
Samba 4.15.2, 4.14.10, 4.13.14 security releases available

There is a set of new Samba releases out there. They fix a long and intimidating list of security issues and seem worth upgrading to for any but the most protected of Samba servers.


From:  Stefan Metzmacher via samba <samba-AT-lists.samba.org>
To:  samba-announce-AT-lists.samba.org, samba-AT-lists.samba.org, samba-technical-AT-lists.samba.org
Subject:  [Announce] Samba 4.15.2, 4.14.10, 4.13.14 Security Releases are available for Download
Date:  Tue, 09 Nov 2021 19:26:03 +0100
Message-ID:  <20211109182554.GA3180235@SERNOX19>



Release Announcements
---------------------

These are security releases in order to address the following defects:

o CVE-2016-2124:  SMB1 client connections can be downgraded to plaintext
                  authentication.
                  https://www.samba.org/samba/security/CVE-2016-2124.html

o CVE-2020-25717: A user on the domain can become root on domain members.
                  https://www.samba.org/samba/security/CVE-2020-25717.html
                  (PLEASE READ! There are important behaviour changes described)

o CVE-2020-25718: Samba AD DC did not correctly sandbox Kerberos tickets issued
                  by an RODC.
                  https://www.samba.org/samba/security/CVE-2020-25718.html

o CVE-2020-25719: Samba AD DC did not always rely on the SID and PAC in Kerberos
                  tickets.
                  https://www.samba.org/samba/security/CVE-2020-25719.html

o CVE-2020-25721: Kerberos acceptors need easy access to stable AD identifiers
                  (eg objectSid).
                  https://www.samba.org/samba/security/CVE-2020-25721.html

o CVE-2020-25722: Samba AD DC did not do sufficient access and conformance
                  checking of data stored.
                  https://www.samba.org/samba/security/CVE-2020-25722.html

o CVE-2021-3738:  Use after free in Samba AD DC RPC server.
                  https://www.samba.org/samba/security/CVE-2021-3738.html

o CVE-2021-23192: Subsequent DCE/RPC fragment injection vulnerability.
                  https://www.samba.org/samba/security/CVE-2021-23192.html

There's sadly a regression that "allow trusted domains = no" prevents winbindd
from starting, we'll try to provide a follow up fix as soon as possible.

Changes:
--------------------

o  Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
   * CVE-2020-25722

o  Andrew Bartlett <abartlet@samba.org>
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722

o  Ralph Boehme <slow@samba.org>
   * CVE-2020-25717

o  Alexander Bokovoy <ab@samba.org>
   * CVE-2020-25717

o  Samuel Cabrero <scabrero@samba.org>
   * CVE-2020-25717

o  Nadezhda Ivanova <nivanova@symas.com>
   * CVE-2020-25722

o  Stefan Metzmacher <metze@samba.org>
   * CVE-2016-2124
   * CVE-2020-25717
   * CVE-2020-25719
   * CVE-2020-25722
   * CVE-2021-23192
   * CVE-2021-3738
   * ldb release 2.3.2 (for Samba 4.14.10)
   * ldb release 2.2.3 (for Samba 4.13.14)

o  Andreas Schneider <asn@samba.org>
   * CVE-2020-25719

o  Joseph Sutton <josephsutton@catalyst.net.nz>
   * CVE-2020-17049
   * CVE-2020-25718
   * CVE-2020-25719
   * CVE-2020-25721
   * CVE-2020-25722
   * MS CVE-2020-17049


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.libera.chat or the
#samba-technical:matrix.org matrix channel.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the Samba 4.1 and newer product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================



================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID AA99442FB680B620).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.15.2.html
        https://www.samba.org/samba/history/samba-4.14.10.html
        https://www.samba.org/samba/history/samba-4.13.14.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba



Samba 4.15.2, 4.14.10, 4.13.14 security releases available

Posted Nov 10, 2021 18:25 UTC (Wed) by ccchips (subscriber, #3222)

Linux Mint 20.2 is showing 4.11.6. Can anyone advise me how I can request this be upgraded, or is it even possible?

Samba 4.15.2, 4.14.10, 4.13.14 security releases available

Posted Nov 11, 2021 22:56 UTC (Thu) by ccchips (subscriber, #3222)

Updated to 4.13.14.

Thank you!

Samba 4.15.2, 4.14.10, 4.13.14 security releases apply to AD domain scenarios only

Posted Nov 12, 2021 20:21 UTC (Fri) by abartlet (subscriber, #3928)

To be clear, the situations that are a worry here are those servers in an AD domain or which are an AD DC. A standalone fileserver in particular is not the concern here.

Samba 4.15.2, 4.14.10, 4.13.14 security releases apply to AD domain scenarios only

Posted Nov 14, 2021 7:03 UTC (Sun) by pabs (subscriber, #43278)

What about Samba based clients of a Windows based AD domain and DC?

Samba 4.15.2, 4.14.10, 4.13.14 security releases apply to AD domain scenarios only

Posted Nov 14, 2021 12:38 UTC (Sun) by docontra (guest, #153758)

From reading the security advisories, Samba clients joined to AD may be vulnerable to CVE-2016-2124 (IIUC, it's the protocol vulnerability that caused Microsoft to disable SMB1 by default in later Windows 10 releases; requires specific client configuration to trigger), CVE-2020-25717 (second highest CVSSv3 rating, but some vulnerabilities were not rated) and CVE-2021-23192 (lowest CVSSv3 rated vulnerability).
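The comment above notes that the CVE-2016-2124 downgrade needs specific client-side configuration to be reachable. As an added illustration (not code from the page, from Samba, or from the commenter), here is a small audit of the [global] section of a domain member's smb.conf that flags the legacy client settings which let an SMB1 client be talked down to weaker authentication. The two smb.conf fragments are constructed for the example; the list of parameters checked, and the defaults assumed when a parameter is unset, are this example's assumptions about current Samba defaults rather than anything the advisory states.

```python
import configparser
import re

# Constructed smb.conf fragments for an AD domain member (not from the page).
# The first keeps the legacy knobs that make an SMB1 authentication downgrade
# reachable; the second is the hardened form of the same configuration.
WEAK_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.COM
    ; still willing to speak SMB1 as a client
    client min protocol = NT1
    ; will hand the cleartext password to a server that asks for it
    client plaintext auth = yes
    client lanman auth = yes
"""

HARDENED_SMB_CONF = """
[global]
    workgroup = EXAMPLE
    security = ads
    realm = EXAMPLE.COM
    client min protocol = SMB2_02
    client plaintext auth = no
    client lanman auth = no
    client ntlmv2 auth = yes
"""

# Dialect names below SMB2 that Samba accepts for "client min protocol".
SMB1_DIALECTS = ("CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1")


def is_false(value):
    return value.strip().lower() in ("no", "false", "0")


def is_true(value):
    return value.strip().lower() in ("yes", "true", "1")


# parameter -> (assumed default when unset, predicate that is True when safe).
# Assumption of this example: these four knobs are the client-side settings
# that matter for the downgrade; the defaults are those of a current Samba.
CHECKS = {
    "client min protocol":   ("SMB2_02", lambda v: v.strip().upper() not in SMB1_DIALECTS),
    "client plaintext auth": ("no",      is_false),
    "client lanman auth":    ("no",      is_false),
    "client ntlmv2 auth":    ("yes",     is_true),
}


def load_global(text):
    """Parse the [global] section roughly the way Samba reads it: parameter
    names are case-insensitive, whitespace inside a name is ignored, and the
    last occurrence of a repeated parameter wins."""
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.optionxform = lambda name: re.sub(r"\s+", "", name).lower()
    cp.read_string(text)
    return dict(cp["global"]) if cp.has_section("global") else {}


def audit(text):
    """Return {parameter: effective value} for every weak client setting,
    taking the assumed default into account when the parameter is absent."""
    settings = load_global(text)
    findings = {}
    for param, (default, safe) in CHECKS.items():
        value = settings.get(param.replace(" ", ""), default)
        if not safe(value):
            findings[param] = value
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print("%s: %s" % (label, audit(conf) or "no findings"))
```

On a real host the same check would be run against `testparm -s -v` output rather than the file, since that shows the effective value of every parameter including the defaults.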

Samba 4.15.2, 4.14.10, 4.13.14 security releases apply to AD domain scenarios only

Posted Nov 15, 2021 7:31 UTC (Mon) by abartlet (subscriber, #3928)

Firstly, sorry for missing the CVSS score on CVE-2016-2124. My stab at this is:

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N (5.3)

(CVSS scores are meant to assume the worst case)

It isn't ideal that it is possible to disclose the NTLMv2 response, due to 'pass the hash' attacks, but by default the plaintext password isn't shown unless other configuration options were set (client plaintext auth). That would make it a 3.1 if you consider an NTLMv2 response a 'limited breach of confidentiality'.

More broadly, there are a few concerns for Samba clients in Windows domains. It depends on what kind of client and what level of trust there is in the DC, but we issued CVE-2020-25717 because the controls around msDS-MachineAccountQuota were way too weak (and Samba was not strict enough about sandboxing AD accounts to an AD-specific namespace).

My personal view is that CVE-2021-23192 was important to fix but it is a server-side issue and assumes a MITM already and a request with multiple fragments (which is rare, and quite unlikely outside the context of being the DC).


Copyright © 2021, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds