Bug 7367 - [Update Request] samba CVE-2017-2619
Status: RESOLVED DUPLICATE of bug 7826
Product: Desktop Bugs
Classification: ROSA Desktop
Component: Main Packages
Assigned To: ROSA Linux Bugs
https://www.samba.org/samba/history/s...
Reported: 2016-09-21 22:05 MSD by Zombie Ryushu
Modified: 2017-09-04 05:20 MSD (History)
RPM Package: samba
Description Zombie Ryushu 2016-09-21 22:05:20 MSD
Under Rosa 2016, for purposes of Future Proofing, Samba 4.4 or 4.5 should be packaged. 

Samba 4.5.0 has been released as stable.

NEW FEATURES/CHANGES
====================

Support for LDAP_SERVER_NOTIFICATION_OID
----------------------------------------

The ldap server has support for the LDAP_SERVER_NOTIFICATION_OID
control. This can be used to monitor the Active Directory database
for changes.

KCC improvements for sparse network replication
-----------------------------------------------

The Samba KCC will now be the default knowledge consistency checker in
Samba AD. Instead of using full mesh replication between every DC, the
KCC will set up connections to optimize replication latency and cost
(using site links to calculate the routes). This change should allow
larger domains to function significantly better in terms of replication
traffic and the time spent performing DRS replication.

VLV - Virtual List View
-----------------------

The VLV Control allows applications to page the LDAP directory in the
way you might expect a live phone book application to operate, without
first downloading the entire directory.

DRS Replication for the AD DC
-----------------------------

DRS Replication in Samba 4.5 is now much more efficient in handling
linked attributes, particularly in large domains with over 1000 group
memberships or other links.

Replication is also much more reliable in the handling of tree
renames, such as the rename of an organizational unit containing many
users.  Extensive tests have been added to ensure this code remains
reliable, particularly in the case of conflicts between objects added
with the same name on different servers.

Schema updates are also handled much more reliably.

samba-tool drs replicate with new options
-----------------------------------------

'samba-tool drs replicate' got two new options:

The option '--local-online' will do the DsReplicaSync() via IRPC
to the local dreplsrv service.

The option '--async-op' will add DRSUAPI_DRS_ASYNC_OP to the
DsReplicaSync(), which won't wait for the replication result.

replPropertyMetaData Changes
----------------------------

During the development of the DRS replication, tests showed that Samba
stores the replPropertyMetaData object incorrectly. To address this,
be aware that 'dbcheck' will now detect and offer to fix all objects in
the domain for this error.

For further information and instructions how to fix the problem, see
https://wiki.samba.org/index.php/Updating_Samba#Fixing_replPropertyMetaData_Attributes

Linked attributes on deleted objects
------------------------------------

In Active Directory, an object that has been tombstoned or recycled
has no linked attributes.  However, Samba incorrectly maintained such
links, slowing replication and run-time performance.  'dbcheck' now
offers to remove such links, and they are no longer kept after the
object is tombstoned or recycled.

Improved AD DC performance
--------------------------

Many other improvements have been made to our LDAP database layer in
the AD DC, to improve performance, both during 'samba-tool domain
provision' and at runtime.

Other dbcheck improvements
--------------------------

 - 'samba-tool dbcheck' can now find and fix a missing or corrupted
   'deleted objects' container.
 - BUG 11433: samba-dbcheck no longer offers to resort auxiliary class values
   in objectClass as these were then re-sorted at the next dbcheck indefinitely.

Tombstone Reanimation
---------------------

Samba now supports tombstone reanimation, a feature in the AD DC
allowing tombstones, that is objects which have been deleted, to be
restored with the original SID and GUID still in place.

Multiple DNS Forwarders on the AD DC
------------------------------------

Previously, the Samba internal DNS server supported only one DNS forwarder.
The "dns forwarder" option has been enhanced and now supports a space-separated
list of multiple DNS server IP addresses. As a result, Samba is now able to
fall back to alternative DNS servers. In case that a DNS query to the first
server timed out, it is sent to the next DNS server listed in the option.

Password quality plugin support in the AD DC
--------------------------------------------

The check password script now operates correctly in the AD DC.

pwdLastSet is now correctly honoured
------------------------------------

BUG 9654: The pwdLastSet attribute is now correctly handled (this previously
permitted passwords that expire next).

net ads dns unregister
----------------------

It is now possible to remove the DNS entries created with 'net ads register'
with the matching 'net ads unregister' command.

samba-tool improvements
------------------------

Running 'samba-tool' on the command line should now be a lot snappier. The tool
now only loads the code specific to the subcommand that you wish to run.

SMB 2.1 Leases enabled by default
---------------------------------

Leasing is an SMB 2.1 (and higher) feature which allows clients to
aggressively cache files locally above and beyond the caching allowed
by SMB 1 oplocks. This feature was disabled in previous releases, but
the SMB2 leasing code is now considered mature and stable enough to be
enabled by default.
Comment 1 Zombie Ryushu 2016-11-16 11:06:51 MSK
Samba 4.3.12 has been released and it might be prudent to update Samba 4.3.x on Rosa 2014 to that.
Comment 2 Zombie Ryushu 2016-12-20 21:59:36 MSK
Package        : samba
CVE ID         : CVE-2016-2119 CVE-2016-2123 CVE-2016-2125 CVE-2016-2126
Debian Bug     : 830195

Several vulnerabilities have been discovered in Samba, an SMB/CIFS file,
print, and login server for Unix. The Common Vulnerabilities and
Exposures project identifies the following issues:

CVE-2016-2119

    Stefan Metzmacher discovered that client-side SMB2/3 required
    signing can be downgraded, allowing a man-in-the-middle attacker to
    impersonate a server being connected to by Samba, and return
    malicious results.

CVE-2016-2123

    Trend Micro's Zero Day Initiative and Frederic Besler discovered
    that the routine ndr_pull_dnsp_name, used to parse data from the
    Samba Active Directory ldb database, contains an integer overflow
    flaw, leading to an attacker-controlled memory overwrite. An
    authenticated user can take advantage of this flaw for remote
    privilege escalation.

CVE-2016-2125

    Simo Sorce of Red Hat discovered that the Samba client code always
    requests a forwardable ticket when using Kerberos authentication. A
    target server, which must be in the current or trusted domain/realm,
    is given a valid general purpose Kerberos "Ticket Granting Ticket"
    (TGT), which can be used to fully impersonate the authenticated user
    or service.

CVE-2016-2126

    Volker Lendecke discovered several flaws in the Kerberos PAC
    validation. A remote, authenticated, attacker can cause the winbindd
    process to crash using a legitimate Kerberos ticket due to incorrect
    handling of the PAC checksum. A local service with access to the
    winbindd privileged pipe can cause winbindd to cache elevated access
    permissions.

For the stable distribution (jessie), these problems have been fixed in
version 2:4.2.14+dfsg-0+deb8u2. In addition, this update contains
several changes originally targeted for the upcoming jessie point
release.
Comment 3 Zombie Ryushu 2016-12-25 02:35:08 MSK
                   ==============================
                   Release Notes for Samba 4.3.13
                          December 19, 2016
                   ==============================


This is a security release in order to address the following defects:

o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
   Overflow Remote Code Execution Vulnerability).
o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
   trusted realms).
o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
   elevation).

=======
Details
=======

o  CVE-2016-2123:
   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
   parses data from the Samba Active Directory ldb database.  Any user
   who can write to the dnsRecord attribute over LDAP can trigger this
   memory corruption.

   By default, all authenticated LDAP users can write to the dnsRecord
   attribute on new DNS objects. This makes the defect a remote privilege
   escalation.

o  CVE-2016-2125
   Samba client code always requests a forwardable ticket
   when using Kerberos authentication. This means the
   target server, which must be in the current or trusted
   domain/realm, is given a valid general purpose Kerberos
   "Ticket Granting Ticket" (TGT), which can be used to
   fully impersonate the authenticated user or service.

o  CVE-2016-2126
   A remote, authenticated, attacker can cause the winbindd process
   to crash using a legitimate Kerberos ticket due to incorrect
   handling of the arcfour-hmac-md5 PAC checksum.

   A local service with access to the winbindd privileged pipe can
   cause winbindd to cache elevated access permissions.
Comment 4 Zombie Ryushu 2016-12-31 09:41:02 MSK
Samba client code always requests a forwardable ticket when using
Kerberos authentication. This means the target server, which must be in
the current or trusted domain/realm, is given a valid general purpose
Kerberos "Ticket Granting Ticket" (TGT), which can be used to fully
impersonate the authenticated user or service (CVE-2016-2125).

https://advisories.mageia.org/MGASA-2016-0431.html
Comment 5 Zombie Ryushu 2017-03-25 19:39:54 MSK
Package        : samba
CVE ID         : CVE-2017-2619

Jann Horn of Google discovered a time-of-check, time-of-use race
condition in Samba, an SMB/CIFS file, print, and login server for Unix. A
malicious client can take advantage of this flaw by exploiting a symlink
race to access areas of the server file system not exported under a
share definition.
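A defender-side check for the CVE-2017-2619 workaround, added here as an example that is not part of the bug report or of Samba's own tooling: Samba's advisory for this CVE recommends `follow symlinks = no` in the [global] section, and the script below parses an smb.conf (the sample is constructed, not from this bug) and lists the file shares that still follow symlinks, applying share-over-global precedence and Samba's default of yes.

```python
# Added example (not Samba code): audit an smb.conf for the CVE-2017-2619
# workaround, i.e. "follow symlinks = no" on every file share, set on the
# share itself or inherited from [global]. Samba's default is yes.
# Constructed sample smb.conf, not taken from the bug report.
SAMPLE_SMB_CONF = """
[global]
[public]
   path = /srv/public
[fixed]
   path = /srv/fixed
   follow symlinks = no
[printers]
   printable = yes
   path = /var/spool/samba
"""

def _canon(name):
    # Samba compares parameter names ignoring case and whitespace
    return "".join(name.split()).lower()

def _to_bool(value):
    return value.strip().lower() in ("yes", "true", "1", "on")

def parse_smb_conf(text):
    # Minimal [section] / key = value parser; blank and comment lines are skipped
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            sections[current][_canon(key)] = value.strip()
    return sections

def shares_following_symlinks(text):
    # Return the names of file shares where symlinks are still followed
    sections = parse_smb_conf(text)
    global_opts = sections.get("global", {})
    exposed = []
    for name, opts in sections.items():
        if name == "global" or _to_bool(opts.get("printable", "no")):
            continue  # [global] itself and print spool shares are skipped
        # share-level value wins, else [global], else Samba's default of yes
        value = opts.get("followsymlinks", global_opts.get("followsymlinks", "yes"))
        if _to_bool(value):
            exposed.append(name)
    return exposed
```

Run it against a real smb.conf to see which shares would still be affected until the package is updated; an empty list means every file share has the workaround in effect.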
Comment 6 Zombie Ryushu 2017-04-07 16:16:16 MSD
ERROR(<type 'exceptions.ValueError'>): uncaught exception - unable to parse dn string
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/__init__.py", line 175, in _run
    return self.run(*args, **kwargs)
  File "/usr/lib64/python2.7/site-packages/samba/netcmd/dbcheck.py", line 136, in run
    controls=controls, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 138, in check_database
    error_count += self.check_object(object.dn, attrs=attrs)
  File "/usr/lib64/python2.7/site-packages/samba/dbchecker.py", line 1389, in check_object
    expected_dn = ldb.Dn(self.samdb, "RDN=RDN,%s" % (parent_dn))
Comment 7 Zombie Ryushu 2017-07-15 10:23:32 MSD
Jeffrey Altman, Viktor Duchovni and Nico Williams identified a mutual authentication bypass vulnerability in Samba, the SMB/CIFS file, print, and login server. Also known as Orpheus' Lyre, this vulnerability is located in the Samba Kerberos Key Distribution Center (KDC-REP) component and could be used by an attacker on the network path to impersonate a server.
Comment 8 Zombie Ryushu 2017-09-04 05:20:19 MSD

*** This bug has been marked as a duplicate of bug 7826 ***