Subject: [ASA-201811-22] samba: multiple issues

Arch Linux Security Advisory ASA-201811-22
==========================================

Severity: High
Date    : 2018-11-28
CVE-ID  : CVE-2018-14629 CVE-2018-16841 CVE-2018-16851 CVE-2018-16852
          CVE-2018-16853 CVE-2018-16857
Package : samba
Type    : multiple issues
Remote  : Yes
Link    : https://security.archlinux.org/AVG-823

Summary
=======

The package samba before version 4.9.3-1 is vulnerable to multiple
issues including denial of service and access restriction bypass.

Resolution
==========

Upgrade to 4.9.3-1.

# pacman -Syu "samba>=4.9.3-1"

The problems have been fixed upstream in version 4.9.3.

Workaround
==========

None.

Description
===========

- CVE-2018-14629 (denial of service)

A denial of service security issue has been found in samba from 4.0.0
up to and including 4.9.2, where an unprivileged user can use the
ldbadd tool to add DNS records to create a CNAME loop, causing infinite
query recursion.

- CVE-2018-16841 (denial of service)

A double-free issue has been found in samba from 4.3.0 up to and
including 4.9.2, where a user with a valid certificate or smart card
can crash the Samba AD DC's KDC. When configured to accept smart-card
authentication, Samba's KDC will call talloc_free() twice on the same
memory if the principal in a validly signed certificate does not match
the principal in the AS-REQ. This is only possible after authentication
with a trusted certificate. talloc is robust against further corruption
from a double-free with talloc_free() and directly calls abort(),
terminating the KDC process. There is no further vulnerability
associated with this issue, merely a denial of service.

- CVE-2018-16851 (denial of service)

A NULL pointer de-reference issue has been found in samba from 4.0.0 up
to and including 4.9.2, where a user able to read more than 256MB of
LDAP entries can crash the Samba AD DC's LDAP server.

- CVE-2018-16852 (denial of service)

A NULL pointer de-reference issue has been found in samba from 4.9.0 up
to and including 4.9.2, where a user able to create or modify dnsZone
objects can crash the Samba AD DC's DNS management RPC server, DNS
server or BIND9 when using Samba's DLZ plugin.

- CVE-2018-16853 (denial of service)

A denial of service has been found in samba from 4.7.0 up to and
including 4.9.2, where a user in a Samba AD domain can crash the MIT
KDC by requesting an S4U2Self ticket. This only happens if Samba is
built in an experimental and unsupported MIT Kerberos configuration.

- CVE-2018-16857 (access restriction bypass)

A security issue has been found in samba from 4.9.0 up to and including
4.9.2, where AD DC configurations watching for bad passwords to
restrict brute forcing in a window of more than 3 minutes may not watch
for bad passwords at all.

Impact
======

A remote authenticated user can crash a vulnerable samba server. A
remote attacker can brute-force passwords without triggering the bad
password lockout protection.

References
==========

https://download.samba.org/pub/samba/patches/security/samba-4.9.2-security-2018-11-27.patch
https://www.samba.org/samba/security/CVE-2018-14629.html
https://bugzilla.samba.org/show_bug.cgi?id=13600
https://github.com/samba-team/samba/commit/bf596c14c2462b9a15ea738ef4f32b3abb8b63d1
https://www.samba.org/samba/security/CVE-2018-16841.html
https://bugzilla.samba.org/show_bug.cgi?id=13628
https://github.com/samba-team/samba/commit/6e84215d4aa7ef51096db3b187adbe22cacdd921
https://www.samba.org/samba/security/CVE-2018-16851.html
https://bugzilla.samba.org/show_bug.cgi?id=13674
https://github.com/samba-team/samba/commit/f33f52c366f7cf140f470de44579dcb7eb832629
https://www.samba.org/samba/security/CVE-2018-16852.html
https://bugzilla.samba.org/show_bug.cgi?id=13669
https://github.com/samba-team/samba/commit/05f867db81f118215445f2c49eda4b9c3451d14a
https://github.com/samba-team/samba/commit/c78ca8b9b48a19e71f4d6ddd2e300f282fb0b247
https://www.samba.org/samba/security/CVE-2018-16853.html
https://bugzilla.samba.org/show_bug.cgi?id=13571
https://github.com/samba-team/samba/commit/4aabfecd290cd2769376abf7f170e832becc4112
https://www.samba.org/samba/security/CVE-2018-16857.html
https://bugzilla.samba.org/show_bug.cgi?id=13683
https://github.com/samba-team/samba/commit/862d4909eccd18942e3de8e8b0dc6e1594ec27f1
https://github.com/samba-team/samba/commit/4f86beeaf3408383385ee99a74520a805dd63c0f
https://github.com/samba-team/samba/commit/d12b02c78842786969557b9be7c953e9594d90d
https://github.com/samba-team/samba/commit/60b2cd50f4d0554cc5ca8c53b2d1fa89e56a6d06
https://security.archlinux.org/CVE-2018-14629
https://security.archlinux.org/CVE-2018-16841
https://security.archlinux.org/CVE-2018-16851
https://security.archlinux.org/CVE-2018-16852
https://security.archlinux.org/CVE-2018-16853
https://security.archlinux.org/CVE-2018-16857
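
The CNAME loop described under CVE-2018-14629 can be audited for in an exported set of DNS records. The following is an added example, not part of the advisory or of Samba's code: it reports CNAME cycles and shows an iterative, hop-capped lookup as a generic guard against unbounded recursion. The function names, the hop cap of 8 and the sample records are assumptions constructed for illustration.

```python
# Added example: audit CNAME records for loops; SAMPLE is constructed data.

def normalize(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.rstrip(".").lower()

def find_cname_loops(cnames):
    """Return each distinct CNAME cycle as a list of names in chain order.
    A name has at most one CNAME, so a walk from any start either leaves
    the map or re-enters a name already on the walk.
    """
    table = {normalize(k): normalize(v) for k, v in cnames.items()}
    finished = set()          # names whose chain has been fully checked
    loops = []
    for start in table:
        path, index, node = [], {}, start
        while node in table and node not in finished and node not in index:
            index[node] = len(path)
            path.append(node)
            node = table[node]
        if node in index:     # walked back onto the current path: a cycle
            loops.append(path[index[node]:])
        finished.update(path)
    return loops

def resolve_bounded(name, cnames, max_hops=8):
    """Follow CNAMEs iteratively with a hop cap; None means the cap was hit."""
    table = {normalize(k): normalize(v) for k, v in cnames.items()}
    node = normalize(name)
    for _ in range(max_hops):
        if node not in table:
            break             # reached a name with no CNAME: chain ends here
        node = table[node]
    return node if node not in table else None

SAMPLE = {                    # constructed records, owner name -> CNAME target
    "www.example.test.": "web.example.test.",
    "web.example.test.": "host1.example.test.",
    "a.example.test.": "b.example.test.",
    "b.example.test.": "c.example.test.",
    "c.example.test.": "A.example.test.",
    "self.example.test.": "self.example.test.",
    "entry.example.test.": "b.example.test.",
}

if __name__ == "__main__":
    for loop in find_cname_loops(SAMPLE):
        print("CNAME loop:", " -> ".join(loop + [loop[0]]))
```

Names such as entry.example.test that merely point into a loop are not reported as loops themselves, but the bounded lookup still gives up on them.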