Opened 2 years ago

Closed 2 years ago

#15987 closed enhancement (fixed)

samba-4.15.5

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 11.1
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (8)

comment:1 by Xi Ruoyao, 2 years ago

                   ==============================
                   Release Notes for Samba 4.15.4
                          January 19, 2022
                   ==============================


This is the latest stable release of the Samba 4.15 release series.


Changes since 4.15.3
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
     poisoning.
   * BUG 14939: smbclient -L doesn't set "client max protocol" to NT1 before
     calling the "Reconnecting with SMB1 for workgroup listing" path.
   * BUG 14944: Missing pop_sec_ctx() in error path inside close_directory().

o  Pavel Filipenský <pfilipen@redhat.com>
   * BUG 14940: Cross device copy of the crossrename module always fails.
   * BUG 14941: symlinkat function from VFS cap module always fails with an
     error.
   * BUG 14942: Fix possible fsp pointer deference.

o  Volker Lendecke <vl@samba.org>
   * BUG 14934: kill_tcp_connections does not work.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 14932: Failed to parse NTLMv2_RESPONSE length 95 - Buffer Size Error -
     NT_STATUS_BUFFER_TOO_SMALL.
   * BUG 14935: Can't connect to Windows shares not requiring authentication
     using KDE/Gnome.

o  Andreas Schneider <asn@samba.org>
   * BUG 14945: "smbd --build-options" no longer works without an smb.conf file.

o  Jones Syue <jonessyue@qnap.com>
   * BUG 14928: Duplicate SMB file_ids leading to Windows client cache
     poisoning.

comment:2 by Douglas R. Reno, 2 years ago

Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

comment:3 by Douglas R. Reno, 2 years ago

Priority: normal → elevated
Summary: samba-4.15.4 → samba-4.15.5

Now 4.15.5 with security fixes

comment:4 by Douglas R. Reno, 2 years ago

                   ==============================
                   Release Notes for Samba 4.15.5
                          January 31, 2022
                   ==============================


This is a security release in order to address the following defects:

o CVE-2021-44141: UNIX extensions in SMB1 disclose whether the outside target
                  of a symlink exists.
                  https://www.samba.org/samba/security/CVE-2021-44141.html

o CVE-2021-44142: Out-of-Bound Read/Write on Samba vfs_fruit module.
                  https://www.samba.org/samba/security/CVE-2021-44142.html

o CVE-2022-0336:  Re-adding an SPN skips subsequent SPN conflict checks.
                  https://www.samba.org/samba/security/CVE-2022-0336.html


Changes since 4.15.4
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14911: CVE-2021-44141

o  Ralph Boehme <slow@samba.org>
   * BUG 14914: CVE-2021-44142

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14950: CVE-2022-0336

comment:5 by Douglas R. Reno, 2 years ago

CVE-2021-44141

CVE-2021-44141.html:

===========================================================
== Subject:     Information leak via symlinks of existence of
==              files or directories outside of the exported
==              share.
==
== CVE ID#:     CVE-2021-44141
==
==
== Versions:    All versions of the Samba file server prior to
==              4.15.5.
==
== Summary:     A client can use a symlink to discover if a named
==              file or directory exists on the filesystem outside of
==              the exported share. The user must have permissions
==              to query a symlink inside the exported share using
==              SMB1 with unix extensions turned on.
===========================================================

===========
Description
===========

All versions of Samba prior to 4.15.5 are vulnerable to a malicious
client using a server symlink to determine if a file or directory
exists in an area of the server file system not exported under the
share definition. SMB1 with unix extensions has to be enabled in order
for this attack to succeed.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or via NFS can create symlinks
that point to arbitrary files or directories on the server filesystem.

Clients can then use SMB1 unix extension information queries to
determine if the target of the symlink exists or not by examining
error codes returned from the smbd server. There is no ability to
access these files or directories, only to determine if they exist or
not.

If SMB1 is turned off and only SMB2 is used, or unix extensions are
not enabled then there is no way to discover if a symlink points to a
valid target or not via SMB2. For this reason, even if symlinks are
created via NFS, if the Samba server does not allow SMB1 with unix
extensions there is no way to exploit this bug.

Finding out what files or directories exist on a file server can help
attackers guess system user names or the exact operating system
release and applications running on the server hosting Samba which may
help mount further attacks.

SMB1 has been disabled on Samba since version 4.11.0 and
onwards. Exploitation of this bug has not been seen in the wild.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Samba version 4.15.5 has been issued as a security release to correct
the defect. Samba administrators are advised to upgrade to this
release as soon as possible. Due to the complexity of the fixes needed
for this problem, back ports to earlier Samba versions have not been
provided. For users of earlier Samba versions, please see the
"Workaround and mitigating factors" section of this document.

==================
CVSSv3.1 calculation
==================

CVSS:AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N/E:P/RL:O/RC:C/CR:L/IR:L/AR:L/MAV:N/MAC:L/MPR:L/MUI:N/MS:U/MC:H/MI:N/MA:N

base score of 4.2

=================================
Workaround and mitigating factors
=================================

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation or
querying of symbolic links via SMB1. If SMB1 must be enabled for
backwards compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating or reading symlinks on the
exported file system.

However, if the same region of the file system is also exported
allowing write access via NFS, NFS clients can create symlinks that
allow SMB1 with unix extensions clients to discover the existence of
the NFS created symlink targets.  For non-patched versions of Samba we
recommend only exporting areas of the file system by either SMB2 or
NFS, not both.

=======
Credits
=======

Reported by Stefan Behrens of 
Jeremy Allison of Google and the Samba Team provided the fix.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

comment:6 by Douglas R. Reno, 2 years ago

Priority: elevated → high

CVE-2021-44142

CVE-2021-44142.html:

=================================================================
== Subject:     Out-of-bounds heap read/write vulnerability
==              in VFS module vfs_fruit allows code execution
==
== CVE ID#:     CVE-2021-44142
==
== Versions:    All versions of Samba prior to 4.13.17
==
== Summary:     This vulnerability allows remote attackers to
==              execute arbitrary code as root on affected Samba
==              installations that use the VFS module vfs_fruit.
=================================================================

===========
Description
===========

All versions of Samba prior to 4.13.17 are vulnerable to an
out-of-bounds heap read write vulnerability that allows remote
attackers to execute arbitrary code as root on affected Samba
installations that use the VFS module vfs_fruit.

The specific flaw exists within the parsing of EA metadata when
opening files in smbd. Access as a user that has write access to a
file's extended attributes is required to exploit this
vulnerability. Note that this could be a guest or unauthenticated user
if such users are allowed write access to file extended attributes.

The problem in vfs_fruit exists in the default configuration of the
fruit VFS module using fruit:metadata=netatalk or fruit:resource=file.
If both options are set to different settings than the default values,
the system is not affected by the security issue.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.13.17, 4.14.12 and 4.15.5 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H/E:F/RL:O/RC:C

Base score 9.9.

==========
Workaround
==========

As a workaround remove the "fruit" VFS module from the list of
configured VFS objects in any "vfs objects" line in the Samba
configuration smb.conf.

Note that changing the VFS module settings fruit:metadata or
fruit:resource to use the unaffected setting causes all stored
information to be inaccessible and will make it appear to macOS
clients as if the information is lost.


=======
Credits
=======

Originally reported by Orange Tsai from DEVCORE.
Nguyen Hoang Thach and Billy Jheng Bing-Jhong of STAR Labs working with Trend Micro Zero Day Initiative
Lucas Leong of Trend Micro Zero Day Initiative

Patches provided by Ralph Böhme of the Samba team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

Ouch, that's a 9.9/10. Promoting to High from Elevated.
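An audit check for the two workarounds quoted in comments 5 and 6 (SMB1 with unix extensions enabled, and vfs_fruit left on its default fruit:metadata/fruit:resource settings), written as an added example that is not from this ticket or from the Samba project. It assumes the smb.conf(5) defaults named in the code comments and runs against a constructed sample configuration.

```python
import configparser

# Assumed smb.conf(5) defaults: "server min protocol" has been SMB2_02 since
# Samba 4.11.0, "unix extensions" defaults to yes, and vfs_fruit defaults to
# fruit:metadata=netatalk / fruit:resource=file (the affected combination).
SMB1_PROTOCOLS = {"NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"}
DEFAULTS = {"server min protocol": "SMB2_02", "unix extensions": "yes",
            "fruit:metadata": "netatalk", "fruit:resource": "file"}

# Constructed sample smb.conf: one share still exposed, one already hardened.
SAMPLE_SMB_CONF = """
[global]
   workgroup = EXAMPLE
   server min protocol = NT1
   ; unix extensions left at its default (yes)

[macshare]
   path = /srv/mac
   vfs objects = catia fruit streams_xattr
   fruit:metadata = netatalk

[safeshare]
   path = /srv/safe
   vfs objects = fruit
   fruit:metadata = stream
   fruit:resource = xattr
"""

def parse_smb_conf(text):
    # Only "=" separates keys from values; ":" is part of keys like fruit:metadata.
    # Leading whitespace is stripped so configparser never treats an indented
    # option as a continuation of the previous value.
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string("\n".join(line.strip() for line in text.splitlines()))
    return cp

def lookup(cp, share, key):
    """Per-share value, else the [global] value, else the documented default."""
    for section in (share, "global"):
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key).strip()
    return DEFAULTS.get(key, "")

def audit(text):
    cp = parse_smb_conf(text)
    findings = []
    smb1 = lookup(cp, "global", "server min protocol").upper() in SMB1_PROTOCOLS
    unix_ext = lookup(cp, "global", "unix extensions").lower() in ("yes", "true", "1")
    if smb1 and unix_ext:
        findings.append("global: SMB1 with unix extensions enabled (CVE-2021-44141 exposure)")
    for share in cp.sections():
        if share == "global":
            continue
        vfs_modules = lookup(cp, share, "vfs objects").split()
        if "fruit" in vfs_modules and (lookup(cp, share, "fruit:metadata").lower() == "netatalk"
                                       or lookup(cp, share, "fruit:resource").lower() == "file"):
            findings.append(f"{share}: vfs_fruit with default metadata/resource settings "
                            "(CVE-2021-44142 exposure)")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SMB_CONF):
        print(finding)
```

Synonyms such as "min protocol" and per-share overrides of "server min protocol" are not handled; feed it the output of testparm -s if the configuration uses includes.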

comment:7 by Douglas R. Reno, 2 years ago

CVE-2022-0336

CVE-2022-0336.html:

===========================================================
== Subject:     Samba AD users with permission to write to
==              an account can impersonate arbitrary services.
==
== CVE ID#:     CVE-2022-0336
==
== Versions:    Samba 4.0.0 and later
==
== Summary:     Checks in the Samba AD DC to prevent aliased
==              SPNs could be bypassed, giving users who can
==              write to an account's servicePrincipalName
==              attribute the ability to impersonate services.
===========================================================

===========
Description
===========

The Samba AD DC includes checks when adding service principals names
(SPNs) to an account to ensure that SPNs do not alias with those
already in the database. Some of these checks are able to be bypassed
if an account modification re-adds an SPN that was previously present
on that account, such as one added when a computer is joined to a
domain.

An attacker who has the ability to write to an account can exploit
this to perform a denial-of-service attack by adding an SPN that
matches an existing service. Additionally, an attacker who can
intercept traffic can impersonate existing services, resulting in a
loss of confidentiality and integrity.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.13.17, 4.14.12, and 4.15.4 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)

==========
Workaround
==========

None.

=======
Credits
=======

Originally reported by Kees van Vloten.

Analysis, patches, and this advisory by Joseph Sutton of Catalyst
and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

comment:8 by Douglas R. Reno, 2 years ago

Resolution: fixed
Status: assigned → closed