=======
Details
=======

o CVE-2016-2123:
  The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory corruption. By default, all authenticated LDAP users can write to the dnsRecord attribute on new DNS objects. This makes the defect a remote privilege escalation.

o CVE-2016-2125:
  Samba client code always requests a forwardable ticket when using Kerberos authentication. This means the target server, which must be in the current or trusted domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully impersonate the authenticated user or service.

o CVE-2016-2126:
  A remote, authenticated attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the arcfour-hmac-md5 PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.

#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality feedback. If you don't provide vital information to help us track down the problem then you will probably be ignored.

All bug reports should be filed under the "Samba 4.1 and newer" product in the project's Bugzilla database (https://bugzilla.samba.org/).

======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================

================
Download Details
================

The uncompressed tarballs and patch files have been signed using GnuPG (ID 6F33915B6568B7EA). The source code can be downloaded from:

https://download.samba.org/pub/samba/stable/

Patches addressing this defect have been posted to

https://www.samba.org/samba/history/security.html

The release notes are available online at:

https://www.samba.org/samba/history/samba-4.5.3.html
https://www.samba.org/samba/history/samba-4.4.8.html
https://www.samba.org/samba/history/samba-4.3.13.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

--Enjoy
The Samba Team
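The download section says the tarballs and patch files are signed with GnuPG key ID 6F33915B6568B7EA. A check worth doing when fetching a security release is that the signature is not merely "good" but made by that key: gpg exits 0 for a good signature from any key in the local keyring, so the key identity has to be compared explicitly. The following is an added example, not Samba's own tooling; it parses gpg's machine-readable --status-fd lines (GOODSIG, VALIDSIG, BADSIG and friends, as documented in GnuPG's doc/DETAILS). The status transcripts and fingerprints below are constructed samples; only the key ID comes from the announcement. Note that the detached signature covers the uncompressed tarball, so the .tar.gz must be gunzipped before verifying.

```python
"""Verify a Samba release tarball signature against the announced key ID.

Added example, not Samba's tooling. Sample gpg status output below is
constructed; only the key ID 6F33915B6568B7EA is from the announcement.
"""
import subprocess
from typing import Optional, Tuple

SAMBA_RELEASE_KEY_ID = "6F33915B6568B7EA"  # from the release announcement

# gpg status lines that mean the signature must not be accepted. EXPKEYSIG
# and REVKEYSIG are cryptographically good but from an expired/revoked key;
# this example treats them as failures, a conservative choice.
_FAILURE_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPKEYSIG", "REVKEYSIG"}


def signing_key_from_status(status: str) -> Tuple[bool, Optional[str]]:
    """Return (signature_good, key) parsed from `gpg --status-fd` output.

    GOODSIG carries the long key id; VALIDSIG carries the full fingerprint
    and is preferred when present. Any failure tag wins over a GOODSIG.
    """
    good = False
    key: Optional[str] = None
    for line in status.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue  # ordinary gpg chatter, not a status line
        fields = line.split()
        tag = fields[1]
        if tag in _FAILURE_TAGS:
            return False, fields[2] if len(fields) > 2 else None
        if tag == "GOODSIG":
            good = True
            key = key or fields[2]
        elif tag == "VALIDSIG":
            key = fields[2]
    return good, key


def signed_by_expected_key(status: str, expected_key_id: str = SAMBA_RELEASE_KEY_ID) -> bool:
    """True only if the signature is good AND made by the expected key.

    A long key id is the last 16 hex digits of the fingerprint, so comparing
    with endswith() works for both GOODSIG (key id) and VALIDSIG (fingerprint).
    """
    good, key = signing_key_from_status(status)
    if not good or key is None:
        return False
    return key.upper().endswith(expected_key_id.upper())


def verify_release(tarball: str, signature: str) -> bool:
    """Run gpg on the *uncompressed* tarball (samba-X.Y.Z.tar, not .tar.gz).

    Requires gpg on PATH and the release key imported. The signature file
    comes first on the command line, as gpg expects for detached signatures.
    """
    proc = subprocess.run(
        ["gpg", "--batch", "--status-fd", "1", "--verify", signature, tarball],
        capture_output=True, text=True, check=False,
    )
    return signed_by_expected_key(proc.stdout)


# Constructed status transcripts. The fingerprint prefix is a placeholder
# (zeros), not the real key's fingerprint; the uid text is made up.
_FPR_SAMBA = "0" * 24 + SAMBA_RELEASE_KEY_ID
GOOD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG {SAMBA_RELEASE_KEY_ID} Samba release key (constructed sample uid)
[GNUPG:] VALIDSIG {_FPR_SAMBA} 2016-12-19 1482138000 0 4 0 1 10 00 {_FPR_SAMBA}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

_FPR_OTHER = "0" * 24 + "0123456789ABCDEF"
OTHER_KEY_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else (constructed sample uid)
[GNUPG:] VALIDSIG {_FPR_OTHER} 2016-12-19 1482138000 0 4 0 1 10 00 {_FPR_OTHER}
"""

BAD_STATUS = f"""[GNUPG:] NEWSIG
[GNUPG:] BADSIG {SAMBA_RELEASE_KEY_ID} Samba release key (constructed sample uid)
"""

if __name__ == "__main__":
    for name, status in (("good", GOOD_STATUS), ("other key", OTHER_KEY_STATUS), ("bad", BAD_STATUS)):
        print(f"{name:>9}: accepted={signed_by_expected_key(status)}")
```

The point of `signed_by_expected_key` is the second half of the check: a well-formed GOODSIG from a different key in the keyring (`OTHER_KEY_STATUS`) is rejected just like a corrupted download (`BAD_STATUS`).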
Mike Lykov
2016-Dec-19 09:56 UTC
[Samba] [Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
19.12.2016 13:18, Karolin Seeger via samba writes:
> 100000 - 33554431 and similar lines) was ignored formerly and leads to errors
> now. The typical error you see is NT_STATUS_INVALID_SID.
> For more details, please see the following bug:
>
> https://bugzilla.samba.org/show_bug.cgi?id=12410

What is the right configuration in this case?

On the DC I have only an

idmap_ldb:use rfc2307 = yes

string in my smb.conf, and on the member server I have

idmap config *:backend = tdb
idmap config *:range = 30001-40000
idmap config SAMGES:backend = ad
idmap config SAMGES:schema_mode = rfc2307
idmap config SAMGES:range = 10000-20000

winbind nss info = rfc2307
winbind trusted domains only = no
winbind use default domain = yes
winbind enum users = yes
winbind enum groups = yes

Is this correct?
I have an old 4.1* version and plan to upgrade to 4.5*.

--
Mike Lykov, system administrator
Rowland Penny
2016-Dec-19 10:22 UTC
[Samba] [Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download
On Mon, 19 Dec 2016 13:56:41 +0400
Mike Lykov via samba <samba at lists.samba.org> wrote:

> 19.12.2016 13:18, Karolin Seeger via samba writes:
>
> > 100000 - 33554431 and similar lines) was ignored formerly and leads
> > to errors now. The typical error you see is NT_STATUS_INVALID_SID.
> > For more details, please see the following bug:
> >
> > https://bugzilla.samba.org/show_bug.cgi?id=12410
>
> What is the right configuration in this case?
>
> On the DC I have only an
> idmap_ldb:use rfc2307 = yes
>
> string in my smb.conf, and
>
> on the member server I have
>
> idmap config *:backend = tdb
> idmap config *:range = 30001-40000
> idmap config SAMGES:backend = ad
> idmap config SAMGES:schema_mode = rfc2307
> idmap config SAMGES:range = 10000-20000
>
> winbind nss info = rfc2307
> winbind trusted domains only = no
> winbind use default domain = yes
> winbind enum users = yes
> winbind enum groups = yes
>
>
> Is this correct?
> I have an old 4.1* version and plan to upgrade to 4.5*.
>

The only possible problems I can see there are the 'winbind enum' lines; you should only set these for testing purposes.

The problem was that people have been setting the 'idmap config' lines meant for a domain member on AD DCs. On versions before 4.5.0, they were ignored and did nothing. From 4.5.0, they still do not affect the IDs, but now cause errors. These errors have now been fixed in 4.5.3.

Rowland
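Rowland's reply points at two things to look for before upgrading: 'idmap config' lines on an AD DC (ignored before 4.5.0, NT_STATUS_INVALID_SID errors from 4.5.0, see bug 12410) and 'winbind enum users/groups' left enabled outside testing. The following is an added example, not part of the thread and not Samba's testparm: a small smb.conf reader that flags both. It goes one step beyond the thread by also flagging overlapping idmap ranges on a member server, which Samba requires to be disjoint. Both sample configurations are constructed from the thread's text; the 'server role' and 'security' lines are assumed, since the question quotes only the idmap and winbind parameters.

```python
"""Flag the smb.conf idmap mistakes discussed in this thread.

Added example, not Samba's tooling. DC_CONF and MEMBER_CONF are constructed
from the thread; 'server role' / 'security' lines are assumed.
"""
import re
from typing import Dict, List, Tuple

_SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")
_RANGE_RE = re.compile(r"^(\d+)\s*-\s*(\d+)$")

# Constructed: an AD DC that also carries a domain-member idmap line, the
# situation the announcement says now produces NT_STATUS_INVALID_SID.
DC_CONF = """[global]
    workgroup = SAMGES
    server role = active directory domain controller
    idmap_ldb:use rfc2307 = yes
    idmap config * : range = 100000 - 33554431
"""

# Constructed from the member-server configuration quoted in the question.
MEMBER_CONF = """[global]
    workgroup = SAMGES
    security = ads
    idmap config *:backend = tdb
    idmap config *:range = 30001-40000
    idmap config SAMGES:backend = ad
    idmap config SAMGES:schema_mode = rfc2307
    idmap config SAMGES:range = 10000-20000
    winbind nss info = rfc2307
    winbind trusted domains only = no
    winbind use default domain = yes
    winbind enum users = yes
    winbind enum groups = yes
"""


def _norm_key(key: str) -> str:
    """Lowercase, collapse whitespace and drop spaces around ':' so that
    'idmap config * : range' and 'idmap config *:range' compare equal."""
    key = " ".join(key.lower().split())
    return re.sub(r"\s*:\s*", ":", key)


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf parser: {section: {normalised key: value}}.
    Lines before any [section] header are treated as [global]."""
    sections: Dict[str, Dict[str, str]] = {"global": {}}
    current = "global"
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue  # blank or comment
        m = _SECTION_RE.match(line)
        if m:
            current = m.group("name").strip().lower()
            sections.setdefault(current, {})
            continue
        if "=" not in line:
            continue  # not a parameter line; testparm would reject it anyway
        key, value = line.split("=", 1)
        sections[current][_norm_key(key)] = value.strip()
    return sections


def _parse_range(value: str) -> Tuple[int, int]:
    m = _RANGE_RE.match(value)
    if not m:
        raise ValueError(f"not an idmap range: {value!r}")
    return int(m.group(1)), int(m.group(2))


def check_smb_conf(text: str) -> List[str]:
    """Return human-readable findings for the [global] section."""
    g = parse_smb_conf(text)["global"]
    role = g.get("server role", "").lower()
    is_dc = role in ("active directory domain controller", "dc")
    findings: List[str] = []
    ranges: List[Tuple[str, int, int]] = []
    for key in sorted(g):
        value = g[key]
        if key.startswith("idmap config"):
            if is_dc:
                findings.append(
                    f"DC carries domain-member setting '{key} = {value}': ignored before "
                    "4.5.0, NT_STATUS_INVALID_SID errors from 4.5.0 (bug 12410); remove it"
                )
            if key.endswith(":range"):
                lo, hi = _parse_range(value)
                ranges.append((key, lo, hi))
        elif key in ("winbind enum users", "winbind enum groups") and value.lower() in ("yes", "true", "1"):
            findings.append(f"'{key} = {value}' is enabled: only set this for testing")
    # Beyond the thread: idmap ranges of different backends must not overlap.
    for i, (k1, lo1, hi1) in enumerate(ranges):
        for k2, lo2, hi2 in ranges[i + 1:]:
            if lo1 <= hi2 and lo2 <= hi1:
                findings.append(f"idmap ranges overlap: '{k1}' {lo1}-{hi1} and '{k2}' {lo2}-{hi2}")
    return findings


if __name__ == "__main__":
    for name, conf in (("DC", DC_CONF), ("member", MEMBER_CONF)):
        print(f"== {name} ==")
        for finding in check_smb_conf(conf) or ["no findings"]:
            print("  " + finding)
```

Running the block prints one finding for the DC (the stray range line) and two for the member server (the two 'winbind enum' lines); the member server's 30001-40000 and 10000-20000 ranges are disjoint, so the overlap check stays quiet there.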