====================================================================
CERT-Renater Information Note No. 2018/VULN263
_____________________________________________________________________
DATE : 31/08/2018
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running Samba versions since 3.2.0 prior to 4.8.4, 4.7.9, 4.6.16.
=====================================================================

https://www.samba.org/samba/security/CVE-2018-10858.html
https://www.samba.org/samba/security/CVE-2018-10918.html
https://www.samba.org/samba/security/CVE-2018-10919.html
https://www.samba.org/samba/security/CVE-2018-1139.html
https://www.samba.org/samba/security/CVE-2018-1140.html

_____________________________________________________________________
CVE-2018-10858.html

===========================================================
== Subject:     Insufficient input validation on client directory
==              listing in libsmbclient.
==
== CVE ID#:     CVE-2018-10858
==
== Versions:    Samba 3.2.0 - 4.8.3 (inclusive)
==
== Summary:     A malicious server could return a directory entry
==              that could corrupt libsmbclient memory.
==
===========================================================

===========
Description
===========

Samba releases 3.2.0 to 4.8.3 (inclusive) contain an error in
libsmbclient that could allow a malicious server to overwrite client
heap memory by returning an extra-long filename in a directory listing.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Samba versions 4.6.16, 4.7.9 and 4.8.4 have been released with fixes
for this issue.

==========
Workaround
==========

None

=======
Credits
=======

This vulnerability was found by Svyatoslav Phirsov and was fixed by
Jeremy Allison of Google and the Samba team.
_____________________________________________________________________
CVE-2018-10918.html

====================================================================
== Subject:     Denial of Service Attack on AD DC DRSUAPI server
==
== CVE ID#:     CVE-2018-10918
==
== Versions:    All versions of Samba from 4.7.0 onwards.
==
== Summary:     Missing null pointer checks may crash the Samba AD
==              DC, over the authenticated DRSUAPI RPC service.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.7.0 onwards are vulnerable to a denial of
service attack which can crash the "samba" process when Samba is an
Active Directory Domain Controller.

Missing database output checks on the returned directory attributes
from the LDB database layer cause the DsCrackNames call in the DRSUAPI
server to crash when following a NULL pointer. This call is only
available after authentication.

There is no further vulnerability associated with this error, merely a
denial of service.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.4 and Samba 4.7.9 have been issued as security
releases to correct the defect. Patches against older Samba versions
are available at http://samba.org/samba/patches/.

Samba vendors and administrators running affected versions are advised
to upgrade or apply the patch as soon as possible.

==========
Workaround
==========

No workaround is possible while acting as a Samba AD DC.

=======
Credits
=======

The issue was reported by Volker Mauel. Andrew Bartlett of Catalyst and
the Samba Team provided the test and patches.
_____________________________________________________________________
CVE-2018-10919.html

====================================================================
== Subject:     Confidential attribute disclosure from the AD LDAP
==              server
==
== CVE ID#:     CVE-2018-10919
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     Missing access control checks allow discovery of
==              confidential attribute values via authenticated
==              LDAP search expressions
==
====================================================================

===========
Description
===========

All versions of the Samba Active Directory LDAP server from 4.0.0
onwards are vulnerable to the disclosure of confidential attribute
values, both for attributes where the SEARCH_FLAG_CONFIDENTIAL (0x80)
searchFlags bit is set in the schema and for attributes where an
explicit Access Control Entry has been specified on the
ntSecurityDescriptor.

The confidential attribute disclosure is via the search expression and
can be seen by the return (or failure to return) of matching LDAP
objects.

This issue does NOT apply to secret attributes such as unicodePwd.
These values have always been prohibited in LDAP search expressions.
(Additionally, since Samba 4.8 they remain encrypted at search
expression processing time.)

The following attributes in the 2008R2 AD schema have
SEARCH_FLAG_CONFIDENTIAL set in the searchFlags by default:

    unixUserPassword, msFVE-KeyPackage, msFVE-RecoveryPassword,
    msPKIAccountCredentials, msPKI-CredentialRoamingTokens,
    msPKIDPAPIMasterKeys, msPKIRoamingTimeStamp, msTPM-OwnerInformation

For clarity: unixUserPassword is NOT populated by Samba.

================
Remaining issues
================

Samba makes no attempt to address possible timing attacks against the
LDAP server. Data (aside from secret attributes, already subject to
special processing) of such sensitivity that a timing attack would be
worthwhile should not be stored in Active Directory.
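As an added illustration of the search-expression disclosure described above (model code written for this note, not Samba's implementation): a simplified LDAP equality-filter evaluator in its pre-fix and fixed forms. The schema, the two directory entries and the rule that only `Administrator` may read confidential attributes are constructed assumptions.

```python
import re

SEARCH_FLAG_CONFIDENTIAL = 0x80  # searchFlags bit named in the advisory

# Constructed schema, directory and access policy for this model (not real
# AD data); only the BitLocker recovery-password attribute is confidential.
SCHEMA_SEARCH_FLAGS = {"msFVE-RecoveryPassword": SEARCH_FLAG_CONFIDENTIAL}
PRIVILEGED = {"Administrator"}  # assumed: only these may read confidential attrs
DIRECTORY = [
    ("CN=LAPTOP1,CN=Computers,DC=example,DC=test",
     {"cn": ["LAPTOP1"], "msFVE-RecoveryPassword": ["123456-654321-000000"]}),
    ("CN=LAPTOP2,CN=Computers,DC=example,DC=test",
     {"cn": ["LAPTOP2"], "msFVE-RecoveryPassword": ["999999-111111-222222"]}),
]
# One equality term such as "(cn=LAPTOP1)"; a trailing '*' means prefix match.
_TERM = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<pattern>[^)]*)\)$")


def can_read(requester, attr):
    """Access check: confidential attributes need explicit rights (assumed policy)."""
    if SCHEMA_SEARCH_FLAGS.get(attr, 0) & SEARCH_FLAG_CONFIDENTIAL:
        return requester in PRIVILEGED
    return True


def term_matches(attrs, attr, pattern):
    values = attrs.get(attr, [])
    if pattern.endswith("*"):
        return any(v.startswith(pattern[:-1]) for v in values)
    return pattern in values


def search(requester, filter_str, hardened):
    """Return the DNs matching filter_str.

    hardened=False models the pre-fix server: the filter sees every stored
    value, so an object's presence in the result reveals whether its
    confidential value matched, although the attribute itself is never
    returned. hardened=True models the fix: attributes the requester may
    not read are treated as absent while the filter is evaluated.
    """
    m = _TERM.match(filter_str)
    if m is None:
        raise ValueError("only single equality terms are modelled")
    attr, pattern = m["attr"], m["pattern"]
    results = []
    for dn, attrs in DIRECTORY:
        if hardened:
            attrs = {a: v for a, v in attrs.items() if can_read(requester, a)}
        if term_matches(attrs, attr, pattern):
            results.append(dn)
    return results
```

With `hardened=True` an unprivileged requester gets the same (empty) result for every probe of a confidential attribute, while searches on readable attributes such as `cn` are unaffected.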
==================
Patch Availability
==================

A patch addressing this defect has been posted to

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.4, Samba 4.7.9 and 4.6.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/.

Samba vendors and administrators running affected versions are advised
to upgrade or apply the patch as soon as possible.

==========================
Workarounds and Mitigation
==========================

The only workaround is not to use the SEARCH_FLAG_CONFIDENTIAL
searchFlags bit, not to expect confidentiality of the attribute list
above, nor to set access control entries of a similar nature on LDAP
objects.

=======
Credits
=======

The issue was reported by Phillip Kuhrt. Tim Beale of Catalyst provided
the test and patches.

_____________________________________________________________________
CVE-2018-1139.html

===========================================================
== Subject:     Weak authentication protocol allowed.
==
== CVE ID#:     CVE-2018-1139
==
== Versions:    Samba 4.7.0 - 4.8.3 (inclusive)
==
== Summary:     Samba 4.7 and 4.8 are affected by a vulnerability
==              that allows authentication via NTLMv1 even if disabled.
==
===========================================================

===========
Description
===========

Samba releases 4.7.0 to 4.8.3 (inclusive) contain an error which allows
authentication using NTLMv1 over an SMB1 transport (either directly or
via NETLOGON SamLogon calls from a member server), even when NTLMv1 is
explicitly disabled on the server.

Normally, the use of NTLMv1 is disabled by default in favor of NTLMv2.
This has been the default since Samba 4.5. A code restructuring in the
NTLM authentication implementation of Samba in 4.7.0 caused this
regression to occur.

Additionally, it is the responsibility of the client to send the
strongest authentication hash possible.
The server-side restrictions primarily aid in ensuring consistent client
policy. Because by default clients using SMB2, or SMB1 when SPNEGO or
NTLMSSP is in use, will choose a more recent authentication dialect (at
least so-called NTLM2 session security, and typically NTLMv2), this
oversight impacts only extreme misconfigurations or legacy clients on
early dialects of SMB1.

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Samba versions 4.7.9 and 4.8.4 have been released with fixes for this
issue.

==========
Workaround
==========

None

=======
Credits
=======

This vulnerability was found by Vivek Das from Red Hat and was fixed by
Stefan Metzmacher of SerNet and the Samba team and Andrew Bartlett of
Catalyst and the Samba team.

_____________________________________________________________________
CVE-2018-1140.html

====================================================================
== Subject:     Denial of Service Attack on DNS and LDAP server
==
== CVE ID#:     CVE-2018-1140
==
== Versions:    All versions of Samba from 4.8.0 onwards.
==
== Summary:     Missing null pointer checks may crash the Samba AD
==              DC, both over DNS and LDAP
==
====================================================================

===========
Description
===========

All versions of Samba from 4.8.0 onwards are vulnerable to a denial of
service attack when Samba is an Active Directory Domain Controller.

Missing input sanitization checks on some of the input parameters to
the LDB database layer cause the LDAP server and DNS server to crash
when following a NULL pointer.

There is no further vulnerability associated with this error, merely a
denial of service.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

    http://www.samba.org/samba/security/

Additionally, Samba 4.8.4, LDB 1.4.1 and 1.3.5 have been issued as
security releases to correct the defect.
Patches against older Samba versions are available at
http://samba.org/samba/patches/.

Samba vendors and administrators running affected versions are advised
to upgrade or apply the patch as soon as possible.

==========
Workaround
==========

No workaround is possible while acting as a Samba AD DC. Disabling the
'dns' and 'ldap' services in the smb.conf (e.g. 'server services = -dns
-ldap') would remove essential elements in the AD DC.

The use of BIND9_DLZ (loading a DLZ .so for LDB database access into
the BIND 9 DNS server) is subject to the same issue.

=======
Credits
=======

The initial bugs were found by Laurent Debomy (DNS) and Andrej Gessel
(LDB). Kai Blin of the Samba Team, Garming Sam, Douglas Bagnall and
Andrew Bartlett of Catalyst and the Samba Team did the investigation
and provided the final fix.

=========================================================
+ CERT-RENATER                | tel : 01-53-94-20-44        +
+ 23/25 Rue Daviel            | fax : 01-53-94-20-41        +
+ 75013 Paris                 | email: cert@support.renater.fr +
=========================================================