
====================================================================

                                   CERT-Renater

                        Information Note No. 2016/VULN099
_____________________________________________________________________

DATE                : 09/03/2016

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running Samba versions 3, 4 prior to
                            4.4.0rc4, 4.3.6, 4.2.9, 4.1.23.

======================================================================
https://www.samba.org/samba/security/CVE-2015-7560.html
https://www.samba.org/samba/security/CVE-2016-0771.html
_____________________________________________________________________

CVE-2015-7560.html:

===========================================================
== Subject:     Incorrect ACL get/set allowed on symlink path.
==
== CVE ID#:     CVE-2015-7560
==
== Versions:    Samba 3.2.0 to 4.4.0rc3
==
== Summary:     Authenticated client could cause Samba to
==              overwrite ACLs with incorrect owner/group.
==
===========================================================

===========
Description
===========

All versions of Samba from 3.2.0 to 4.4.0rc3 inclusive are vulnerable to
a malicious client overwriting the ownership of ACLs using symlinks.

An authenticated malicious client can use SMB1 UNIX extensions to
create a symlink to a file or directory, and then use non-UNIX SMB1
calls to overwrite the contents of the ACL on the file or directory
linked to.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

    https://www.samba.org/samba/security/

Additionally, Samba 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23 have been issued
as security releases to correct the defect. Patches against older Samba
versions are available at https://www.samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Add the parameter:

unix extensions = no

to the [global] section of your smb.conf and restart smbd.

Alternatively, prohibit the use of SMB1 by setting the parameter:

server min protocol = SMB2

to the [global] section of your smb.conf and restart smbd.

=======
Credits
=======

This problem was found by Jeremy Allison of Google, Inc. and the Samba
Team, who also provided the fix.

_____________________________________________________________________

CVE-2016-0771.html:

===========================================================
== Subject:     Out-of-bounds read in internal DNS server
==
== CVE ID#:     CVE-2016-0771
==
== Versions:    Samba 4.0.0 to 4.4.0rc3
==
== Summary:     Malicious request can cause the Samba internal
==              DNS server to crash or unintentionally return
==              uninitialized memory.
==
===========================================================

===========
Description
===========

All versions of Samba from 4.0.0 to 4.4.0rc3 inclusive, when deployed as
an AD DC and configured to run the internal DNS server, are vulnerable to
an out-of-bounds read during DNS TXT record handling, triggerable by users
with permission to modify DNS records.

A malicious client can upload a specially constructed DNS TXT record,
resulting in a remote denial-of-service attack. As long as the affected
TXT record remains undisturbed in the Samba database, a targeted DNS
query may continue to trigger this exploit.

While unlikely, the out-of-bounds read may bypass safety checks and
allow leakage of memory from the server in the form of a DNS TXT reply.

By default only authenticated accounts can upload DNS records,
as "allow dns updates = secure only" is the default.
Any other value would allow anonymous clients to trigger this
bug, which is a much higher risk.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

    https://www.samba.org/samba/security/

Additionally, Samba 4.4.0rc4, 4.3.6, 4.2.9 and 4.1.23 have been issued
as security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

Use of the BIND DNS backend will avoid this issue.
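As an added illustration, not part of this advisory or of Samba's own tooling, the POSIX shell script below audits an smb.conf for the two CVE-2015-7560 workarounds (unix extensions = no, server min protocol = SMB2) and for the "allow dns updates" setting named in the CVE-2016-0771 description. The sample configurations and the function names are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the advisory or the Samba project: audit an
# smb.conf for the CVE-2015-7560 workarounds ("unix extensions = no" or
# "server min protocol = SMB2") and for the CVE-2016-0771 risk factor
# ("allow dns updates" set to anything other than the "secure only" default).

# smb_global_param FILE KEY: print the normalized value of KEY from [global]
# (last occurrence wins); empty if unset. smb.conf keys are case-insensitive
# and whitespace-tolerant, so both key and value are normalized.
smb_global_param() {
    awk -v want="$2" '
        function norm(s) {
            gsub(/^[ \t]+|[ \t]+$/, "", s); gsub(/[ \t]+/, " ", s)
            return tolower(s)
        }
        /^[ \t]*\[/   { sec = norm($0); next }   # section header
        /^[ \t]*[;#]/ { next }                   # comment line
        sec == "[global]" && index($0, "=") {
            p = index($0, "=")
            if (norm(substr($0, 1, p - 1)) == want) last = norm(substr($0, p + 1))
        }
        END { print last }' "$1"
}

# symlink_acl_mitigated FILE: succeed if either CVE-2015-7560 workaround is set.
symlink_acl_mitigated() {
    case "$(smb_global_param "$1" "unix extensions")" in no|false|0) return 0 ;; esac
    case "$(smb_global_param "$1" "server min protocol")" in smb2*|smb3*) return 0 ;; esac
    return 1
}

# dns_updates_secure FILE: succeed when "allow dns updates" is unset (the
# "secure only" default) or explicitly "secure only".
dns_updates_secure() {
    v=$(smb_global_param "$1" "allow dns updates")
    [ -z "$v" ] || [ "$v" = "secure only" ]
}

# Constructed sample configurations (not real deployments).
VULN_CONF=$(mktemp); HARDENED_CONF=$(mktemp)
printf '[global]\n   workgroup = EXAMPLE\n   Unix Extensions = yes\n   allow dns updates = nonsecure\n' > "$VULN_CONF"
printf '[global]\n   unix extensions = no\n   Server Min Protocol = SMB2\n[homes]\n   read only = no\n' > "$HARDENED_CONF"

for f in "$VULN_CONF" "$HARDENED_CONF"; do
    symlink_acl_mitigated "$f" && a=yes || a=NO
    dns_updates_secure "$f" && d=ok || d=RISK
    echo "$f: CVE-2015-7560 workaround present=$a, dns updates secure=$d"
done
```

Point the two functions at a live /etc/samba/smb.conf to check a host; the BIND backend workaround for CVE-2016-0771 is a provisioning choice and is not covered by this parser.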

=======
Credits
=======

This problem was found by Garming Sam and Douglas Bagnall of Catalyst IT
(www.catalyst.net.nz), with collaboration from the Samba-Team to provide
the fix.


==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER          | tel : 01-53-94-20-44           +
+ 23 - 25 Rue Daviel    | fax : 01-53-94-20-41           +
+ 75013 Paris           | email: cert@support.renater.fr +
==========================================================