samba - Dec 2016 - [Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download

Release Announcements
---------------------

This is a security release in order to address the following CVEs:

o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
   Overflow Remote Code Execution Vulnerability).
o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
   trusted realms).
o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
   elevation).

Please note that the patch for CVE-2016-2126 breaks the build with MIT
Kerberos in Samba 4.4.8 and 4.4.13. Samba 4.5.3 is not affected.
A patch for this issue is available for Samba 4.4 and 4.3 here:

  https://bugzilla.samba.org/show_bug.cgi?id=12471

Additionally, you might run into severe issues when running an AD DC with idmap
settings for member servers (by mistake) and you are upgrading from the last
security release. This invalid configuration (e.g. idmap config * : range 100000
- 33554431 and similar lines) was ignored formerly and leads to errors
now. The typical error you see is NT_STATUS_INVALID_SID.
For more details, please see the following bug:

  https://bugzilla.samba.org/show_bug.cgi?id=12410

If you're a vendor and would like to ignore this again
via a source code change, also have a look at:

  https://bugzilla.samba.org/show_bug.cgi?id=12155#c20

======Details
======
o  CVE-2016-2123:
   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
   parses data from the Samba Active Directory ldb database.  Any user
   who can write to the dnsRecord attribute over LDAP can trigger this
   memory corruption.

   By default, all authenticated LDAP users can write to the dnsRecord
   attribute on new DNS objects. This makes the defect a remote privilege
   escalation.

o  CVE-2016-2125
   Samba client code always requests a forwardable ticket
   when using Kerberos authentication. This means the
   target server, which must be in the current or trusted
   domain/realm, is given a valid general purpose Kerberos
   "Ticket Granting Ticket" (TGT), which can be used to
   fully impersonate the authenticated user or service.

o  CVE-2016-2126
   A remote, authenticated, attacker can cause the winbindd process
   to crash using a legitimate Kerberos ticket due to incorrect
   handling of the arcfour-hmac-md5 PAC checksum.

   A local service with access to the winbindd privileged pipe can
   cause winbindd to cache elevated access permissions.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's
Bugzilla
database (https://bugzilla.samba.org/).


======================================================================= Our
Code, Our Bugs, Our Responsibility.
== The Samba Team
=====================================================================

===============Download Details
===============
The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

Patches addressing this defect have been posted to

        https://www.samba.org/samba/history/security.html

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.5.3.html
        https://www.samba.org/samba/history/samba-4.4.8.html
        https://www.samba.org/samba/history/samba-4.3.13.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL:
<http://lists.samba.org/pipermail/samba-announce/attachments/20161219/6b4e9e37/signature.sig>

19.12.2016 13:18, Karolin Seeger via samba пишет:
> 100000 - 33554431 and similar lines) was ignored formerly and leads to
errors
> now. The typical error you see is NT_STATUS_INVALID_SID.
> For more details, please see the following bug:
>
>   https://bugzilla.samba.org/show_bug.cgi?id=12410
What is right configuration in this case?

on DC I have only an
      idmap_ldb:use rfc2307 = yes

string in my smb.conf, and

on member server I have an

     idmap config *:backend = tdb
     idmap config *:range = 30001-40000
     idmap config SAMGES:backend = ad
     idmap config SAMGES:schema_mode = rfc2307
     idmap config SAMGES:range = 10000-20000

     winbind nss info = rfc2307
     winbind trusted domains only = no
     winbind use default domain = yes
     winbind enum users  = yes
     winbind enum groups = yes


Are this is correct?
I have an old 4.1* version and plan to upgrade to 4.5*.

-- 
Mike Lykov, system administrator

On Mon, 19 Dec 2016 13:56:41 +0400
Mike Lykov via samba <samba at lists.samba.org> wrote:
> 19.12.2016 13:18, Karolin Seeger via samba пишет:
> 
> > 100000 - 33554431 and similar lines) was ignored formerly and leads
> > to errors now. The typical error you see is NT_STATUS_INVALID_SID.
> > For more details, please see the following bug:
> >
> >   https://bugzilla.samba.org/show_bug.cgi?id=12410
> 
> What is right configuration in this case?
> 
> on DC I have only an
>       idmap_ldb:use rfc2307 = yes
> 
> string in my smb.conf, and
> 
> on member server I have an
> 
>      idmap config *:backend = tdb
>      idmap config *:range = 30001-40000
>      idmap config SAMGES:backend = ad
>      idmap config SAMGES:schema_mode = rfc2307
>      idmap config SAMGES:range = 10000-20000
> 
>      winbind nss info = rfc2307
>      winbind trusted domains only = no
>      winbind use default domain = yes
>      winbind enum users  = yes
>      winbind enum groups = yes
> 
> 
> Are this is correct?
> I have an old 4.1* version and plan to upgrade to 4.5*.
> 
The only possible problems I can see there are the 'winbind enum' lines,
you should only set these for testing purposes.

The problem was that people have been setting the 'idmap config' lines
meant for a domain member on AD DCs. On versions before 4.5.0, they
were ignored and did nothing. From 4.5.0, they still do not affect the
IDs, but now cause errors, these errors have now been fixed in 4.5.3

Rowland