Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#17208 closed enhancement (fixed)

samba-4.17.2

Reported by: Bruce Dubbs
Owned by: Douglas R. Reno
Priority: elevated
Milestone: 99-Waiting
Component: BOOK
Version: git
Severity: normal
Keywords:
Cc:

Description

New point version.

Change History (7)

comment:1 by Douglas R. Reno, 18 months ago

Milestone: 11.3 → 99-Waiting
Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned
Summary: samba-4.17.1 → samba-4.17.1 (Hold until next version)

Hold until Tuesday:

Hi,

this is a heads-up that there will be Samba security updates for 4.15, 4.16 and 4.17 on Tuesday, October 25 2022. Please make sure that your Samba servers will be updated soon after the release!

Impacted components:
 - AD DC (CVSS 5.9, Medium)
 - Fileserver (CVSS 5.4, Medium)

Cheers,
Jule Anger

I will attempt to get to this later in the week, once my midterms are complete.

comment:2 by Douglas R. Reno, 18 months ago

Priority: normal → elevated

This one *also* contained a security fix - CVE-2021-20251.

comment:3 by Douglas R. Reno, 18 months ago

Summary: samba-4.17.1 (Hold until next version) → samba-4.17.2

comment:4 by Douglas R. Reno, 18 months ago

4.17.1

                   ==============================
                   Release Notes for Samba 4.17.1
                          October 19, 2022
                   ==============================


This is the latest stable release of the Samba 4.17 release series.


Changes since 4.17.0
--------------------

o  Jeremy Allison <jra@samba.org>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15174: smbXsrv_connection_shutdown_send result leaked.
   * BUG 15182: Flush on a named stream never completes.
   * BUG 15195: Permission denied calling SMBC_getatr when file not exists.

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.
   * BUG 15191: pytest: add file removal helpers for TestCaseInTempDir.

o  Andrew Bartlett <abartlet@samba.org>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.
   * BUG 15189: Samba 4.5 sometimes cannot be upgraded to Samba 4.6 or later
     over DRS: WERROR_DS_DRA_MISSING_PARENT due to faulty GET_ANC.

o  Ralph Boehme <slow@samba.org>
   * BUG 15182: Flush on a named stream never completes.

o  Volker Lendecke <vl@samba.org>
   * BUG 15151: vfs_gpfs silently garbles timestamps > year 2106.

o  Gary Lockyer <gary@catalyst.net.nz>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.

o  Stefan Metzmacher <metze@samba.org>
   * BUG 15200: multi-channel socket passing may hit a race if one of the
     involved processes already existed.
   * BUG 15201: memory leak on temporary of struct imessaging_post_state and
     struct tevent_immediate on struct imessaging_context (in
     rpcd_spoolss and maybe others).

o  Noel Power <noel.power@suse.com>
   * BUG 15205: Since popt1.19 various use after free errors using result of
     poptGetArg are now exposed.

o  Anoop C S <anoopcs@samba.org>
   * BUG 15192: Remove special case for O_CREAT in SMB_VFS_OPENAT from
     vfs_glusterfs.

o  Andreas Schneider <asn@samba.org>
   * BUG 15169: GETPWSID in memory cache grows indefinitely with each NTLM auth.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 14611: CVE-2021-20251 [SECURITY] Bad password count not incremented
     atomically.

CVE-2021-20251 took 280 hours to fix and hasn't been officially disclosed yet, but I'll just say that it's a bug with the bad password count not being incremented correctly.

comment:5 by Douglas R. Reno, 18 months ago

4.17.2

                   ==============================
                   Release Notes for Samba 4.17.2
                          October 25, 2022
                   ==============================


This is a security release in order to address the following defects:

o CVE-2022-3437:  There is a limited write heap buffer overflow in the GSSAPI
                  unwrap_des() and unwrap_des3() routines of Heimdal (included
                  in Samba).
                  https://www.samba.org/samba/security/CVE-2022-3437.html

o CVE-2022-3592:  A malicious client can use a symlink to escape the exported
                  directory.
                  https://www.samba.org/samba/security/CVE-2022-3592.html

Changes since 4.17.1
--------------------

o  Volker Lendecke <vl@samba.org>
   * BUG 15207: CVE-2022-3592.

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * BUG 15134: CVE-2022-3437.

Advisories

CVE-2022-3592

CVE-2022-3592.html:

===========================================================
== Subject:     Wide links protection broken
==
== CVE ID#:     CVE-2022-3592
==
== Versions:    All versions of Samba since 4.17.0
==
== Summary:     A malicious client can use a symlink to escape
==              the exported directory
===========================================================

===========
Description
===========

Samba 4.17 introduced following symlinks in user space with the intent
to properly check symlink targets to stay within the share that was
configured by the administrator. The check does not properly cover a
corner case, so that a user can create a symbolic link that will make
smbd escape the configured share path.

Clients that have write access to the exported part of the file system
under a share via SMB1 unix extensions or NFS can create symlinks and
can use the vulnerability to get access to all of the server's file
system.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    https://www.samba.org/samba/security/

Samba 4.17.2 has been issued as a security release to correct the
defect. Samba administrators are advised to upgrade to this release as
soon as possible.

==================
CVSSv3.1 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

=================================
Workaround and mitigating factors
=================================

Do not enable SMB1 (please note SMB1 is disabled by default in Samba
from version 4.11.0 and onwards). This prevents the creation of
symbolic links via SMB1. If SMB1 must be enabled for backwards
compatibility then add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd. This
prevents SMB1 clients from creating symlinks on the exported file
system.

However, if the same region of the file system is also exported using
NFS, NFS clients can create symlinks that potentially can also hit the
race condition. For non-patched versions of Samba we recommend only
exporting areas of the file system by either SMB2 or NFS, not both.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

CVE-2022-3437

CVE-2022-3437.html:

===========================================================
== Subject:     Buffer overflow in Heimdal unwrap_des3()
==
== CVE ID#:     CVE-2022-3437
==
== Versions:    All versions of Samba since Samba 4.0 compiled
==              with Heimdal Kerberos
==
== Summary:     There is a limited write heap buffer overflow
==              in the GSSAPI unwrap_des() and unwrap_des3()
==              routines of Heimdal (included in Samba).
===========================================================

===========
Description
===========

The DES (for Samba 4.11 and earlier) and Triple-DES decryption
routines in the Heimdal GSSAPI library allow a length-limited write
buffer overflow on malloc() allocated memory when presented with a
maliciously small packet.

Examples of where Samba can use GSSAPI include the client and
fileserver for SMB1 (unix extensions), DCE/RPC in all use cases and
LDAP in the Active Directory Domain Controller.

However not all Samba installations are impacted!  Samba is often
compiled to use the system MIT Kerberos using the
--with-system-mitkrb5 argument and these installations are not
impacted, as the vulnerable code is not compiled into Samba.

However when, as is the default, Samba is compiled to use the internal
Heimdal Kerberos library the vulnerable unwrap_des3() is used.

(The single-DES use case, along with the equally vulnerable
unwrap_des() is only compiled into Samba 4.11 and earlier).

The primary use of Samba's internal Heimdal is for the Samba AD DC,
but this vulnerability does impact fileserver deployments built with
the default build options.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.15.11, 4.16.6 and 4.17.2 have been issued
as security releases to correct the defect.  Samba administrators are
advised to upgrade to these releases or apply the patch as soon
as possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:L (5.9)

==========
Workaround
==========

Compiling Samba with --with-system-mitkrb5 will avoid this issue.

=======
Credits
=======

Originally reported by Evgeny Legerov of Intevydis.

Patches provided by Joseph Sutton of Catalyst and the Samba Team,
advisory written by Andrew Bartlett of Catalyst and the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
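The CVE-2022-3592 workaround above boils down to a check on two smb.conf settings: whether SMB1 can be negotiated at all, and, if so, whether `unix extensions` is still on. The script below is an added example (not Samba's code and not part of this ticket) that applies that check to a config file; it assumes the Samba 4.11+ defaults (`server min protocol = SMB2_02`, `unix extensions = yes`) and uses constructed sample configs.

```python
"""Flag smb.conf files exposed to the CVE-2022-3592 symlink escape via SMB1.

Added example; the logic follows the advisory's workaround, not Samba source.
Assumed defaults are those of Samba >= 4.11 (SMB1 off, unix extensions on).
"""

# Dialects at or below NT1 let clients negotiate SMB1; SMB2+ values do not.
SMB1_DIALECTS = {"core", "coreplus", "lanman1", "lanman2", "nt1"}
DEFAULTS = {"server min protocol": "SMB2_02", "unix extensions": "yes"}
TRUE_WORDS = {"yes", "true", "1", "on"}


def parse_smb_conf(text):
    """Minimal smb.conf parser: {section: {key: value}}, names lowercased."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:   # stray text outside a section
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def smb1_symlink_exposure(text):
    """Return (exposed, reason) for the [global] section of an smb.conf."""
    g = parse_smb_conf(text).get("global", {})
    # "min protocol" is Samba's documented synonym for "server min protocol".
    min_proto = g.get("server min protocol",
                      g.get("min protocol", DEFAULTS["server min protocol"]))
    if min_proto.lower() not in SMB1_DIALECTS:
        return False, "SMB1 cannot be negotiated (server min protocol = %s)" % min_proto
    unix_ext = g.get("unix extensions", DEFAULTS["unix extensions"]).lower()
    if unix_ext not in TRUE_WORDS:
        return False, "SMB1 enabled, but unix extensions = no blocks symlink creation"
    return True, "SMB1 enabled with unix extensions on: SMB1 clients can create symlinks"


# Constructed sample configs (not taken from the ticket).
WEAK_CONF = "[global]\n   workgroup = EXAMPLE\n   server min protocol = NT1\n[share]\n   path = /srv/share\n"
FIXED_CONF = WEAK_CONF.replace("[share]", "   unix extensions = no\n[share]")

if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("fixed", FIXED_CONF)):
        print(name, smb1_symlink_exposure(conf))
```

Running it reports the weak config as exposed and the one with `unix extensions = no` as not; a config that leaves `server min protocol` at its default is likewise reported as not exposed, since SMB1 is never negotiated.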

comment:6 by Douglas R. Reno, 18 months ago

Resolution: fixed
Status: assigned → closed

comment:7 by Douglas R. Reno, 18 months ago

Issued SA-11.2-025
