Opened 8 years ago

Closed 8 years ago

#7533 closed enhancement (fixed)

samba-4.4.0

Reported by: bdubbs@…
Owned by: blfs-book
Priority: high
Milestone: 7.10
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version

Change History (8)

comment:1 by Douglas R. Reno, 8 years ago

Priority: normal → high

This is a security release in order to address the following CVEs:

o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
o CVE-2016-0771 (Out-of-bounds read in internal DNS server)

======= Details =======

o CVE-2015-7560:

All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.

o CVE-2016-0771:

All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as an AD DC and choose to run the internal DNS server, are vulnerable to an out-of-bounds read issue during DNS TXT record handling caused by users with permission to modify DNS records.

A malicious client can upload a specially constructed DNS TXT record, resulting in a remote denial-of-service attack. As long as the affected TXT record remains undisturbed in the Samba database, a targeted DNS query may continue to trigger this exploit.

While unlikely, the out-of-bounds read may bypass safety checks and allow leakage of memory from the server in the form of a DNS TXT reply.

By default only authenticated accounts can upload DNS records, as "allow dns updates = secure only" is the default. Any other value would allow anonymous clients to trigger this bug, which is a much higher risk.

comment:2 by Douglas R. Reno, 8 years ago (in reply to comment:1)

Replying to renodr:

This is a security release in order to address the following CVEs:

o CVE-2015-7560 (Incorrect ACL get/set allowed on symlink path)
o CVE-2016-0771 (Out-of-bounds read in internal DNS server)

======= Details =======

o CVE-2015-7560:

All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to create a symlink to a file or directory, and then use non-UNIX SMB1 calls to overwrite the contents of the ACL on the file or directory linked to.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-7560 SEVERITY: MEDIUM

o CVE-2016-0771:

All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as an AD DC and choose to run the internal DNS server, are vulnerable to an out-of-bounds read issue during DNS TXT record handling caused by users with permission to modify DNS records.

A malicious client can upload a specially constructed DNS TXT record, resulting in a remote denial-of-service attack. As long as the affected TXT record remains undisturbed in the Samba database, a targeted DNS query may continue to trigger this exploit.

While unlikely, the out-of-bounds read may bypass safety checks and allow leakage of memory from the server in the form of a DNS TXT reply.

By default only authenticated accounts can upload DNS records, as "allow dns updates = secure only" is the default. Any other value would allow anonymous clients to trigger this bug, which is a much higher risk.

https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-0771 SEVERITY: MEDIUM
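The two advisories quoted in comment:1 and comment:2 give an affected version range for each CVE, and for CVE-2016-0771 a configuration condition (AD DC running the internal DNS server) plus the "allow dns updates" caveat. The following audit helper is an added example, not part of this ticket, of BLFS, or of Samba: it encodes exactly those ranges and conditions so a host can be checked from the output of `smbd --version` and its smb.conf. The sample version line and smb.conf fragments are constructed for the example; the internal-DNS test (AD DC role, and no "-dns" in "server services", the usual BIND9_DLZ setup) is a simplification and an assumption of this example. Note that a release candidate must sort before its final release (4.4.0rc3 is affected, 4.4.0 is not), which a naive string or `sort -V` comparison gets wrong.

```python
"""Audit helper for CVE-2015-7560 and CVE-2016-0771 (added example, not Samba code)."""
import re
from typing import Dict, List, Tuple

RELEASE = 10**6  # sentinel: a final release sorts after any rc of the same number
_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)(?:rc(\d+))?\b")


def parse_version(text: str) -> Tuple[int, int, int, int]:
    """'Version 4.4.0rc3' -> (4, 4, 0, 3); 'Version 4.4.0' -> (4, 4, 0, RELEASE)."""
    m = _VERSION_RE.search(text)
    if not m:
        raise ValueError("unrecognised Samba version string: %r" % text)
    major, minor, patch, rc = m.groups()
    return (int(major), int(minor), int(patch), int(rc) if rc else RELEASE)


def in_range(version: str, lo: str, hi: str) -> bool:
    """Inclusive range test on parsed versions."""
    return parse_version(lo) <= parse_version(version) <= parse_version(hi)


# Affected ranges exactly as stated in the advisory text above.
CVE_2015_7560 = ("3.2.0", "4.4.0rc3")   # any smbd
CVE_2016_0771 = ("4.0.0", "4.4.0rc3")   # AD DC with internal DNS only


def smbconf_global(conf_text: str) -> Dict[str, str]:
    """Return the [global] parameters of an smb.conf as a dict.

    Samba parameter names are case-insensitive and ignore internal spaces
    ('allow dns updates' == 'allowdnsupdates'), so keys are normalised that way.
    Only whole-line comments (# or ;) are recognised, as in smb.conf itself.
    """
    params: Dict[str, str] = {}
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[re.sub(r"\s+", "", key).lower()] = value.strip()
    return params


def assess(version_line: str, conf_text: str) -> List[str]:
    """Return human-readable findings for the two CVEs; an empty list means not exposed."""
    findings: List[str] = []
    g = smbconf_global(conf_text)

    if in_range(version_line, *CVE_2015_7560):
        findings.append("CVE-2015-7560: version in affected range; "
                        "authenticated SMB1 clients can set ACLs through symlinks")

    # The internal DNS server only matters on an AD DC. Samba runs it for that
    # role unless 'server services' removes it ('-dns'). Simplified check
    # (assumption of this example); 'domain controller' / 'dc' are role aliases.
    role = g.get("serverrole", "").lower()
    is_ad_dc = role in ("active directory domain controller", "domain controller", "dc")
    services = g.get("serverservices", "").replace(" ", "")
    internal_dns = is_ad_dc and "-dns" not in services

    if internal_dns and in_range(version_line, *CVE_2016_0771):
        # Default is 'secure only' (authenticated updates). 'disabled' accepts no
        # dynamic updates at all; any other value also accepts unauthenticated
        # updates, so anonymous clients could plant the malicious TXT record.
        updates = g.get("allowdnsupdates", "secure only").lower()
        if updates == "disabled":
            who = "dynamic updates disabled; only records already in the database are a risk"
        elif updates == "secure only":
            who = "authenticated accounts can plant a malicious TXT record"
        else:
            who = "ANONYMOUS clients can plant a malicious TXT record (allow dns updates = %s)" % updates
        findings.append("CVE-2016-0771: AD DC with internal DNS in affected range; " + who)
    return findings


# Constructed sample inputs for the example (not taken from any real host).
SAMPLE_VERSION = "Version 4.3.6"
SAMPLE_CONF_DC = """
[global]
    server role = active directory domain controller
    ; the default is 'secure only'; this host widened it
    allow dns updates = nonsecure and secure
"""
SAMPLE_CONF_FILESERVER = """
[global]
    server role = standalone server
"""

if __name__ == "__main__":
    for finding in assess(SAMPLE_VERSION, SAMPLE_CONF_DC):
        print(finding)
```

On a live host the two inputs are `smbd --version` and the output of `testparm -s` (which prints the effective [global] section with defaults resolved), so a widened "allow dns updates" cannot hide in an include file.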

comment:3 by Douglas R. Reno, 8 years ago

Owner: changed from blfs-book@… to Douglas R. Reno
Status: new → assigned

After discussion with Bruce, I have decided to accept the KRB and Samba updates for trunk as well as systemd. Note: even though it is April 1st, this is not an April Fools joke!

comment:4 by Douglas R. Reno, 8 years ago

I should be able to start working on this and KRB5 tomorrow. I also bought a miniature book on Samba to aid me here.

comment:5 by Douglas R. Reno, 8 years ago

Owner: changed from Douglas R. Reno to blfs-book
Status: assigned → new

Won't have time to work on it anytime soon.

comment:6 by bdubbs@…, 8 years ago

Summary: samba-4.3.6 → samba-4.4.0

Now version 4.4.0

comment:7 by bdubbs@…, 8 years ago

There is an interesting line output from configure:

Checking getconf LFS_CFLAGS : not found

I wonder what that is?

comment:8 by bdubbs@…, 8 years ago

Resolution: fixed
Status: new → closed

Fixed at revision 17247.
