Steve Langasek
2006-Mar-31 05:07 UTC
[Secure-testing-team] CAN-2006-1059 [jerry@samba.org: [SECURITY] Samba 3.0.21-3.0.21c: Exposure of machine account credentials in winbindd log files]
Hey folks,

samba 3.0.22 has been released to fix a security hole in samba versions
3.0.21-3.0.21c, CAN-2006-1059, which on Debian systems allows members of
the adm group to read the domain member server's password from
/var/log/samba/log.winbindd, a privilege escalation with limited scope.

I'm preparing an upload of samba 3.0.22 to unstable, which will be
uploaded just as soon as the build finishes here. :)

I've confirmed that this patch is not applicable to samba 3.0.14a, so
sarge is not vulnerable.

The original upstream announcement is included below.

Cheers,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                 to set it on, and I can move the world.
vorlon@debian.org                                   http://www.debian.org/

----- Forwarded message from "Gerald (Jerry) Carter" <jerry@samba.org> -----

From: "Gerald (Jerry) Carter" <jerry@samba.org>
To: samba-technical@samba.org
Subject: [SECURITY] Samba 3.0.21-3.0.21c: Exposure of machine account credentials in winbindd log files
Date: Wed, 29 Mar 2006 23:21:06 -0600

============================================================
== Subject:  Exposed clear text of domain machine account
==           password in debug logs (log level >= 5)
==
== CVE ID#:  CAN-2006-1059
==
== Versions: Samba 3.0.21 - 3.0.21c (inclusive)
==
== Summary:  The winbindd daemon writes the clear text of the
==           machine trust account password to log files.
==           These log files are world readable by default.
============================================================

===========
Description
===========

The machine trust account password is the secret shared between a
domain controller and a specific member server.  Access to the member
server machine credentials allows an attacker to impersonate the server
in the domain and gain access to additional information regarding
domain users and groups.

The winbindd daemon included in Samba 3.0.21 and subsequent patch
releases (3.0.21a-c) writes the clear text of the server's machine
credentials to its log file at level 5.  The winbindd log files are
world readable by default, and often log files are requested on open
mailing lists as tools used to debug server misconfigurations.

This affects servers configured to use domain or ads security and
possibly Samba domain controllers as well (if configured to use
winbindd).

==================
Patch Availability
==================

Samba 3.0.22 has been released to address this one security defect.
A patch for Samba 3.0.21[a-c] has been posted at

    http://www.samba.org/samba/security/

An unpatched server may be protected by ensuring that non-administrative
users are unable to read any winbindd log files generated at level 5 or
greater.

=======
Credits
=======

This security issue was discovered during an internal security audit of
the Samba source code by the Samba Team.

===========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
===========================================================

----- End forwarded message -----
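The workaround in the advisory (an unpatched server is safe as long as non-administrative users cannot read winbindd logs written at level 5 or higher) expressed as a check an administrator could run on a Debian host. This is an added example, not code from the advisory, from Samba or from the Debian package; the function names, the constructed inputs and the assumption that the last `log level`/`debug level` line in smb.conf is the one in force are mine.

```shell
#!/bin/sh
# Constructed example, not from the advisory or the Samba project: checks
# whether a winbindd log could expose the machine account password under
# CAN-2006-1059, i.e. the log level is 5 or higher AND the log file is
# readable by group or others (on Debian: log.winbindd and the adm group).

# Print the effective winbindd log level from an smb.conf. Samba accepts
# "log level" or "debug level"; the value may carry per-class levels such
# as "5 winbind:10", so the winbind class is honoured when it is higher.
# Assumption: the last such (uncommented) line in the file is the one in force.
smb_log_level() {
    awk -F= '
        /^[ \t]*(log|debug)[ \t]*level[ \t]*=/ {
            n = split($2, p, "[ \t]+")
            for (i = 1; i <= n; i++) {
                if (p[i] ~ /^[0-9]+$/) g = p[i] + 0
                else if (p[i] ~ /^winbind:[0-9]+$/) {
                    split(p[i], kv, ":"); w = kv[2] + 0
                }
            }
        }
        END { if (w + 0 > g + 0) g = w; print g + 0 }' "$1"
}

# Return 0 if the file mode grants read to group or others, 1 if it does
# not, 2 if the file is missing. Mode bits come from ls, so the verdict
# is the same whether or not this runs as root.
log_readable_by_others() {
    [ -e "$1" ] || return 2
    case "$(ls -ld "$1" | cut -c5-10)" in
        *r*) return 0 ;;
        *)   return 1 ;;
    esac
}

# Combine both checks; exit status 1 means the password can leak.
winbindd_log_exposure() {
    conf=$1; logf=$2
    lvl=$(smb_log_level "$conf")
    if [ "$lvl" -lt 5 ]; then
        echo "ok: log level $lvl is below 5"; return 0
    fi
    if log_readable_by_others "$logf"; then
        echo "EXPOSED: log level $lvl and $logf is readable by group/others"
        return 1
    fi
    echo "mitigated: log level $lvl but $logf is not group/other readable"
    return 0
}
```

On a real host run `winbindd_log_exposure /etc/samba/smb.conf /var/log/samba/log.winbindd`; a missing log file is reported as mitigated because nothing has been written yet.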