{{{
=============================
Release Notes for Samba 4.5.3
December 19, 2016
=============================


This is a security release in order to address the following defects:

o CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
  Overflow Remote Code Execution Vulnerability).
o CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
  trusted realms).
o CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
  elevation).

=======
Details
=======

o CVE-2016-2123:
  The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
  leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
  parses data from the Samba Active Directory ldb database. Any user
  who can write to the dnsRecord attribute over LDAP can trigger this
  memory corruption.

  By default, all authenticated LDAP users can write to the dnsRecord
  attribute on new DNS objects. This makes the defect a remote privilege
  escalation.
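The integer-wrap class of defect described above, as an added illustration that is not Samba's code: a bounds-checked parser for an assumed, simplified label record (a count byte, then length-prefixed labels, which is not the real dnsp_name encoding) that keeps its running length in size_t and checks each label against the room left in the output buffer instead of growing a narrow counter.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Assumed, simplified record layout (not Samba's real dnsp_name encoding): a
 * count byte, then `count` labels, each a length byte plus that many bytes.
 * Labels are joined with '.' into out (out_cap bytes incl. NUL); on error out is undefined. */
enum parse_rc { PARSE_OK = 0, PARSE_TRUNCATED, PARSE_TOO_LONG, PARSE_BAD_ARG };

enum parse_rc parse_labels(const uint8_t *buf, size_t len, char *out, size_t out_cap)
{
    size_t off = 1, total = 0;   /* total is size_t: never a narrow accumulator */
    if (buf == NULL || out == NULL || out_cap == 0 || len < 1) return PARSE_BAD_ARG;
    uint8_t count = buf[0];
    for (unsigned i = 0; i < count; i++) {
        if (off >= len) return PARSE_TRUNCATED;
        uint8_t sublen = buf[off++];
        if (sublen > len - off) return PARSE_TRUNCATED;          /* input too short */
        size_t add = (size_t)sublen + (i + 1 < count ? 1 : 0);   /* label and '.' */
        /* Check against the room left (out_cap - 1 - total, never negative by
         * construction) instead of growing a running length: a running uint8_t
         * would wrap past 255 and the memcpy below would overrun out, which is
         * the integer-wrap class the notes describe for ndr_pull_dnsp_name. */
        if (add > out_cap - 1 - total) return PARSE_TOO_LONG;
        memcpy(out + total, buf + off, sublen);
        off += sublen;
        total += sublen;
        if (i + 1 < count) out[total++] = '.';
    }
    out[total] = '\0';
    return PARSE_OK;
}

/* Constructed sample: labels "www" and "example". Returns 1 on "www.example". */
int demo_valid(void)
{
    static const uint8_t rec[] = {2, 3,'w','w','w', 7,'e','x','a','m','p','l','e'};
    char out[64];
    return parse_labels(rec, sizeof rec, out, sizeof out) == PARSE_OK &&
           strcmp(out, "www.example") == 0;
}

/* Constructed sample: three 100-byte labels need 303 output bytes, which a
 * uint8_t running length would wrap to 47. Returns 1 if the parser refuses. */
int demo_overlong(void)
{
    uint8_t rec[1 + 3 * 101] = {3};
    char out[256];
    for (size_t i = 0; i < 3; i++) {
        rec[1 + i * 101] = 100;
        memset(rec + 2 + i * 101, 'a', 100);
    }
    return parse_labels(rec, sizeof rec, out, sizeof out) == PARSE_TOO_LONG;
}
```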

o CVE-2016-2125:
  Samba client code always requests a forwardable ticket
  when using Kerberos authentication. This means the
  target server, which must be in the current or trusted
  domain/realm, is given a valid general purpose Kerberos
  "Ticket Granting Ticket" (TGT), which can be used to
  fully impersonate the authenticated user or service.

o CVE-2016-2126:
  A remote, authenticated attacker can cause the winbindd process
  to crash using a legitimate Kerberos ticket due to incorrect
  handling of the arcfour-hmac-md5 PAC checksum.

  A local service with access to the winbindd privileged pipe can
  cause winbindd to cache elevated access permissions.


Changes since 4.5.2:
--------------------

o Volker Lendecke <vl@samba.org>
  * BUG 12409: CVE-2016-2123: Fix DNS vuln ZDI-CAN-3995.

o Stefan Metzmacher <metze@samba.org>
  * BUG 12445: CVE-2016-2125: Don't send delegated credentials to all servers.
  * BUG 12446: CVE-2016-2126: auth/kerberos: Only allow known checksum types in
    check_pac_checksum().

}}}