==================================================================== CERT-Renater Note d'Information No. 2019/VULN349 _____________________________________________________________________ DATE : 30/10/2019 HARDWARE PLATFORM(S): / OPERATING SYSTEM(S): Systems running Samba versions prior to 4.11.2, 4.10.10, 4.9.15. ===================================================================== https://www.samba.org/samba/security/CVE-2019-10218.html https://www.samba.org/samba/security/CVE-2019-14833.html https://www.samba.org/samba/security/CVE-2019-14847.html _____________________________________________________________________ CVE-2019-10218.html =========================================================== == Subject: Client code can return filenames containing == path separators. == == CVE ID#: CVE-2019-10218 == == Versions: All versions of Samba. == == Summary: Malicious servers can cause Samba client code to return filenames containing path separators to calling code. =========================================================== =========== Description =========== Samba client code (libsmbclient) returns server-supplied filenames to calling code without checking for pathname separators (such as "/" or "../") in the server returned names. A malicious server can craft a pathname containing separators and return this to client code, causing the client to use this access local pathnames for reading or writing instead of SMB network pathnames. This access is done using the local privileges of the client. This attack can be achieved using any of SMB1/2/3 as it is not reliant on any specific SMB protocol version. Specifically, samba client tools like smbget and smbclient's mget use the server supplied 'final' name component as a local name when obtaining multiple files. While the design of these tools is that server can always choose the file names, this vulnerability is that it allows a remote server to create local files outside the current working directory. Users of the libsmbclient library external to Samba may also be vulnerable if they use server returned filenames without adequate checking and pass them to functions that do local filesystem access. Note that the Gnome GVFS client library is not believed to be vulnerable, as it always passes server-returned pathnames back to the SMB share they were returned from. Such malformed pathnames are then rejected by the server. ================== Patch Availability ================== Patches addressing both these issues have been posted to: http://www.samba.org/samba/security/ Additionally, Samba 4.11.2, 4.10.10 and 4.9.15 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSSv3: AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N (5.3) ========== Workaround ========== None. ======= Credits ======= Originally reported by Michael Hanselmann. Patches provided by Jeremy Allison of the Samba Team and Google. Advisory by Jeremy Allison of the Samba Team and Google and Andrew Bartlett of the Samba Team and Catalyst. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== _____________________________________________________________________ CVE-2019-14833.html ===================================================================== == Subject: Samba AD DC check password script does not receive == the full password. == == CVE ID#: CVE-2019-14833 == == Versions: Samba 4.5.0 and later == == Summary: When the password contains multi-byte (non-ASCII) == characters, the check password script does not == receive the full password string. ===================================================================== =========== Description =========== Since Samba Version 4.5.0 a Samba AD DC can use a custom command to verify the password complexity. The command can be specified with the "check password script" smb.conf parameter. This command is called when Samba handles a user password change or a new user password is set. The script receives the new cleartext password string in order to run custom password complexity checks like dictionary checks to avoid weak user passwords. When the password contains multi-byte (non-ASCII) characters, the check password script does not receive the full password string. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.11.2, 4.10.10 and 4.9.15 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (4.2) ========== Workaround ========== If the check password script parameter is not specified, Samba runs the internal password quality checks. The internal check makes sure that a password contains characters from three of five different characters categories. ======= Credits ======= Originally reported by Simon Fonteneau in 2016 and indicated as security issue by Björn Baumbach. Patches provided by Björn Baumbach of the Samba Team and SerNet and Andrew Bartlett of the Samba Team and Catalyst. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== _____________________________________________________________________ CVE-2019-14847.html =========================================================== == Subject: User with "get changes" permission can == crash AD DC LDAP server via dirsync == == CVE ID#: CVE-2019-14847 == == Versions: Samba 4.0.0 until Samba 4.10.9 == == Summary: Users with the "get changes" extended access == right can crash the AD DC LDAP server by == requesting an attribute using the range= syntax. =========================================================== =========== Description =========== Since Samba 4.0.0 Samba has implemented, in the AD DC, the "dirsync" LDAP control specified in MS-ADTS "3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID". However, when combined with the ranged results feature specified in MS-ADTS "3.1.1.3.1.3.3 Range Retrieval of Attribute Values" a NULL pointer is can be de-referenced. This is a Denial of Service only, no further escalation of privilege is associated with this issue. Samba 4.11 is not affected as the issue was fixed as a result of Coverity static analysis, before the potential for denial of service became apparent. ================== Patch Availability ================== Patches addressing both these issues have been posted to: https://www.samba.org/samba/security/ Additionally, Samba 4.9.15 and 4.10.10 have been issued as security releases to correct the defect. Samba administrators are advised to upgrade to these releases or apply the patch as soon as possible. ================== CVSSv3 calculation ================== CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H (4.9) ========================== Workaround and mitigation. ========================== By default, the supported versions of Samba impacted by this issue run using the "standard" process model, which is unaffected. This is controlled by the -M or --model parameter to the samba binary. Unsupported Samba versions before Samba 4.7 use a single process for the LDAP server, and so are impacted. Samba 4.8, 4.9 and 4.10 are impacted if -M prefork or -M single is used. To mitigate this issue, select -M standard (the default). ======= Credits ======= Originally reported by Adam Xu Patches provided and advisory written by Douglas Bagnall and Andrew Bartlett of the Samba team and Catalyst. ========================================================== == Our Code, Our Bugs, Our Responsibility. == The Samba Team ========================================================== ========================================================= + CERT-RENATER | tel : 01-53-94-20-44 + + 23/25 Rue Daviel | fax : 01-53-94-20-41 + + 75013 Paris | email:cert@support.renater.fr + =========================================================