#12665 closed enhancement (fixed)

samba-4.11.6

Reported by: Douglas R. Reno
Owned by: Douglas R. Reno
Priority: high
Milestone: 9.1
Component: BOOK
Version: SVN
Severity: normal
Keywords:
Cc:

Description

New point version

Change History (14)

comment:1 by Douglas R. Reno, 22 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:2 by Douglas R. Reno, 22 months ago

Priority: normal → high
Summary: samba-4.11.1 → samba-4.11.2
Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2019-10218: Client code can return filenames containing path separators.
o CVE-2019-14833: Samba AD DC check password script does not receive the full
                  password.
o CVE-2019-14847: User with "get changes" permission can crash AD DC LDAP server
                  via dirsync.

=======
Details
=======

o  CVE-2019-10218:
   Malicious servers can cause Samba client code to return filenames containing
   path separators to calling code.

o  CVE-2019-14833:
   When the password contains multi-byte (non-ASCII) characters, the check
   password script does not receive the full password string.

o  CVE-2019-14847:
   Users with the "get changes" extended access right can crash the AD DC LDAP
   server by requesting an attribute using the range= syntax.

For more details and workarounds, please refer to the security advisories.


Changes:
--------

o  Jeremy Allison <jra@samba.org>
   * BUG 14071: CVE-2019-10218 - s3: libsmb: Protect SMB1 and SMB2 client code
     from evil server returned names.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 12438: CVE-2019-14833: Use utf8 characters in the unacceptable
     password.
   * BUG 14040: CVE-2019-14847 dsdb: Correct behaviour of ranged_results when
     combined with dirsync.

o  Björn Baumbach <bb@sernet.de>
   * BUG 12438: CVE-2019-14833 dsdb: Send full password to check password
     script.

comment:3 by Douglas R. Reno, 21 months ago

Milestone: 9.1 → hold
Priority: high → low
Summary: samba-4.11.2 → samba-4.11.2 (hold until next release).

There are some major problems with this one, as I've discovered recently (and reported upstream). Holding until the next release, where I will re-evaluate.

comment:4 by Tim Tassonis, 21 months ago

Could you tell me what those problems are? Because I just upgraded a fileserver with 20 users to 4.11.2 and after reading your comment, I'm suddenly feeling a bit uncomfortable about that now.

comment:5 by Douglas R. Reno, 21 months ago

Hi Tim,

I was having a lot of problems with this one, most of which have been acknowledged upstream as having fixes in 4.11.3 whenever it comes out (I note that Arch is still on 4.10.x in their Extra repo, 4.11.2 hasn't left testing yet).

A majority of my problems are with the stability of the file server. I have Windows-based clients here ranging from XP (although I don't really use those with Samba, I have a 2012r2 machine for that, and they're all on once or twice a month anyway), all the way to Windows 10. My Windows 7, 8.1, and 10 machines would drop connections during large (100+ MB) file transfers, and I'd come over to my samba server to see that it came up with a NT_STATUS_INSUFFICIENT_MEMORY. The Samba process itself is only using 250MB of RAM at this point, out of the 16GB that I have available on this system (not including swap!).

Eventually, smbd crashes with a segmentation fault and a subsequent malloc error. I had a chat with folks on Samba's IRC the other day and they told me to downgrade because it's a problem with 4.11.2, which was carried over from 4.11.1.

Sometimes I cannot get smbd to start at all, hanging after printing some diagnostic messages to the console. I've traced this down to an invalid memory access in smbd itself, based off where it begins parsing the configuration file (sometimes it parses from top to bottom, sometimes it parses based off individual sections (individual sections is where the fault lies)).

comment:6 by Douglas R. Reno, 19 months ago

Summary: samba-4.11.2 (hold until next release). → samba-4.11.4 (hold until next release).

Waiting for 4.11.5 (Tuesday potentially) for Python-3.8 fixes and more security fixes.

Now 4.11.4 though

comment:7 by Douglas R. Reno, 19 months ago

Priority: low → high
Summary: samba-4.11.4 (hold until next release). → samba-4.11.5 (hold until next release).

The situation is a bit more dire now.

Promoting to High, and adding 4.11.5 and its security fixes into this ticket.

I've begun upgrading a few things needed for testing on my tester system (so that way I can run the devtest suite), and starting my firefox builds on the other.

There are still no Python-3.8 fixes committed from what I can see. I'll give them a spin and put them into the book if they work.

comment:8 by Douglas R. Reno, 19 months ago

CVE-2019-14902

CVE-2019-14902.html

===========================================================
== Subject:     Replication of ACLs set to inherit down a
==              subtree on AD Directory not automatic
==
== CVE ID#:     CVE-2019-14902 
==
== Versions:    Samba 4.0 and later
==
== Summary:     The implementation of ACL inheritance in the
==              Samba AD DC was not complete, and so absent a
==              'full-sync' replication, ACLs could get out of
==              sync between domain controllers.
===========================================================

===========
Description
===========

A newly delegated right, but more importantly the removal of a
delegated right, would not be inherited on any DC other than the one
where the change was made.

For example:
 - if a user or group was previously delegated the right to
create or modify a subtree (say to allow desktop support to reset
passwords and create users)
 - and subsequently this right was taken away

The removal would not automatically be taken away on all domain
controllers.

Because this patch only fixes new replication into the future, it is
vital that a full-sync be done TO each Domain Controller to ensure
each ACL (ntSecurityDescriptor) is re-calculated on the whole set of
DCs.  See the instructions in "workaround and required steps
post-upgrade" below.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

==========================================
Workaround and required steps post-upgrade
==========================================

Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause
all ACLs to be synchronised from DC2 to DC1, for the given NC (naming
context), eg:

samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync 
samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync 

samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync 
samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

Internally both in patched and un-patched versions, for every object
replicated with a --full-sync, the inheritance will be correctly
calculated.  This only needs to be done TO each DC, not for each
pair-wise pair.

=======
Credits
=======

Reported by a number of Samba users and sites since 2017, but now
recognised as a security issue after triage.  We apologise for the
delay in dealing with this issue.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.

Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2019-14907

CVE-2019-14907.html

===========================================================
== Subject:     Crash after failed character conversion at
==              log level 3 or above
==
== CVE ID#:     CVE-2019-14907
==
== Versions:    Samba 4.0 and later versions
==
== Summary:     When processing untrusted string input Samba
==              can read past the end of the allocated buffer
==              when printing a "Conversion error" message
==              to the logs.
==
===========================================================

===========
Description
===========

If samba is set with "log level = 3" (or above) then the string
obtained from the client, after a failed character conversion, is
printed.  Such strings can be provided during the NTLMSSP
authentication exchange.

In the Samba AD DC in particular, this may cause a long-lived process
(such as the RPC server) to terminate.  (In the file server case, the
most likely target, smbd, operates as process-per-client and so a
crash there is harmless).

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

Do not set a log level of 3 or above in production.

=======
Credits
=======

Originally reported by Robert Święcki using a fuzzer he wrote.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2019-19344

CVE-2019-19344.html

===========================================================
== Subject:     Use after free during DNS zone scavenging
==              in Samba AD DC
==
== CVE ID#:     CVE-2019-19344
==
== Versions:    Samba 4.9 and later versions
==
== Summary:     During DNS zone scavenging (of expired dynamic
==              entries) there is a read of memory after it has
==              been freed.
===========================================================

===========
Description
===========

Samba 4.9 introduced an off-by-default feature to tombstone
dynamically created DNS records that had reached their expiry time.

This feature is controlled by the smb.conf option:
 dns zone scavenging = yes

There is a use-after-free issue in this code, essentially due to a
call to realloc() while other local variables still point at the
original buffer.

The use is a read, but in quite unlikely conditions (due to NDR
validation unpacking the buffer) that read memory might be saved back
into the DB.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The code in question is not run in the default configuration, so
the workaround is simply to not set
 dns zone scavenging = yes

=======
Credits
=======

Originally reported by Christian Naumer.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

4.11.5 changelog

                   ==============================
                   Release Notes for Samba 4.11.5
                          January 21, 2020
                   ==============================


This is a security release in order to address the following defects:

o CVE-2019-14902: Replication of ACLs set to inherit down a subtree on AD
                  Directory not automatic.
o CVE-2019-14907: Crash after failed character conversion at log level 3 or
                  above.
o CVE-2019-19344: Use after free during DNS zone scavenging in Samba AD DC.


=======
Details
=======

o  CVE-2019-14902:
   The implementation of ACL inheritance in the Samba AD DC was not complete,
   and so absent a 'full-sync' replication, ACLs could get out of sync between
   domain controllers.

o  CVE-2019-14907:
   When processing untrusted string input Samba can read past the end of the
   allocated buffer when printing a "Conversion error" message to the logs.

o  CVE-2019-19344:
   During DNS zone scavenging (of expired dynamic entries) there is a read of
   memory after it has been freed.

For more details and workarounds, please refer to the security advisories.


Changes since 4.11.4:
---------------------

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 12497: CVE-2019-14902: Replication of ACLs down subtree on AD Directory
     not automatic.
   * BUG 14208: CVE-2019-14907: lib/util: Do not print the failed to convert
     string into the logs.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14050: CVE-2019-19344: kcc dns scavenging: Fix use after free in
     dns_tombstone_records_zone.

Also, here is a link to the Python-3.8 bug report:

https://bugzilla.samba.org/show_bug.cgi?id=14209

The Python-3.8 fixes were submitted to the test branch, but not cut as part of the stable release. My guess is that it's because they wanted the security fixes out faster (although if it doesn't work with Python-3.8, which is also what Arch uses, why release it? :) )
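
The --full-sync workaround from the CVE-2019-14902 advisory quoted above, written out as a small POSIX shell script. This is an added example, not code from the Samba advisory, the Samba project or this ticket. It generalises the advisory's two-DC listing to any number of DCs, following the advisory's rule that the full-sync is done TO each DC from one other DC rather than for every pair-wise combination. The DC names and naming contexts are placeholders supplied by the caller, and SAMBA_TOOL and DRY_RUN are this script's own variables, not samba-tool options.

```shell
#!/bin/sh
# Added example (not from the Samba advisory or this ticket): build, and
# optionally run, the post-upgrade --full-sync replication for CVE-2019-14902.
# SAMBA_TOOL and DRY_RUN are knobs of this script, not of samba-tool.
SAMBA_TOOL="${SAMBA_TOOL:-samba-tool}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = execute them

# full_sync_plan "DC1 DC2 ..." "NC1 NC2 ..."
# Prints one "samba-tool drs replicate DEST SRC NC --full-sync" line per
# (destination DC, naming context). Every DC is a destination exactly once,
# pulling from one other DC, which is what the advisory requires: the sync
# must be done TO each DC, not for each pair of DCs.
full_sync_plan() {
    dcs=$1
    ncs=$2
    set -- $dcs
    if [ $# -lt 2 ]; then
        echo "full_sync_plan: need at least two DCs" >&2
        return 1
    fi
    first=$1
    second=$2
    for dest in $dcs; do
        # Source is the first DC, except when the first DC is the destination.
        src=$first
        if [ "$dest" = "$first" ]; then
            src=$second
        fi
        for nc in $ncs; do
            printf '%s drs replicate %s %s %s --full-sync\n' \
                "$SAMBA_TOOL" "$dest" "$src" "$nc"
        done
    done
}

# full_sync_run "DC1 DC2 ..." "NC1 NC2 ...": print the plan (DRY_RUN=1) or
# execute it, stopping at the first failed replication (DRY_RUN=0).
full_sync_run() {
    full_sync_plan "$1" "$2" | while IFS= read -r cmd; do
        if [ "$DRY_RUN" = 1 ]; then
            echo "$cmd"
        else
            # exit leaves only the pipeline's subshell, so the function
            # returns non-zero without killing the caller's shell.
            $cmd || { echo "full_sync_run: failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Placeholder DC names and naming contexts for illustration only; they mirror
# the advisory's example domain.
full_sync_run "my-DC1 my-DC2" \
    "DC=samba,DC=example,DC=com CN=Configuration,DC=samba,DC=example,DC=com"
```

Run it once with DRY_RUN left at 1 to review the generated commands, then with DRY_RUN=0 to execute them; any further naming contexts the domain carries go into the second argument, since the advisory's full-sync is per NC.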

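A check for the two configuration workarounds in the CVE-2019-14907 and CVE-2019-19344 advisories quoted above (global "log level" below 3, "dns zone scavenging" not enabled), as an added POSIX shell example rather than anything from the advisories, the Samba project or this ticket. It reads the effective values with testparm -s --parameter-name; the function names and the SMB_CONF variable are this example's own. The handling of the per-class "log level" syntax (for example "1 auth:3", where only the first token is the global level) follows the smb.conf manual page.

```shell
#!/bin/sh
# Added example (not from the Samba advisories or this ticket): verify that a
# Samba configuration has the 4.11.5 advisory workarounds in place.
#   CVE-2019-14907: crash when "log level" is 3 or above
#   CVE-2019-19344: use-after-free only reached with "dns zone scavenging = yes"

# global_log_level VALUE: print the global debug level from a "log level"
# value. Samba allows per-class levels after the global one ("1 auth:3
# passdb:5"), so only the first token counts; an empty value means 0.
global_log_level() {
    set -- $1
    printf '%s\n' "${1:-0}"
}

# check_workarounds LOG_LEVEL SCAVENGING: return 0 when both workarounds hold,
# 1 otherwise, naming each offending setting on stderr.
check_workarounds() {
    rc=0
    level=$(global_log_level "$1")
    # A non-numeric level makes test fail (status 2), which counts as "not >= 3".
    if [ "$level" -ge 3 ] 2>/dev/null; then
        echo "log level = $1: 3 or above exposes CVE-2019-14907 until patched" >&2
        rc=1
    fi
    # Samba boolean spellings: yes/true/1 (testparm prints Yes/No).
    case "$2" in
        [Yy]es|[Tt]rue|1)
            echo "dns zone scavenging = $2: enables the CVE-2019-19344 code path" >&2
            rc=1 ;;
    esac
    return $rc
}

# audit_smb_conf [SMB_CONF]: read the effective values with testparm and check
# them. testparm -s suppresses the prompt; --parameter-name prints one value.
audit_smb_conf() {
    conf="${1:-/etc/samba/smb.conf}"
    check_workarounds \
        "$(testparm -s --parameter-name='log level' "$conf" 2>/dev/null)" \
        "$(testparm -s --parameter-name='dns zone scavenging' "$conf" 2>/dev/null)"
}

# Usage: SMB_CONF=/etc/samba/smb.conf sh audit.sh
if [ -n "${SMB_CONF:-}" ]; then
    audit_smb_conf "$SMB_CONF" && echo "$SMB_CONF: both workarounds in place"
fi
```

The check is only a stop-gap for hosts that cannot be upgraded immediately; per the advisories, the fix is 4.11.5 (or 4.10.12 / 4.9.18), after which log level 3 is safe again.
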
comment:9 by Douglas R. Reno, 19 months ago

Milestone: hold → 9.1

Now part of 9.1

comment:10 by Douglas R. Reno, 19 months ago

Summary: samba-4.11.5 (hold until next release). → samba-4.11.5

Correct title

comment:11 by Douglas R. Reno, 19 months ago

I just caught another release of 4.10.x to fix a few problems with Python-3.8 and samba-tool. I'm hoping that a new one comes out for 4.11 over the next day or so. If it doesn't, I'll probably just patch it to get this in ASAP.

comment:12 by Douglas R. Reno, 18 months ago

Now 4.11.6, containing the Python-3.8 fixes

Changes since 4.11.5:
---------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 14209: pygpo: Use correct method flags.

o  David Disseldorp <ddiss@samba.org>
   * BUG 14216: vfs_ceph_snapshots: Fix root relative path handling.

o  Torsten Fohrer <torsten.fohrer@sbe.de>
   * BUG 14209: Avoiding bad call flags with python 3.8, using METH_NOARGS
     instead of zero.

o  Fabrice Fontaine <fontaine.fabrice@gmail.com>
   * BUG 14218: source4/utils/oLschema2ldif: Include stdint.h before cmocka.h.

o  Björn Jacke <bjacke@samba.org>
   * BUG 14122: docs-xml/winbindnssinfo: Clarify interaction with idmap_ad etc.

o  Volker Lendecke <vl@samba.org>
   * BUG 14251: smbd: Fix the build with clang.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14199: upgradedns: Ensure lmdb lock files linked.

o  Anoop C S <anoopcs@redhat.com>
   * BUG 14182: s3: VFS: glusterfs: Reset nlinks for symlink entries during
     readdir.

o  Andreas Schneider <asn@samba.org>
   * BUG 14101: smbc_stat() doesn't return the correct st_mode and also the
     uid/gid is not filled (SMBv1) file.
   * BUG 14219: librpc: Fix string length checking in
     ndr_pull_charset_to_null().

o  Martin Schwenke <martin@meltin.net>
   * BUG 14227: ctdb-scripts: Strip square brackets when gathering connection
     info.

comment:13 by Douglas R. Reno, 18 months ago

Summary: samba-4.11.5 → samba-4.11.6

comment:14 by Douglas R. Reno, 18 months ago

Resolution: fixed
Status: assigned → closed

Fixed at r22641
