Changes between Version 1 and Version 5 of Ticket #8481


Timestamp:
12/22/2016 02:01:51 PM
Author:
Douglas R. Reno
Comment:

Updating description. This update is now severe enough to be critical. Expediting.

  • Ticket #8481

    • Property Owner changed from blfs-book@… to Douglas R. Reno
    • Property Status changed from new to assigned
    • Property Summary changed from samba-4.5.1 to samba-4.5.3 (CVE-2016-2123 CVE-2016-2125 CVE-2016-2126)
    • Property Milestone changed from 7.11 to 8.0
    • Property Priority changed from normal to lowest
  • Ticket #8481 – Description

    v1  v5
    17  17     (BUG #12283).
    18  18  }}}
        19  
        20  
        21  {{{
        22  =============================
        23                     Release Notes for Samba 4.5.3
        24                            December 19, 2016
        25                     =============================
        26  
        27  
        28  This is a security release in order to address the following defects:
        29  
        30  o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
        31     Overflow Remote Code Execution Vulnerability).
        32  o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
        33     trusted realms).
        34  o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
        35     elevation).
        36  
        37  =======
        38  Details
        39  =======
        40  
        41  o  CVE-2016-2123:
        42     The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
        43     leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
        44     parses data from the Samba Active Directory ldb database.  Any user
        45     who can write to the dnsRecord attribute over LDAP can trigger this
        46     memory corruption.
        47  
        48     By default, all authenticated LDAP users can write to the dnsRecord
        49     attribute on new DNS objects. This makes the defect a remote privilege
        50     escalation.
        51  
        52  o  CVE-2016-2125
        53     Samba client code always requests a forwardable ticket
        54     when using Kerberos authentication. This means the
        55     target server, which must be in the current or trusted
        56     domain/realm, is given a valid general purpose Kerberos
        57     "Ticket Granting Ticket" (TGT), which can be used to
        58     fully impersonate the authenticated user or service.
        59  
        60  o  CVE-2016-2126
        61     A remote, authenticated, attacker can cause the winbindd process
        62     to crash using a legitimate Kerberos ticket due to incorrect
        63     handling of the arcfour-hmac-md5 PAC checksum.
        64  
        65     A local service with access to the winbindd privileged pipe can
        66     cause winbindd to cache elevated access permissions.
        67  
        68  
        69  Changes since 4.5.2:
        70  --------------------
        71  
        72  o  Volker Lendecke <vl@samba.org>
        73     * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.
        74  
        75  o  Stefan Metzmacher <metze@samba.org>
        76     * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
        77     * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
        78       check_pac_checksum().
        79  
        80  }}}
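The integer-wrap class described under CVE-2016-2123 in the release notes above, as an added example in C. This is not Samba's code and not a reproduction of the real ndr_pull_dnsp_name bug: it is a cut-down decoder for an assumed wire layout (one length byte, one component count, then each component prefixed by a one-byte sublen) that builds a dotted name, shown once with the running length kept in a uint8_t and once with checked size_t arithmetic. The inputs are constructed; the naive variant computes how far a copy would overrun its allocation instead of performing it, so the program is safe to run.

```c
/* Added example, not Samba code.  Assumed layout: uint8 len, uint8 count,
 * then `count` components each prefixed by a uint8 sublen.  Inputs below
 * are constructed, not captured from a real dnsRecord attribute. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DNSP_MAX_NAME 255 /* assumed ceiling: a one-byte length cannot express more */

/* Naive decoder, modelled rather than executed: the allocation size `newlen`
 * is a uint8_t and wraps mod 256, while `sublen` bytes would still be copied
 * at offset total_len-1.  Returns the largest number of bytes a component
 * would write past the end of its (wrapped) buffer; > 0 means heap overflow.
 * The memcpy is deliberately not performed. */
size_t naive_overflow_bytes(const uint8_t *buf, size_t buflen)
{
    size_t worst = 0;
    if (buflen < 2)
        return 0;
    uint8_t count = buf[1];  /* buf[0] is the length byte; not consulted here */
    size_t off = 2;
    uint8_t total_len = 1;   /* slot for the terminating NUL */
    for (unsigned i = 0; i < count; i++) {
        if (off >= buflen)
            return worst;
        uint8_t sublen = buf[off++];
        if (sublen > buflen - off)
            return worst;
        /* wraps: 202 + 100 becomes 46 */
        uint8_t newlen = (uint8_t)(total_len + sublen + (i + 1 < count ? 1 : 0));
        int over = (int)total_len - 1 + (int)sublen - (int)newlen; /* bytes past buffer */
        if (over > 0 && (size_t)over > worst)
            worst = (size_t)over;
        off += sublen;
        total_len = newlen;
    }
    return worst;
}

/* Checked decoder: accumulate in size_t and bound by the input and by the
 * 8-bit ceiling before allocating.  Returns a malloc'ed dotted string, or
 * NULL for any truncated or oversized input. */
char *dnsp_name_pull_checked(const uint8_t *buf, size_t buflen)
{
    if (buflen < 2)
        return NULL;
    uint8_t count = buf[1];
    size_t off = 2;
    size_t total_len = 1;
    int ok = 1;
    char *ret = calloc(1, 1);
    if (ret == NULL)
        return NULL;
    for (unsigned i = 0; ok && i < count; i++) {
        int last = (i + 1 == count);
        if (off >= buflen) { ok = 0; break; }
        uint8_t sublen = buf[off++];
        if (sublen > buflen - off) { ok = 0; break; }
        size_t newlen = total_len + sublen + (last ? 0 : 1);
        if (newlen > DNSP_MAX_NAME + 1) { ok = 0; break; } /* would not fit the length byte */
        char *tmp = realloc(ret, newlen);
        if (tmp == NULL) { ok = 0; break; }
        ret = tmp;
        memcpy(ret + total_len - 1, buf + off, sublen);
        if (!last)
            ret[newlen - 2] = '.';
        ret[newlen - 1] = '\0';
        off += sublen;
        total_len = newlen;
    }
    if (!ok) { free(ret); return NULL; }
    return ret;
}

/* Constructed benign input: components "abc" and "de". */
const uint8_t short_sample[] = { 7, 2, 3, 'a', 'b', 'c', 2, 'd', 'e' };

/* Constructed hostile input: components of 200 and 100 bytes, so the second
 * step wraps 302 to 46.  out must hold at least 304 bytes; returns the count. */
size_t build_long_sample(uint8_t *out)
{
    size_t off = 0;
    out[off++] = 0xFF;   /* length byte; cannot express the true size */
    out[off++] = 2;
    out[off++] = 200; memset(out + off, 'a', 200); off += 200;
    out[off++] = 100; memset(out + off, 'b', 100); off += 100;
    return off;
}

int main(void)
{
    uint8_t buf[512];
    size_t n = build_long_sample(buf);
    char *name = dnsp_name_pull_checked(short_sample, sizeof short_sample);
    printf("short: checked=\"%s\" naive overrun=%zu bytes\n",
           name ? name : "(rejected)", naive_overflow_bytes(short_sample, sizeof short_sample));
    free(name);
    name = dnsp_name_pull_checked(buf, n);
    printf("long:  checked=%s naive overrun=%zu bytes past a 46-byte buffer\n",
           name ? name : "rejected", naive_overflow_bytes(buf, n));
    free(name);
    return 0;
}
```

The point to carry over to real parsers: the width of the accumulator, not of the individual length field, decides whether the allocation matches the copy, and the bound has to be checked before the realloc, because the copy that follows trusts it.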