Opened 7 years ago

Closed 7 years ago

#8481 closed enhancement (fixed)

samba-4.5.3 (CVE-2016-2123 CVE-2016-2125 CVE-2016-2126)

Reported by: bdubbs@… Owned by: Douglas R. Reno
Priority: high Milestone: 8.0
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description (last modified by Douglas R. Reno)

New point version

                   =============================
                   Release Notes for Samba 4.5.1
                          October 26, 2016
                   =============================


This is the latest stable release of the Samba 4.5 release series.

Major enhancements in Samba 4.5.1 include:

o  Let winbindd discard expired kerberos tickets when built against
   (internal) heimdal (BUG #12369).
o  REGRESSION: smbd segfaults on startup, tevent context being freed
   (BUG #12283).
                   =============================
                   Release Notes for Samba 4.5.3
                          December 19, 2016
                   =============================


This is a security release in order to address the following defects:

o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
   Overflow Remote Code Execution Vulnerability).
o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
   trusted realms).
o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
   elevation).

=======
Details
=======

o  CVE-2016-2123:
   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
   parses data from the Samba Active Directory ldb database.  Any user
   who can write to the dnsRecord attribute over LDAP can trigger this
   memory corruption.

   By default, all authenticated LDAP users can write to the dnsRecord
   attribute on new DNS objects. This makes the defect a remote privilege
   escalation.

o  CVE-2016-2125
   Samba client code always requests a forwardable ticket
   when using Kerberos authentication. This means the
   target server, which must be in the current or trusted
   domain/realm, is given a valid general purpose Kerberos
   "Ticket Granting Ticket" (TGT), which can be used to
   fully impersonate the authenticated user or service.

o  CVE-2016-2126
   A remote, authenticated, attacker can cause the winbindd process
   to crash using a legitimate Kerberos ticket due to incorrect
   handling of the arcfour-hmac-md5 PAC checksum.

   A local service with access to the winbindd privileged pipe can
   cause winbindd to cache elevated access permissions.


Changes since 4.5.2:
--------------------

o  Volker Lendecke <vl@samba.org>
   * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
   * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
     check_pac_checksum().
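The defect class described for CVE-2016-2123 above (an integer wrap in a length computation, leaving a parser with a buffer smaller than the data it copies) is easy to misread without code. The following is an added example, not Samba's code and not the real dnsp_name layout: it defines a constructed, hypothetical wire format (a component count followed by one-byte-length-prefixed components), shows a length accumulator that silently wraps beside a checked version, and decodes only after the checked pass succeeds. All function names (`total_len_wrapping`, `total_len_checked`, `decode_name`, `build_sample`) and the format itself are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (hypothetical; not Samba's real
 * dnsp_name layout): [count: u8] followed by `count` components, each
 * [len: u8][len bytes]. The decoded name is the components joined by '.'. */

/* Defective pattern: the running total is kept in the same narrow type as the
 * per-component lengths, so it wraps once the sum passes 255. A caller that
 * sizes a buffer from this value gets one that is too small for the copy. */
uint8_t total_len_wrapping(const uint8_t *buf, size_t buflen) {
    if (buflen < 1) return 0;
    uint8_t count = buf[0];
    size_t pos = 1;
    uint8_t total = 0;
    for (uint8_t i = 0; i < count; i++) {
        if (pos >= buflen) return 0;
        uint8_t len = buf[pos++];
        if (len > buflen - pos) return 0;
        pos += len;
        total = (uint8_t)(total + len + 1);     /* wraps modulo 256 */
    }
    return total;
}

/* Hardened version: widen the accumulator, reject a wrap explicitly, and bound
 * the result by the destination size before anything is allocated or written.
 * Returns false on truncated input, overflow, or a name too large for max_out. */
bool total_len_checked(const uint8_t *buf, size_t buflen, size_t max_out,
                       size_t *out_len) {
    if (buflen < 1) return false;
    uint8_t count = buf[0];
    size_t pos = 1;
    size_t total = 0;
    for (uint8_t i = 0; i < count; i++) {
        if (pos >= buflen) return false;            /* length byte missing */
        uint8_t len = buf[pos++];
        if (len > buflen - pos) return false;       /* component runs past end */
        pos += len;
        size_t add = (size_t)len + 1;               /* '.' or terminating NUL */
        if (add > SIZE_MAX - total) return false;   /* would wrap */
        total += add;
        if (total > max_out) return false;          /* exceeds destination */
    }
    if (total == 0) total = 1;                      /* empty name: just the NUL */
    *out_len = total;
    return true;
}

/* Decode into a fixed-size destination only after the checked length pass,
 * so no write can exceed dstlen regardless of the component lengths. */
bool decode_name(const uint8_t *buf, size_t buflen, char *dst, size_t dstlen) {
    size_t need;
    if (!total_len_checked(buf, buflen, dstlen, &need)) return false;
    uint8_t count = buf[0];
    size_t pos = 1, w = 0;
    for (uint8_t i = 0; i < count; i++) {
        uint8_t len = buf[pos++];
        if (i > 0) dst[w++] = '.';
        memcpy(dst + w, buf + pos, len);
        w += len;
        pos += len;
    }
    dst[w] = '\0';
    return true;
}

/* Constructed sample input: three components of 100 bytes each, so the true
 * output length (303) exceeds what an 8-bit accumulator can hold. */
size_t build_sample(uint8_t *buf, size_t buflen) {
    const size_t need = 1 + 3 * (1 + 100);
    if (buflen < need) return 0;
    buf[0] = 3;
    size_t pos = 1;
    for (int i = 0; i < 3; i++) {
        buf[pos++] = 100;
        memset(buf + pos, 'a' + i, 100);
        pos += 100;
    }
    return pos;
}

int main(void) {
    uint8_t buf[512];
    size_t n = build_sample(buf, sizeof buf);
    size_t need = 0;
    bool ok = total_len_checked(buf, n, 1024, &need);
    printf("wrapping accumulator says %u bytes; checked pass says %s %zu bytes\n",
           total_len_wrapping(buf, n), ok ? "ok," : "rejected,", need);
    return 0;
}
```

Run as-is, the wrapping accumulator reports 47 bytes for a name that actually needs 303, which is exactly the gap an attacker-controlled copy would fill; the checked pass reports 303, and refuses outright when the destination is smaller than that.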

Change History (7)

comment:1 by Samuel, 7 years ago

Description: modified (diff)

Added changes

comment:2 by Douglas R. Reno, 7 years ago

Owner: changed from blfs-book@… to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 7 years ago

Summary: samba-4.5.1 → samba-4.5.2

Now version 4.5.2. Lots of important changes, but I can't assign a security issue to them, hence staying normal priority.

comment:4 by bdubbs@…, 7 years ago

Milestone: 7.11 → 8.0

Milestone renamed

comment:5 by Douglas R. Reno, 7 years ago

Description: modified (diff)
Priority: normal → lowest
Summary: samba-4.5.2 → samba-4.5.3 (CVE-2016-2123 CVE-2016-2125 CVE-2016-2126)

Updating description. This update is now severe enough to be critical. Expediting.

comment:6 by Douglas R. Reno, 7 years ago

Priority: lowest → high

Bump it properly.

comment:7 by Douglas R. Reno, 7 years ago

Resolution: fixed
Status: assigned → closed

Fixed at r18113

See Ticket #8693 - Python modules still need to be added. Submitted w/out Test Suite instructions.
