Opened 3 months ago

Closed 3 months ago

#14928 closed enhancement (fixed)

samba-4.14.4 (CVE-2021-20254)

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: elevated Milestone: 10.2
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (9)

comment:1 by Douglas R. Reno, 3 months ago

Version: git

Set the "version" field to the correct value

comment:2 by Douglas R. Reno, 3 months ago

Type: taskenhancement

Change "task" to "enhancement" on recent tickets.

comment:3 by Xi Ruoyao, 3 months ago

Priority: normalelevated
Summary: samba-4.14.3samba-4.14.4 (CVE-2021-20254)

Now 4.14.4, with a security fix.

PATH=$PWD/pyvenv/bin:$PATH seems needed for configure and make quicktest.

comment:4 by Douglas R. Reno, 3 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

Grab stuff that needs to be synced to LFS and some other stuff to work on today.

comment:5 by Douglas R. Reno, 3 months ago

samba-4.14.3 Release Notes

                   ==============================
                   Release Notes for Samba 4.14.3
                           April 20, 2021
                   ==============================

This is the latest stable release of the Samba 4.14 release series.


Changes since 4.14.2
--------------------

o  Trever L. Adams <trever.adams@gmail.com>
   * BUG 14671: s3:modules:vfs_virusfilter: Recent New_VFS changes break
     vfs_virusfilter_openat.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14586: build: Notice if flex is missing at configure time.

o  Ralph Boehme <slow@samba.org>
   * BUG 14672: Fix smbd panic when two clients open same file.
   * BUG 14675: Fix memory leak in the RPC server.
   * BUG 14679: s3: smbd: fix deferred renames.

o  Samuel Cabrero <scabrero@samba.org>
   * BUG 14675: s3-iremotewinspool: Set the per-request memory context.

o  Volker Lendecke <vl@samba.org>
   * BUG 14675: Fix memory leak in the RPC server.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 11899: third_party: Update socket_wrapper to version 1.3.2.
   * BUG 14640: third_party: Update socket_wrapper to version 1.3.3.

o  David Mulder <dmulder@suse.com>
   * BUG 14665: samba-gpupdate: Test that sysvol paths download in
     case-insensitive way.

o  Sachin Prabhu <sprabhu@redhat.com>
   * BUG 14662: smbd: Ensure errno is preserved across fsp destructor.

o  Christof Schmitt <cs@samba.org>
   * BUG 14663: idmap_rfc2307 and idmap_nss return wrong mapping for uid/gid
     conflict.

o  Martin Schwenke <martin@meltin.net>
   * BUG 14288: build: Only add -Wl,--as-needed when supported.

comment:6 by Douglas R. Reno, 3 months ago

samba-4.14.4 Release Notes

                   ==============================
                   Release Notes for Samba 4.13.8
                           April 29, 2021
                   ==============================


This is a security release in order to address the following defect:

o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
  in the Samba file server process token.


=======
Details
=======

o  CVE-2021-20254:
   The Samba smbd file server must map Windows group identities (SIDs) into unix
   group ids (gids). The code that performs this had a flaw that could allow it
   to read data beyond the end of the array in the case where a negative cache
   entry had been added to the mapping cache. This could cause the calling code
   to return those values into the process token that stores the group
   membership for a user.

   Most commonly this flaw caused the calling code to crash, but an alert user
   (Peter Eriksson, IT Department, Linköping University) found this flaw by
   noticing an unprivileged user was able to delete a file within a network
   share that they should have been disallowed access to.

   Analysis of the code paths has not allowed us to discover a way for a
   remote user to be able to trigger this flaw reproducibly or on demand,
   but this CVE has been issued out of an abundance of caution.


Changes since 4.13.7
--------------------

o  Volker Lendecke <vl@samba.org>
   * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().

There's one portion of the release notes that sticks out to me here:

Most commonly this flaw caused the calling code to crash, but an alert user
(Peter Eriksson, IT Department, Linköping University) found this flaw by
noticing an unprivileged user was able to delete a file within a network
share that they should have been disallowed access to.

comment:7 by Douglas R. Reno, 3 months ago

More details on CVE-2021-20254

CVE-2021-20254.html

===========================================================
== Subject:     Negative idmap cache entries can cause incorrect
==              group entries in the Samba file server process
==              token.
==
== CVE ID#:     CVE-2021-20254
==
==
== Versions:    All versions of the Samba file server since
==              Samba 3.6.0
==
== Summary:     A coding error converting SIDs to gids could
==              allow unexpected group entries in a process token.
==              This could allow unauthorized access to files.
===========================================================

===========
Description
===========

The Samba smbd file server must map Windows group identities (SIDs)
into unix group ids (gids). The code that performs this had a flaw
that could allow it to read data beyond the end of the array in the
case where a negative cache entry had been added to the mapping
cache. This could cause the calling code to return those values into
the process token that stores the group membership for a user.

Most commonly this flaw caused the calling code to crash, but an alert
user (Peter Eriksson, IT Department, Linköping University) found this
flaw by noticing an unprivileged user was able to delete a file within
a network share that they should have been disallowed access to.

Analysis of the code paths has not allowed us to discover a way for a
remote user to be able to trigger this flaw reproducibly or on demand,
but this CVE has been issued out of an abundance of caution.

==================
Patch Availability
==================

Patches addressing this issue has been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.14.4, 4.13.8 and 4.12.15 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N (6.8)

=================================
Workaround and mitigating factors
=================================

None.

=======
Credits
=======

Reported by Peter Eriksson, IT Department, Linköping University.

Volker Lendecke of SerNet and the Samba Team provided the fix.

Patches backported to supported Samba versions and run though the
Samba security process by Noel Power of SuSE and Andrew Bartlett of
Catalyst.

Advisory written by Jeremy Allison of Google.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

comment:8 by Douglas R. Reno, 3 months ago

I came across something interesting while looking through the configure output - it looked for libtracker-sparql-2.0, for a file indexing service.

I'll add that as a optional dependency once it's ported to tracker3.

comment:9 by Douglas R. Reno, 3 months ago

Resolution: fixed
Status: assignedclosed
Note: See TracTickets for help on using tickets.