
=====================================================================

                           CERT-Renater

               Note d'Information No. 2013/VULN493
_____________________________________________________________________

DATE                : 12/11/2013

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S) : Systems running Samba versions 3.2.x, 3.3.x,
                      3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x
                      prior to 3.6.20, 4.0.11, 4.1.1.

======================================================================
http://www.samba.org/samba/security/CVE-2013-4475
http://www.samba.org/samba/security/CVE-2013-4476
______________________________________________________________________

CVE-2013-4475.html:

===========================================================
== Subject:     ACLs are not checked on opening an alternate
==              data stream on a file or directory.
==
== CVE ID#:     CVE-2013-4475
==
== Versions:    All versions of Samba later than 3.2.0
==
== Summary:     When opening an alternate data stream on a file
==              or directory, any Windows ACL present on that
==              underlying file or directory is not used to
==              control access to the alternate data stream.
==
===========================================================

===========
Description
===========

Samba versions 3.2.0 and above (all versions of 3.2.x, 3.3.x,
3.4.x, 3.5.x, 3.6.x, 4.0.x and 4.1.x) do not check the underlying
file or directory ACL when opening an alternate data stream.

According to the SMB1 and SMB2+ protocols the ACL on an underlying
file or directory should control what access is allowed to alternate
data streams that are associated with the file or directory.

By default no version of Samba supports alternate data streams
on files or directories.

Samba can be configured to support alternate data streams by loading
either of two virtual file system (VFS) modules supplied with Samba,
vfs_streams_depot or vfs_streams_xattr, so this bug only affects Samba
servers configured this way.

To determine if your server is vulnerable, check for the strings
"streams_depot" or "streams_xattr" inside your smb.conf configuration
file.
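
The check above amounts to a grep for the two module names. The following script, added here as an illustration and not part of the Samba advisory or the Samba project, goes slightly further: it parses smb.conf, ignores commented-out lines and reports which section ([global] or a share) actually loads streams_depot or streams_xattr, which also makes it a quick way to confirm that the workaround in the next section was applied to every share. The smb.conf it scans is a constructed sample; point it at a real file, or at the output of "testparm -s" if you use include files, to check a live server.

```shell
#!/bin/sh
# Added example (not part of the Samba advisory or the Samba project):
# find the VFS modules that expose the CVE-2013-4475 code path.
# Unlike a bare grep, it skips commented-out lines and reports which
# section loads the module, so a leftover "; vfs objects = streams_depot"
# does not produce a false positive.

# Print "section:module" for every active "vfs objects" line that loads
# streams_depot or streams_xattr. Samba ignores whitespace and case in
# parameter names, so "vfsobjects" and "VFS Objects" are matched too.
find_stream_modules() {
    awk '
        /^[ \t]*[;#]/ { next }                          # comment line
        /^[ \t]*\[.*][ \t]*$/ {                         # [section] header
            sec = substr($0, index($0, "[") + 1)
            sec = substr(sec, 1, index(sec, "]") - 1)
            next
        }
        tolower($0) ~ /^[ \t]*vfs[ \t]*objects[ \t]*=/ {
            val = $0
            sub(/^[^=]*=/, "", val)                     # keep the value only
            n = split(val, mods, "[ \t]+")
            for (i = 1; i <= n; i++)
                if (mods[i] == "streams_depot" || mods[i] == "streams_xattr")
                    print sec ":" mods[i]
        }
    ' "$1"
}

# Constructed smb.conf used for the demonstration (not a real host's file):
# the [global] line is active, the next one is commented out, and
# [data] loads streams_depot on its own.
make_sample_conf() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
[global]
   workgroup = EXAMPLE
   vfs objects = acl_xattr streams_xattr
   ; vfs objects = streams_depot

[homes]
   read only = no

[data]
   path = /srv/data
   vfs objects = streams_depot
EOF
    echo "$f"
}

# Demonstration on the constructed file; on a real server call
# find_stream_modules /etc/samba/smb.conf instead.
sample=$(make_sample_conf)
find_stream_modules "$sample"   # prints global:streams_xattr and data:streams_depot
rm -f "$sample"
```

An empty result means neither module is loaded anywhere in the file and the server is not affected by this issue; any line printed names a section that still needs the workaround or the patched release.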

==================
Patch Availability
==================

Patches addressing this issue have been posted to:

    http://www.samba.org/samba/security/

Samba versions 3.6.20, 4.0.11, and 4.1.1 have been released to
address this issue.

==========
Workaround
==========

Remove all uses of:

vfs objects = streams_depot

and:

vfs objects = streams_xattr

from the [global] section of your smb.conf file, and from
all share definitions in your smb.conf file.

=======
Credits
=======

This issue was discovered by Hemanth Thummala,
and the Samba Team would like to thank Hemanth for bringing this to
our attention.

Patches provided by Jeremy Allison of the Samba Team.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================
__________________________________________________________________

CVE-2013-4476.html:

===========================================================
== Subject:     Private key in key.pem world readable
==
== CVE ID#:     CVE-2013-4476
==
== Versions:    Samba 4.0.0 - 4.0.10 (inclusive),
==              Samba 4.1.0 (inclusive)
==
== Summary:     In setups which provide ldap(s) and/or
==              https services, the private key for SSL/TLS encryption
==              might be world readable. This typically happens in
==              active directory domain controller setups.
==
===========================================================

===========
Description
===========

Due to incorrect directory and file permissions a local attacker might
obtain the private key that is used for the SSL/TLS encryption for
ldaps (including STARTTLS on ldap) and https network traffic.

The attacker is then able to decrypt encrypted network traffic which
may contain confidential information like passwords.

Note that the http(s) service is not started by default, only if the
"server services" option contains "web".

The ldap(s) service is only started if Samba is configured as an
active directory domain controller.

$ samba-tool testparm -v --suppress-prompt | grep 'server role'
        server role = active directory domain controller

$ samba-tool testparm -v --suppress-prompt | grep 'server service'
        server services = s3fs, rpc, nbt, wrepl, ldap, cldap, kdc,
drepl, winbind, ntp_signd, kcc, dnsupdate, dns

$ samba-tool testparm -v --suppress-prompt | grep tls
        tls enabled = Yes
        tls keyfile = tls/key.pem
        tls certfile = tls/cert.pem
        tls cafile = tls/ca.pem
        tls crlfile =
        tls dh params file =
$ samba-tool testparm -v --suppress-prompt | grep 'private dir'
        private dir = /var/lib/samba/private

The full path to the keyfile is ${private_dir}/${tls_keyfile},
e.g. /var/lib/samba/private/tls/key.pem.

The TLS certificates are autogenerated and self-signed on the first
start of 'samba'. In unpatched Samba versions the permissions
typically look like this:

$ ls -lad /var/lib/samba
drwxr-xr-x 7 root root 4096 Feb 13  2013 /var/lib/samba

$ ls -lad /var/lib/samba/private
drwxr-xr-x 6 root root 4096 Sep 24 04:00 /var/lib/samba/private

$ ls -la /var/lib/samba/private/tls/
total 20
drwxr-xr-x 2 root root 4096 Feb  5  2013 .
drwxr-xr-x 6 root root 4096 Sep 24 04:00 ..
-rw-r--r-- 1 root root  985 Feb  5  2013 ca.pem
-rw-r--r-- 1 root root  985 Feb  5  2013 cert.pem
-rw-r--r-- 1 root root  883 Feb  5  2013 key.pem

Note: Your vendor/packager might have installed the private directory
with more restrictive permissions (0750 or 0700).

In all cases you should change the permissions of the 'tls' directory
to 0700.

You should remove ca.pem, cert.pem and key.pem and let a (re)start of
'samba' take care of autogenerating a new set of files, if you are not
100% certain that key.pem was protected all the time by parent
directory permissions.

If you can be 100% certain that key.pem has never been exposed for
unauthorized access, you may just change its permission to 0600, if
you really have a good reason to keep the existing keys.

Note: A patched version of Samba will refuse to start if the
permissions of key.pem are not 0600.
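
The steps above (read 'private dir' and 'tls keyfile' from testparm, join them into the key path, then make sure the tls directory is 0700 and key.pem is 0600) can be scripted so the check is repeatable after the workaround or an upgrade. The script below is an added example, not part of the Samba advisory or the Samba project. It assumes an absolute 'tls keyfile' value is used unchanged by Samba (the advisory only shows the relative form), and it demonstrates the check on a constructed testparm output and a constructed directory tree with the world-readable layout shown above.

```shell
#!/bin/sh
# Added example (not part of the Samba advisory or the Samba project):
# locate key.pem from testparm output and verify the permissions the
# advisory requires (tls directory 0700, key.pem 0600), the same
# condition a patched Samba enforces before it starts.

# Read "samba-tool testparm -v --suppress-prompt" output on stdin and print
# ${private dir}/${tls keyfile}. An absolute "tls keyfile" is used as-is
# (assumption about how Samba resolves the path; the advisory only shows
# the relative form).
tls_key_path() {
    awk -F' = ' '
        /^[ \t]*private dir[ \t]*=/ { pd = $2 }
        /^[ \t]*tls keyfile[ \t]*=/ { kf = $2 }
        END {
            if (pd == "" || kf == "") exit 1
            if (kf ~ /^\//) print kf; else print pd "/" kf
        }'
}

# True if the file or directory has exactly the given octal mode.
mode_is() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}

# Return 0 only if key.pem is 0600 and its tls directory is 0700;
# 1 if either is too permissive, 2 if the key file is missing.
check_tls_key_perms() {
    key=$1
    dir=$(dirname "$key")
    rc=0
    if [ ! -f "$key" ]; then
        echo "missing: $key"
        return 2
    fi
    if ! mode_is "$dir" 0700; then
        echo "FAIL: $dir is $(ls -ld "$dir" | cut -c1-10), expected drwx------ (0700)"
        rc=1
    fi
    if ! mode_is "$key" 0600; then
        echo "FAIL: $key is $(ls -ld "$key" | cut -c1-10), expected -rw------- (0600)"
        rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: $key is protected"
    return "$rc"
}

# Constructed testparm output (the relevant lines the advisory shows).
sample_testparm_output() {
    printf '%s\n' \
        '        tls enabled = Yes' \
        '        tls keyfile = tls/key.pem' \
        '        tls certfile = tls/cert.pem' \
        '        private dir = /var/lib/samba/private'
}

# Constructed directory tree reproducing the unpatched, world-readable layout.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/private/tls"
    chmod 0755 "$root/private" "$root/private/tls"
    : > "$root/private/tls/key.pem"
    chmod 0644 "$root/private/tls/key.pem"
    echo "$root"
}

# Demonstration. On a live domain controller run
#   samba-tool testparm -v --suppress-prompt | tls_key_path
# and pass the printed path to check_tls_key_perms.
sample_testparm_output | tls_key_path            # /var/lib/samba/private/tls/key.pem
root=$(make_sample_tree)
check_tls_key_perms "$root/private/tls/key.pem"  # two FAIL lines, exit status 1
chmod 0700 "$root/private/tls" && chmod 0600 "$root/private/tls/key.pem"
check_tls_key_perms "$root/private/tls/key.pem"  # OK line, exit status 0
rm -rf "$root"
```

A passing check only proves the key is protected now; whether it was exposed earlier is exactly the question the advisory leaves to your judgement, and if you cannot answer it with certainty the safe course is the regeneration procedure described above.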

==========
Workaround
==========

Follow the instructions above for regenerating the related files,
and change the permissions of key.pem to 0600 yourself.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.0.11 and 4.1.1 have been issued as security
releases to correct the defect. Samba vendors and administrators
running affected versions are advised to upgrade or apply the patch as
soon as possible or manually apply the workaround.

In the fixed version, samba refuses to start if the permissions of
/var/lib/samba/private/tls/key.pem are not 0600.

=======
Credits
=======

This problem was found by an internal audit of the Samba code by
Stefan Metzmacher and Björn Baumbach of SerNet.

Patches provided by Björn Baumbach of SerNet.

=========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================
