Release Announcements
---------------------

This is the latest stable release of the Samba 4.19 release series.
It contains the security-relevant bug CVE-2018-14628:

    Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
    allow read of object tombstones over LDAP
    (Administrator action required!)
    https://www.samba.org/samba/security/CVE-2018-14628.html


Description of CVE-2018-14628
-----------------------------

All versions of Samba from 4.0.0 onwards are vulnerable to an
information leak (compared with the established behaviour of
Microsoft's Active Directory) when Samba is an Active Directory Domain
Controller.

When a domain was provisioned with an unpatched Samba version,
the ntSecurityDescriptor is simply inherited from Domain/Partition-HEAD-Object
instead of being very strict (as on a Windows provisioned domain).

This means that also non-privileged users can use the
LDAP_SERVER_SHOW_DELETED_OID control in order to view
the names and preserved attributes of deleted objects.

No information that was hidden before the deletion is visible, but
with the correct ntSecurityDescriptor value in place the whole object
is also not visible without administrative rights.

There is no further vulnerability associated with this error, merely an
information disclosure.


Action required in order to resolve CVE-2018-14628!
---------------------------------------------------

The patched Samba does NOT protect existing domains!

The administrator needs to run the following command
(on only one domain controller)
in order to apply the protection to an existing domain:

    samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix

The above requires manual interaction in order to review the
changes before they are applied. Typical questions look like this:

    Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org back to provision default?
            Owner mismatch: SY (in ref) DA(in current)
            Group mismatch: SY (in ref) DA(in current)
            Part dacl is different between reference and current here is the detail:
                    (A;;LCRPLORC;;;AU) ACE is not present in the reference
                    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
                    (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
                    (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
                    (A;;LCRP;;;BA) ACE is not present in the current
     [y/N/all/none] y
    Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'

The change should be confirmed with 'y' for all objects starting with
'CN=Deleted Objects'.


Changes since 4.19.2
--------------------

o  Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
   * BUG 15520: sid_strings test broken by unix epoch > 1700000000.

o  Ralph Boehme <slow at samba.org>
   * BUG 15487: smbd crashes if asked to return full information on close of a
     stream handle with delete on close disposition set.
   * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
     smb_fname_fsp_destructor().

o  Pavel Filipenský <pfilipensky at samba.org>
   * BUG 15499: Improve logging for failover scenarios.

o  Björn Jacke <bj at sernet.de>
   * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
     listed in directories.

o  Stefan Metzmacher <metze at samba.org>
   * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
     AD LDAP to normal users.
   * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
     accounts.

o  Christof Schmitt <cs at samba.org>
   * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.

o  Andreas Schneider <asn at samba.org>
   * BUG 15513: Samba doesn't build with Python 3.12.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical:matrix.org matrix room, or
#samba-technical IRC channel on irc.libera.chat.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


=======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
=======================================================================


===============
Download Details
===============

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.19.3.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
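The dbcheck prompt above reports the difference between the descriptor found in the domain and the provision reference as SDDL ACE strings. The following is an added example, not code from the announcement or from samba-tool: it parses such SDDL values and flags ACEs that let a non-privileged principal (here Authenticated Users, AU) read the Deleted Objects container. The two descriptors are constructed from the ACEs shown in the prompt (owner, group and DACL only); the `PRIVILEGED` set and the `READ_RIGHTS` set are assumptions made for the demonstration.

```python
# Added example: parse nTSecurityDescriptor values in SDDL form and flag ACEs
# that grant read-type rights on CN=Deleted Objects to non-privileged trustees.
# Descriptors below are constructed from the dbcheck output; not real full values.
import re
from typing import Dict, List, NamedTuple, Set, Tuple

class Ace(NamedTuple):
    ace_type: str  # "A" allow, "D" deny, "OA"/"OD" object-specific ACEs
    flags: str     # ACE flags such as CI/OI/ID
    rights: str    # concatenated two-letter SDDL right codes (hex masks not handled)
    trustee: str   # well-known alias (AU, SY, DA, BA, ...) or an S-1-... SID string

# Rights that reveal an object's existence, name or attributes over LDAP (assumption).
READ_RIGHTS: Set[str] = {"LC", "RP", "LO", "RC"}
# Trustees expected on the container: SYSTEM and Builtin Administrators per the
# provision reference shown above, plus Domain/Enterprise Admins (assumption).
PRIVILEGED: Set[str] = {"SY", "BA", "DA", "EA"}

def split_sddl(sddl: str) -> Dict[str, str]:
    """Split 'O:..G:..D:..S:..' into components; ACE bodies never contain ':'."""
    return dict(re.findall(r"([OGDS]):((?:(?![OGDS]:).)*)", sddl))

def parse_dacl(sddl: str) -> List[Ace]:
    """Return the ACEs of the DACL; control flags (AI, P) before the first '(' are skipped."""
    aces = []
    for body in re.findall(r"\(([^)]*)\)", split_sddl(sddl).get("D", "")):
        parts = body.split(";")  # type;flags;rights;object_guid;inherit_guid;trustee[;...]
        if len(parts) >= 6:
            aces.append(Ace(parts[0], parts[1], parts[2], parts[5]))
    return aces

def rights_of(ace: Ace) -> Set[str]:
    return {ace.rights[i:i + 2] for i in range(0, len(ace.rights), 2)}

def unprivileged_readers(sddl: str) -> List[Ace]:
    """Allow ACEs that give any read-type right to a trustee outside PRIVILEGED."""
    return [a for a in parse_dacl(sddl)
            if a.ace_type == "A" and a.trustee not in PRIVILEGED
            and rights_of(a) & READ_RIGHTS]

def diff_dacl(current: str, reference: str) -> Tuple[List[Ace], List[Ace]]:
    """Mirror dbcheck's report: (ACEs only in current, ACEs only in reference)."""
    cur, ref = set(parse_dacl(current)), set(parse_dacl(reference))
    return sorted(cur - ref), sorted(ref - cur)

# Constructed: descriptor of an unpatched provision vs the 4.19.3 provision reference.
CURRENT_SDDL = ("O:DAG:DAD:(A;;LCRPLORC;;;AU)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
                "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")
REFERENCE_SDDL = "O:SYG:SYD:(A;;CCDCLCSWRPWPSDRCWDWO;;;SY)(A;;LCRP;;;BA)"
```

Running `unprivileged_readers(CURRENT_SDDL)` returns the single AU ACE, which is the tombstone read access the CVE describes, while the reference descriptor yields none.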
Andrea Venturoli
2023-Nov-27 16:13 UTC
[Samba] [Announce] Samba 4.19.3 Available for Download
On 11/27/23 13:27, Jule Anger via samba wrote:

Hello.

> All versions of Samba from 4.0.0 onwards are vulnerable to an
> ...
> When a domain was provisioned with an unpatched Samba version,
> ...
> The patched Samba does NOT protect existing domains!
>
> The administrator needs to run the following command

Just a check to see if I understand correctly:
_ Samba 4.19.3 is needed to correctly provision new domains;
_ old domains must be corrected with the given command;
_ that command only works in 4.19.3; it won't fix the problem if launched
  on an older version (at least it did nothing when I tried it on 4.17.12).

If so, are updated 4.17.x and 4.18.x releases planned for those who can't
or don't want to move to 4.19?

Or is there another (perhaps more manual) way to check if a domain is
affected and fix it?

Thanks in advance
 av.
On Mon, 2023-11-27 at 13:27 +0100, Jule Anger via samba wrote:
> [Samba 4.19.3 release announcement quoted in full; see above]

Actually the usual

    samba-tool dbcheck --cross-ncs --fix --yes

which I run after every upgrade on every DC per
https://wiki.samba.org/index.php/Dbcheck found and fixed the permissions
in question on the first DC and (as it says above) the error did not
reappear on the other one.

Just in case I ran the dbcheck with --attrs=nTSecurityDescriptor again as
posted and it didn't find anything.

FWIW