Samba-4.10.4 (CVE-2019-3870 CVE-2018-14629 CVE-2019-3880 CVE-2018-16860)

[Douglas R. Reno]

Emergency security release, a month early.

                   ==============================
                   Release Notes for Samba 4.10.2
                           April 8, 2019
                   ==============================


This is a security release in order to address the following defects:

o  CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
o  CVE-2019-3880 (Save registry file outside share as unprivileged user)


=======
Details
=======

o  CVE-2019-3870:
   During the provision of a new Active Directory DC, some files in the private/
   directory are created world-writable.

o  CVE-2019-3880:
   Authenticated users with write permission can trigger a symlink traversal to
   write or detect files outside the Samba share.

For more details and workarounds, please refer to the security advisories.


Changes since 4.10.1:
---------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for
     smbd.mkdir().

o  Jeremy Allison <jra@samba.org>
   * BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
     SaveKey/RestoreKey.

New versions have been made available for 4.8.x and 4.9.x as well (necessitating errata). Upstream has made it clear to update ASAP in multiple different emails on samba-announce, samba, and samba-technical; so this will be done within the next couple days at most.

[Douglas R. Reno]

Release Announcements
---------------------

These are a security releases in order to address the following defects:

o  CVE-2019-3870 (World writable files in Samba AD DC private/ dir)
o  CVE-2019-3880 (Save registry file outside share as unprivileged user)


=======
Details
=======

o  CVE-2019-3870:
   During the provision of a new Active Directory DC, some files in the private/
   directory are created world-writable.

o  CVE-2019-3880:
   Authenticated users with write permission can trigger a symlink traversal to
   write or detect files outside the Samba share.

For more details and workarounds, please refer to the security advisories.


Changes:
--------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 13834: CVE-2019-3870: pysmbd: Ensure a zero umask is set for
     smbd.mkdir().

o  Jeremy Allison <jra@samba.org>
   * BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
     SaveKey/RestoreKey.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.10.2.html
        https://www.samba.org/samba/history/samba-4.9.6.html
        https://www.samba.org/samba/history/samba-4.8.11.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team

Hi,

This is a heads-up that there will be Samba security updates on
Monday, April 8 2019. Please make sure that your Samba
servers will be updated soon after the release!

Impacted components:
 - AD DC (CVSS 6.1, Medium)
 - File Server (CVSS 6.3, Medium)

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team         https://samba.org
Samba Development and Support, Catalyst IT   
https://catalyst.net.nz/services/samba

[Douglas R. Reno]

Checking my email from this morning:

Hi,

You're receiving this email because you're listed as a distributor of Samba. We are releasing critical security patches in a few hours. Please deploy them to your users as soon as possible for the safety of their data.

Impacted components include the AD DC and File Server components, as well as the python bindings for Samba.

Andrew Bartlett

-- 
Andrew Bartlett
https://samba.org/~abartlet/
Authentication Developer, Samba Team      https://samba.org
Samba Development and Support, Catalyst IT
https://catalyst.net.nz/services/samba

[Douglas R. Reno]

Now 4.10.3

[Douglas R. Reno]

Now 4.10.4

[Douglas R. Reno]

CVE-2018-16860

CVE-2018-16860.html

===========================================================
== Subject:     Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
==
== CVE ID#:     CVE-2018-16860
==
== Versions:    All Samba versions since Samba 4.0
==              All releases of Heimdal from 0.8 including 7.5.0
==		and any products that ship a KDC derived from one of
==              those Heimdal releases.
==
== Summary:     The checksum validation in the S4U2Self handler in
==              the embedded Heimdal KDC did not first confirm that the
==              checksum was keyed, allowing replacement of the
==              requested target (client) principal.
===========================================================

===========
Description
===========

S4U2Self is an extension to Kerberos used in Active Directory to allow
a service to request a kerberos ticket to itself from the Kerberos Key
Distribution Center (KDC) for a non-Kerberos authenticated user
(principal in Kerboros parlance). This is useful to allow internal
code paths to be standardized around Kerberos.

S4U2Proxy (constrained-delegation) is an extension of this mechanism
allowing this impersonation to a second service over the network. It
allows a privileged server that obtained a S4U2Self ticket to itself
to then assert the identity of that principal to a second service and
present itself as that principal to get services from the second
service.

There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
KDC checks the checksum that is placed on the S4U2Self packet by the
server to protect the requested principal against modification, it
does not confirm that the checksum algorithm that protects the user
name (principal) in the request is keyed.  This allows a
man-in-the-middle attacker who can intercept the request to the KDC to
modify the packet by replacing the user name (principal) in the
request with any desired user name (principal) that exists in the KDC
and replace the checksum protecting that name with a CRC32 checksum
(which requires no prior knowledge to compute).

This would allow a S4U2Self ticket requested on behalf of user name
(principal) user@EXAMPLE.COM to any service to be changed to a
S4U2Self ticket with a user name (principal) of
Administrator@EXAMPLE.COM. This ticket would then contain the PAC of
the modified user name (principal).

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.12, 4.9.8 and 4.10.3 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)

=========================
Workaround and Mitigation
=========================

If server does not take privileged actions based on Kerberos tickets
obtained by S4U2Self nor obtains Kerberos tickets via further
S4U2Proxy requests then this issue cannot be exploited.

Note that the path to an exploit is not generic, the KDC is not harmed
by the malicious checksum, it is the client service requesting the
ticket being mislead, because it trusted the KDC to return the correct
ticket and PAC.

It is out of scope for Samba to describe all of the possible tool
chains that might be vulnerable. Here are two examples of possible
exploits in order to explain the issue more clearly.

1). SFU2Self might be used by a web service authenticating an end user
via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
Kerberos service ticket for use by any Kerberos service principal the
web service has a keytab for.  One example is acquiring an AFS token
by requesting an afs/cell@REALM service ticket for a client via
SFU2Self.  With this exploit an organization that deploys a KDC built
from Heimdal (be it Heimdal directly or vendor versions such as found
in Samba) is vulnerable to privilege escalation attacks.

2). If a server authenticates users using X509 certificates, and then
uses S4U2Self to obtain a Kerberos service ticket on behalf of the
user (principal) in order to authorize access to local resources, a
man-in-the-middle attacker could allow a non-privilaged user to access
privilaged resources being protected by the server, or privilaged
resources being protected by a second server, if the first server uses
the S4U2Proxy extension in order to get a new Kerberos service ticket
to obtain access to the second server.

In both these scenarios under conditions allowing man-in-the-middle
active network protocol manipulation, a malicious user could
authenticate using the non-Kerborized credentials of an unprivileged
user, and then elevate its privileges by intercepting the packet from
the server to the KDC and changing the requested user name (principal).

The only Samba clients that use S4U2Self are:

- the "net ads kerberos pac dump" (debugging) tool.

- the CIFS proxy in the deprecated/developer-only NTVFS file
server. Note this code is not compiled or enabled by default.

In particular, winbindd does *not* use S4U2Self.

Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
for Samba AD is understood not to be impacted.

===============
Further Reading
===============

There is more detail on and a description of the protocols in 

[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol
https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/

=======
Credits
=======

Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
Team and Catalyst.

Patches provided by Isaac Boukris.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
Allison.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

Samba 4.10.3 Available for Download

Samba 4.10.3 (gzipped)
Signature

Patch (gzipped) against Samba 4.10.2
Signature

                   ==============================
                   Release Notes for Samba 4.10.3
                            May 14, 2019
                   ==============================


This is a security release in order to address the following defect:

o  CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)


=======
Details
=======

o  CVE-2018-16860:
   The checksum validation in the S4U2Self handler in the embedded Heimdal KDC
   did not first confirm that the checksum was keyed, allowing replacement of
   the requested target (client) principal.

For more details and workarounds, please refer to the security advisory.


Changes since 4.10.2:
---------------------

o  Isaac Boukris <iboukris@gmail.com> 
   * BUG 13685: CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed
     checksum.

Samba 4.10.4 Available for Download

Samba 4.10.4 (gzipped)
Signature

Patch (gzipped) against Samba 4.10.3
Signature

                   ==============================
                   Release Notes for Samba 4.10.4
                            May 22, 2019
                   ==============================


This is the latest stable release of the Samba 4.10 release series.


Changes since 4.10.3:
---------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 13938: s3: SMB1: Don't allow recvfile on stream fsp's.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 13882: py/provision: Fix for Python 2.6.

o  Tim Beale <timbeale@catalyst.net.nz>
   * BUG 13873: netcmd: Fix 'passwordsettings --max-pwd-age' command.

o  Ralph Boehme <slow@samba.org>
   * BUG 13938: s3:smbd: Don't use recvfile on streams.

o  Günther Deschner <gd@samba.org>
   * BUG 13861: s3-libnet_join: 'net ads join' to child domain fails when using
     "-U admin@forestroot".

o  David Disseldorp <ddiss@samba.org>
   * BUG 13896: vfs_ceph: Explicitly enable libcephfs POSIX ACL support.
   * BUG 13940: vfs_ceph: Fix cephwrap_flistxattr() debug message.

o  Amitay Isaacs <amitay@gmail.com>
   * BUG 13895: ctdb-common: Avoid race between fd and signal events.
   * BUG 13943: ctdb-common: Fix memory leak in run_proc.

o  Volker Lendecke <vl@samba.org>
   * BUG 13892: lib: Initialize getline() arguments.
   * BUG 13903: winbind: Fix overlapping id ranges.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 13902: lib util debug: Increase format buffer to 4KiB.
   * BUG 13927: nsswitch pam_winbind: Fix Asan use after free.
   * BUG 13929: s4 lib socket: Ensure address string owned by parent struct.
   * BUG 13936: s3 rpc_client: Fix Asan stack use after scope.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 10097: s3:smbd: Handle IO_REPARSE_TAG_DFS in
     SMB_FIND_FILE_FULL_DIRECTORY_INFO.
   * BUG 10344: smb2_tcon: Avoid STATUS_PENDING completely on tdis.
   * BUG 12845: smb2_sesssetup: avoid STATUS_PENDING responses for session
     setup.
   * BUG 13698: smb2_tcon: Avoid STATUS_PENDING completely on tdis.
   * BUG 13796: smb2_sesssetup: avoid STATUS_PENDING responses for session
     setup.
   * BUG 13843: dbcheck: Fix the err_empty_attribute() check.
   * BUG 13858: vfs_snapper: Drop unneeded fstat handler.
   * BUG 13862: vfs_default: Fix vfswrap_offload_write_send()
     NT_STATUS_INVALID_VIEW_SIZE check.
   * BUG 13863: smb2_server: Grant all 8192 credits to clients.
   * BUG 13919: smbd: Implement SMB_FILE_NORMALIZED_NAME_INFORMATION handling.

o  Anoop C S <anoopcs@redhat.com>
   * BUG 13872: s3/vfs_glusterfs: Dynamically determine NAME_MAX.

o  Robert Sander <r.sander@heinlein-support.de>
   * BUG 13918: s3: modules: ceph: Use current working directory instead of
     share path.

o  Christof Schmitt <cs@samba.org>
   * BUG 13831: winbind: Use domain name from lsa query for sid_to_name cache
     entry.
   * BUG 13865: memcache: Increase size of default memcache to 512k.

o  Andreas Schneider <asn@samba.org>
   * BUG 13857: docs: Update smbclient manpage for "--max-protocol".
   * BUG 13861: 'net ads join' to child domain fails when using
     "-U admin@forestroot".
   * BUG 13937: s3:utils: If share is NULL in smbcacls, don't print it.
   * BUG 13939: s3:smbspool: Fix regression printing with Kerberos credentials.

o  Martin Schwenke <martin@meltin.net>
   * BUG 13860: ctdb-scripts: CTDB restarts failed NFS RPC services by hand,
     which is incompatible with systemd.
   * BUG 13888: ctdb-daemon: Revert "We can not assume that just because we
     could complete a TCP handshake".
   * BUG 13930: ctdb-daemon: Never use 0 as a client ID.
   * BUG 13943: ctdb-common: Fix memory leak.

o  Ralph Wuerthner <ralph.wuerthner@de.ibm.com>
   * BUG 13904: s3:debug: Enable logging for early startup failures.

[Douglas R. Reno]

For anyone interested in running the developer test suite (make test - I recommend running it before doing a security update to this package), the following new dependencies are needed:

• cmocka (think it's already listed)
• BIND9 (should have it at least installed, but not sure if running it is a requirement)
• cwrap
• dnspython

I don't recommend adding cmocka, cwrap, and dnspython to the book, but instead I think listing them as optional external dependencies is a better idea. I'll probably get this going here in around an hour and let it run for a bit.

[Douglas R. Reno]

Add the vulnerability IDs to the title

[Douglas R. Reno]

Fixed at r21659

[Bruce Dubbs]

Milestone renamed