Opened 9 months ago

Closed 9 months ago

#14185 closed enhancement (fixed)

Samba-4.13.1 (Security Release)

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: high Milestone: 10.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New point version

Release Announcements
---------------------

These are a security releases in order to address the following defects:

o CVE-2020-14318: Missing handle permissions check in SMB1/2/3 ChangeNotify.
o CVE-2020-14323: Unprivileged user can crash winbind.
o CVE-2020-14383: An authenticated user can crash the DCE/RPC DNS with easily
		  crafted records.


=======
Details
=======

o  CVE-2020-14318:
   The SMB1/2/3 protocols have a concept of "ChangeNotify", where a client can
   request file name notification on a directory handle when a condition such as
   "new file creation" or "file size change" or "file timestamp update" occurs.

   A missing permissions check on a directory handle requesting ChangeNotify
   meant that a client with a directory handle open only for
   FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain change
   notify replies from the server. These replies contain information that should
   not be available to directory handles open for FILE_READ_ATTRIBUTE only.

o  CVE-2020-14323:
   winbind in version 3.6 and later implements a request to translate multiple
   Windows SIDs into names in one request. This was done for performance
   reasons: Active Directory domain controllers can do multiple SID to name
   translations in one RPC call. It was an obvious extension to also offer this
   batch operation on the winbind unix domain stream socket that is available to
   local processes on the Samba server to reduce network round-trips to the
   domain controller.

   Due to improper input validation a hand-crafted packet can make winbind
   perform a NULL pointer dereference and thus crash.

o  CVE-2020-14383:
   Some DNS records (such as MX and NS records) usually contain data in the
   additional section. Samba's dnsserver RPC pipe (which is an administrative
   interface not used in the DNS server itself) made an error in handling the
   case where there are no records present: instead of noticing the lack of
   records, it dereferenced uninitialised memory, causing the RPC server to
   crash. This RPC server, which also serves protocols other than dnsserver,
   will be restarted after a short delay, but it is easy for an authenticated
   non-admin attacker to crash it again as soon as it returns. The Samba DNS
   server itself will continue to operate, but many RPC services will not.

For more details, please refer to the security advisories.


Changes:
--------

o  Jeremy Allison <jra@samba.org>
   * BUG 14434: CVE-2020-14318: s3: smbd: Ensure change notifies can't get set
     unless the directory handle is open for SEC_DIR_LIST.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 12795: CVE-2020-14383: Remote crash after adding NS or MX records using
     'samba-tool'.
   * BUG 14472: CVE-2020-14383: Remote crash after adding MX records.

o  Volker Lendecke <vl@samba.org>
   * BUG 14436: CVE-2020-14323: winbind: Fix invalid lookupsids DoS.

Change History (7)

comment:1 by Douglas R. Reno, 9 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Xi Ruoyao, 9 months ago

A good news is that the sed is no longer needed.

And I think maybe those tirpc LDFLAGS and CFLAGS are also no longer needed. I'll have a try.

in reply to:  2 comment:3 by Xi Ruoyao, 9 months ago

Replying to xry111:

A good news is that the sed is no longer needed.

And I think maybe those tirpc LDFLAGS and CFLAGS are also no longer needed. I'll have a try.

No, the sed is still needed. I just misread the code :(.

Is there someone to complain this to upstream?

comment:4 by Xi Ruoyao, 9 months ago

I can confirm that -ltirpic and -I/usr/include/tirpc are no longer needed.

comment:5 by Douglas R. Reno, 9 months ago

This is a security release, so no fixes other than the ones required for the CVEs are merged. The next version, 4.13.2, will probably have it fixed

comment:6 by Douglas R. Reno, 9 months ago

CVE-2020-14318

CVE-2020-14318.html

===========================================================
== Subject:     Missing handle permissions check in SMB1/2/3
==              ChangeNotify.
== 
== CVE ID#:     CVE-2020-14318
==              
==
== Versions:    All versions of Samba since Samba 3.6.0
==
== Summary:     Systems where Windows ACL permissions are
==              more restrictive than native filesystem
==              permissions can be made to leak file name
==              information to unprivileged accounts.
===========================================================

===========
Description
===========

The SMB1/2/3 protocols have a concept of "ChangeNotify", where a
client can request file name notification on a directory handle when a
condition such as "new file creation" or "file size change" or "file
timestamp update" occurs.

A missing permissions check on a directory handle requesting
ChangeNotify meant that a client with a directory handle open only for
FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain
change notify replies from the server. These replies contain
information that should not be available to directory handles open for
FILE_READ_ATTRIBUTE only.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/RL:O/RC:C/CR:L/MAV:A/MAC:L/MPR:L/MUI:N/MS:U/MC:L/MI:N/MA:N

base score of 4.3 - medium.

=================================
Workaround and mitigating factors
=================================

As Samba internally opens an underlying file system handle on a
directory when a client requests an open, even for
FILE_READ_ATTRIBUTES then if the underlying file system permissions
don't allow "r" (read) access for the connected user, then the handle
open request will be denied.

"r" access is the normal permission needed to list or otherwise reveal
the contents of a directory, so if a connected user has "r" access
then they will be able to list the directory contents normally, and
the information received by a ChangeNofity request is already
available to the user.

The security issue occurs if the Administrator or directory owner had
set more restrictive Windows ACL permissions on the directory to
disallow read access to the user, and this permissions change was not
reflected in the underlying file system permissions.

This will only occur if Samba is configured with VFS modules to
decouple the underlying file system permissions from the Windows ACLs,
by setting up a share with the settings:

[vulnerable_share]
        vfs_objects = vfs_acl_xattr
        acl_xattr:ignore system acls = yes

=======
Credits
=======

Reported by Steven French of Microsoft and the Samba Team.
Advisory written by Jeremy Allison of Google and the Samba Team.
Patches provided by Jeremy Allison of Google and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2020-14323

CVE-2020-14323.html

===========================================================
== Subject:     Unprivileged user can crash winbind
== 
== GitHub Security Lab (GHSL) Vulnerability Report: 'GHSL-2020-134'
==
== CVE ID#:     CVE-2020-14323
==              
==
== Versions:    All versions of Samba since Samba 3.6.0
==
== Summary:     With a specially crafted winbind request
==              sent over the non-privileged winbind pipe
==              winbind can be made to dereference a NULL
==              pointer
===========================================================

===========
Description
===========

winbind in version 3.6 and later implements a request to
translate multiple Windows SIDs into names in one request. This
was done for performance reasons: Active Directory domain
controllers can do multiple SID to name translations in one RPC
call. It was an obvious extension to also offer this batch
operation on the winbind unix domain stream socket that is
available to local processes on the Samba server to reduce
network round-trips to the domain controller.

Due to improper input validation a hand-crafted packet can make
winbind perform a NULL pointer dereference and thus crash.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS 3.1: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (5.0)

=================================
Workaround and mitigating factors
=================================

Any user with local shell access to the machine running winbind can
issue the winbind socket request. The only workaround is to disable
shell access to exposed machines.

Typical file servers don't offer full local access, they are not
affected.

=======
Credits
=======

Originally reported by Bas Alberts of the GitHub Security Lab Team as
GHSL-2020-134.

Advisory written by Volker Lendecke of SerNet and the Samba Team.

Patches provided by Volker Lendecke of SerNet and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2020-14383

CVE-2020-14383.html

===========================================================
== Subject:     An authenticated user can crash the DCE/RPC DNS with
==              easily crafted records
==
== CVE ID#:     CVE-2020-14383
==
== Versions:    Samba 4.0 and later
==
== Summary:     An authenticated non-admin user can crash the
==              DNS server by adding invalid records.
===========================================================

===========
Description
===========

Some DNS records (such as MX and NS records) usually contain data in
the additional section. Samba's dnsserver RPC pipe (which is an
administrative interface not used in the DNS server itself) made an
error in handling the case where there are no records present: instead
of noticing the lack of records, it dereferenced uninitialised memory,
causing the RPC server to crash. This RPC server, which also serves
protocols other than dnsserver, will be restarted after a short delay,
but it is easy for an authenticated non-admin attacker to crash it
again as soon as it returns. The Samba DNS server itself will continue
to operate, but many RPC services will not.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSSv3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The dnsserver task can be stopped by setting

 'dcerpc endpoint servers = -dnsserver'

in the smb.conf and restarting Samba.

=======
Credits
=======

Originally reported by Francis Brosnan Blázquez of ASPL.es in 2017.

Patches first provided for Samba 4.6 by Francis Brosnan Blázquez, and
adapted for modern Samba by Douglas Bagnall of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

comment:7 by Douglas R. Reno, 9 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r23855

Note: See TracTickets for help on using tickets.