CVE-2016-2126

Source
Severity Medium
Remote Yes
Type Privilege escalation
Description
A remote, authenticated attacker can cause the winbindd process to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.
For the remote attack, the memory overwrite kills the main winbindd process, and an authenticated attacker can construct this situation by watching for password changes in Samba.
One specific trigger occurs when winbindd changes its machine account password and the client still has a valid Kerberos ticket (one that was encrypted with the old password).
Group    Package  Affected  Fixed    Severity  Status  Ticket
AVG-111  samba    4.5.2-1   4.5.3-1  Critical  Fixed   FS#52219
Date         Advisory       Group    Package  Severity  Description
22 Dec 2016  ASA-201612-19  AVG-111  samba    Critical  multiple issues
References
https://www.samba.org/samba/security/CVE-2016-2126.html