Subject: [ASA-201612-19] samba: multiple issues

Arch Linux Security Advisory ASA-201612-19
==========================================

Severity: Critical
Date    : 2016-12-22
CVE-ID  : CVE-2016-2123 CVE-2016-2125 CVE-2016-2126
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-111

Summary
=======

The package samba before version 4.5.3-1 is vulnerable to multiple issues
including arbitrary code execution, authentication bypass and privilege
escalation.

Resolution
==========

Upgrade to 4.5.3-1.

# pacman -Syu "samba>=4.5.3-1"

The problems have been fixed upstream in version 4.5.3.

Workaround
==========

None.

Description
===========

- CVE-2016-2123 (arbitrary code execution)

The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
parses data from the Samba Active Directory ldb database. Any user who can
write to the dnsRecord attribute over LDAP can trigger this memory
corruption. By default, all authenticated LDAP users can write to the
dnsRecord attribute on new DNS objects, which additionally makes the defect
a remote privilege escalation.

- CVE-2016-2125 (authentication bypass)

Samba client code always requests a forwardable ticket when using Kerberos
authentication. This means the target server, which must be in the current
or trusted domain/realm, is given a valid general-purpose Kerberos "Ticket
Granting Ticket" (TGT), which can be used to fully impersonate the
authenticated user or service.

The risks of impersonation of the client are similar to the well-known
risks from forwarding of NTLM credentials, with two important differences:

  - NTLM forwarding can and should be mitigated with packet signing.
  - Kerberos forwarding can only be attempted after the trusted destination
    server decrypts the ticket.

- CVE-2016-2126 (privilege escalation)

A remote, authenticated attacker can cause the winbindd process to crash
using a legitimate Kerberos ticket, due to incorrect handling of the PAC
checksum. A local service with access to the winbindd privileged pipe can
cause winbindd to cache elevated access permissions.

For the remote attack, the memory overwrite kills the main winbindd process,
and an authenticated attacker can construct this situation by watching for
password changes in Samba. One specific trigger occurs when winbindd changes
its machine account password while the client still has a valid Kerberos
ticket (one that was encrypted with the old password).

Impact
======

A remote authenticated attacker is able to execute arbitrary code, bypass
authentication via unconditional privilege delegation and escalate
privileges via various vectors.

References
==========

https://bugs.archlinux.org/task/52219
https://www.samba.org/samba/security/CVE-2016-2123.html
https://www.samba.org/samba/security/CVE-2016-2125.html
https://www.samba.org/samba/security/CVE-2016-2126.html
https://security.archlinux.org/CVE-2016-2123
https://security.archlinux.org/CVE-2016-2125
https://security.archlinux.org/CVE-2016-2126
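The integer-wrap pattern described for CVE-2016-2123 (a length total that wraps, so a buffer sized from it is overrun when the attacker-supplied labels are copied in), shown as an added example that is not Samba's code: it uses a hypothetical length-prefixed name encoding, not the real dnsp_name format, and places the vulnerable sizing pass next to a hardened parser that checks every length against the remaining input and output before copying.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical encoding, constructed for illustration and NOT Samba's dnsp_name
 * format: one count byte, then each label as a length byte followed by its bytes. */

/* Vulnerable sizing pass: the total lives in a narrow type, so enough labels wrap
 * it to a small value; a buffer sized from it is overrun when the labels are copied. */
size_t sizing_pass_unsafe(const uint8_t *buf, size_t buflen) {
    uint8_t total = 0, ncomp = buflen ? buf[0] : 0;
    for (size_t i = 0, pos = 1; i < ncomp && pos < buflen; i++) {
        uint8_t clen = buf[pos++];
        total += clen + 1;          /* label plus separator: 201 + 101 = 302 wraps to 46 */
        pos += clen;
    }
    return total;
}

/* Hardened pull: size_t counters, and every length is checked against the remaining
 * input and the remaining output (label plus '.' or NUL) before anything is copied. */
bool pull_name_safe(const uint8_t *buf, size_t buflen, char *out, size_t outlen) {
    size_t pos = 1, written = 0;
    if (buflen < 1 || outlen < 1) return false;
    uint8_t ncomp = buf[0];
    for (uint8_t i = 0; i < ncomp; i++) {
        if (pos >= buflen) return false;                /* length byte missing */
        uint8_t clen = buf[pos++];
        if (clen > buflen - pos) return false;          /* label runs past the input */
        if (clen >= outlen - written) return false;     /* label + terminator won't fit */
        memcpy(out + written, buf + pos, clen);
        pos += clen; written += clen;
        if (i + 1 < ncomp) out[written++] = '.';
    }
    out[written] = '\0';
    return true;
}

/* Constructed sample: two labels, 200 x 'a' and 100 x 'b', 303 bytes on the wire. */
static size_t build_sample(uint8_t *buf) {
    buf[0] = 2; buf[1] = 200; memset(buf + 2, 'a', 200);
    buf[202] = 100; memset(buf + 203, 'b', 100);
    return 303;
}
size_t sample_unsafe_total(void) {          /* returns 46, not the true 302 */
    uint8_t buf[512];
    return sizing_pass_unsafe(buf, build_sample(buf));
}
int sample_safe_result(size_t outlen) {     /* 1 = parsed, 0 = rejected; outlen <= 512 */
    uint8_t buf[512]; char out[512];
    return pull_name_safe(buf, build_sample(buf), out, outlen) ? 1 : 0;
}
```

The hardened parser needs exactly 302 bytes of output for the constructed name (300 label bytes, one dot, one NUL) and rejects anything smaller, while the unsafe sizing pass would have allocated for 46.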