====================================================================
CERT-Renater Note d'Information No. 2020/VULN032
_____________________________________________________________________

DATE                : 21/01/2020
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S) : Systems running Samba versions 4 prior to
                      4.11.5, 4.10.12, 4.9.18.
=====================================================================

https://www.samba.org/samba/security/CVE-2019-14902.html
https://www.samba.org/samba/security/CVE-2019-14907.html
https://www.samba.org/samba/security/CVE-2019-19344.html

_____________________________________________________________________

CVE-2019-14902.html

===========================================================
== Subject:     Replication of ACLs set to inherit down a
==              subtree on AD Directory not automatic
==
== CVE ID#:     CVE-2019-14902
==
== Versions:    Samba 4.0 and later
==
== Summary:     The implementation of ACL inheritance in the
==              Samba AD DC was not complete, and so absent a
==              'full-sync' replication, ACLs could get out of
==              sync between domain controllers.
===========================================================

===========
Description
===========

A newly delegated right, but more importantly the removal of a
delegated right, would not be inherited on any DC other than the one
where the change was made.

For example:
 - if a user or group was previously delegated the right to create or
   modify a subtree (say to allow desktop support to reset passwords
   and create users)
 - and subsequently this right was taken away

The removal would not automatically be applied on all domain
controllers.

Because this patch only fixes new replication into the future, it is
vital that a full-sync be done TO each Domain Controller to ensure
each ACL (ntSecurityDescriptor) is re-calculated on the whole set of
DCs.

See the instructions in "workaround and required steps post-upgrade"
below.
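As an added example (not part of the Samba advisory or the samba-tool code), the post-upgrade full-sync from the "workaround and required steps post-upgrade" section below, scripted so that each DC is synchronised TO from one partner for both naming contexts the advisory lists; the DC names and the domain DN are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Samba advisory: script the post-upgrade
# full-sync so that each DC is synchronised TO (as destination) from one
# replication partner, for both naming contexts the advisory lists.
# DC names and the domain DN are constructed placeholders.

# fullsync_plan DOMAIN_DN DC1 DC2 [DC3 ...]
# Prints one "samba-tool drs replicate DEST SRC NC --full-sync" line per
# (destination DC, naming context). The source is the next DC in the
# list (wrapping round), so every DC is a destination once per NC and
# no pair-wise sync is needed.
fullsync_plan() {
    domain_dn=$1; shift
    n=$#
    [ "$n" -ge 2 ] || { echo "fullsync_plan: need at least two DCs" >&2; return 1; }
    i=1
    for dest in "$@"; do
        j=$(( i % n + 1 ))          # index of the source DC
        eval "src=\${$j}"
        for nc in "$domain_dn" "CN=Configuration,$domain_dn"; do
            printf 'samba-tool drs replicate %s %s %s --full-sync\n' \
                "$dest" "$src" "$nc"
        done
        i=$(( i + 1 ))
    done
}

# fullsync_run DOMAIN_DN DC1 DC2 ...
# Executes the plan in order and stops at the first failure so an error
# is not hidden by later successes. FULLSYNC_DRY_RUN=1 only prints it.
fullsync_run() {
    fullsync_plan "$@" | while IFS= read -r cmd; do
        if [ "${FULLSYNC_DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            echo "+ $cmd"
            $cmd || { echo "full-sync failed: $cmd" >&2; exit 1; }
        fi
    done
}

# Usage with constructed placeholder names (dry run):
#   FULLSYNC_DRY_RUN=1 fullsync_run DC=samba,DC=example,DC=com my-DC1 my-DC2
```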
==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N (5.4)

==========================================
Workaround and required steps post-upgrade
==========================================

Use of 'samba-tool drs replicate $DC1 $DC2 $NC --full-sync' will cause
all ACLs to be synchronised from DC2 to DC1, for the given NC (naming
context), eg:

 samba-tool drs replicate my-DC1 my-DC2 DC=samba,DC=example,DC=com --full-sync
 samba-tool drs replicate my-DC1 my-DC2 CN=Configuration,DC=samba,DC=example,DC=com --full-sync
 samba-tool drs replicate my-DC2 my-DC1 DC=samba,DC=example,DC=com --full-sync
 samba-tool drs replicate my-DC2 my-DC1 CN=Configuration,DC=samba,DC=example,DC=com --full-sync

Internally, both in patched and un-patched versions, for every object
replicated with a --full-sync, the inheritance will be correctly
calculated.

This only needs to be done TO each DC, not for every pair of DCs.

=======
Credits
=======

Reported by a number of Samba users and sites since 2017, but now
recognised as a security issue after triage. We apologise for the
delay in dealing with this issue.

Patches provided by Andrew Bartlett of the Samba Team and Catalyst.
Advisory written by Andrew Bartlett of the Samba Team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________

CVE-2019-14907.html

===========================================================
== Subject:     Crash after failed character conversion at
==              log level 3 or above
==
== CVE ID#:     CVE-2019-14907
==
== Versions:    Samba 4.0 and later versions
==
== Summary:     When processing untrusted string input Samba
==              can read past the end of the allocated buffer
==              when printing a "Conversion error" message
==              to the logs.
==
===========================================================

===========
Description
===========

If Samba is configured with "log level = 3" (or above), then the
string obtained from the client, after a failed character conversion,
is printed. Such strings can be provided during the NTLMSSP
authentication exchange.

In the Samba AD DC in particular, this may cause a long-lived process
(such as the RPC server) to terminate. (In the file server case, the
most likely target, smbd, operates as process-per-client and so a
crash there is harmless.)

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

Do not set a log level of 3 or above in production.

=======
Credits
=======

Originally reported by Robert Święcki using a fuzzer he wrote.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

_____________________________________________________________________

CVE-2019-19344.html

===========================================================
== Subject:     Use after free during DNS zone scavenging
==              in Samba AD DC
==
== CVE ID#:     CVE-2019-19344
==
== Versions:    Samba 4.9 and later versions
==
== Summary:     During DNS zone scavenging (of expired dynamic
==              entries) there is a read of memory after it has
==              been freed.
===========================================================

===========
Description
===========

Samba 4.9 introduced an off-by-default feature to tombstone
dynamically created DNS records that had reached their expiry time.

This feature is controlled by the smb.conf option:

    dns zone scavenging = yes

There is a use-after-free issue in this code, essentially due to a
call to realloc() while other local variables still point at the
original buffer.

The use is a read, but in quite unlikely conditions (due to NDR
validation unpacking the buffer) that read memory might be saved back
into the DB.

==================
Patch Availability
==================

Patches addressing both these issues have been posted to:

    https://www.samba.org/samba/security/

Additionally, Samba 4.11.5, 4.10.12 and 4.9.18 have been issued as
security releases to correct the defect. Samba administrators are
advised to upgrade to these releases or apply the patch as soon as
possible.

==================
CVSSv3 calculation
==================

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)

==========
Workaround
==========

The code in question is not run in the default configuration, so the
workaround is simply to not set

    dns zone scavenging = yes

=======
Credits
=======

Originally reported by Christian Naumer.

Patches provided by Andrew Bartlett of the Samba team and Catalyst.

==========================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
==========================================================

=========================================================
+ CERT-RENATER            | tel : 01-53-94-20-44          +
+ 23/25 Rue Daviel        | fax : 01-53-94-20-41          +
+ 75013 Paris             | email:cert@support.renater.fr +
=========================================================
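As an added example (not part of the Samba or CERT-Renater advisories), a check that an smb.conf does not carry the two settings whose absence is the workaround for CVE-2019-14907 ("log level" of 3 or above) and CVE-2019-19344 ("dns zone scavenging = yes"); the sample configuration it audits is constructed, and treating a per-class level such as "auth:3" as risky is an assumption made here, not a statement from the advisory.

```shell
#!/bin/sh
# Added example, not part of the Samba advisory: audit an smb.conf for the
# two settings whose absence is the workaround for CVE-2019-14907 ("log
# level" of 3 or above) and CVE-2019-19344 ("dns zone scavenging = yes").
# Only the [global] section is inspected, since both parameters are global.
# Assumption: a per-class level such as "auth:3" is treated as risky too.

# smbconf_audit FILE : prints one finding per line; exit 0 if clean, 1 otherwise.
smbconf_audit() {
    awk '
    function trim(s) { sub(/^[ \t]+/, "", s); sub(/[ \t]+$/, "", s); return s }
    BEGIN { section = "global"; bad = 0 }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }                 # comment or blank line
    /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
                  section = tolower(trim(s)); next }
    section != "global" { next }
    {
        eq = index($0, "="); if (eq == 0) next
        # Samba ignores case and whitespace in parameter names
        key = tolower(substr($0, 1, eq - 1)); gsub(/[ \t]/, "", key)
        val = tolower(trim(substr($0, eq + 1)))
        if (key == "loglevel" || key == "debuglevel") {
            n = split(val, parts, /[ \t]+/)
            for (i = 1; i <= n; i++) {
                lvl = parts[i]; sub(/^.*:/, "", lvl)      # "auth:3" -> "3"
                if (lvl + 0 >= 3) {
                    msg = "CVE-2019-14907: " FILENAME ": log level = " val " (3 or above) - not for production"
                    print msg; bad = 1; break
                }
            }
        }
        if (key == "dnszonescavenging" && (val == "yes" || val == "true" || val == "1")) {
            print "CVE-2019-19344: " FILENAME ": dns zone scavenging enabled (off by default)"
            bad = 1
        }
    }
    END { exit bad }' "$1"
}

# Demo on a constructed sample (point it at /etc/samba/smb.conf in practice):
demo=$(mktemp)
printf '[global]\n   log level = 1 auth:3\n   dns zone scavenging = yes\n' > "$demo"
smbconf_audit "$demo" || echo "risky settings found in $demo"
rm -f "$demo"
```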