[Announce] Samba 4.5.3, 4.4.8 and 4.3.13 Security Releases Available for Download

Karolin Seeger kseeger at samba.org
Mon Dec 19 09:18:12 UTC 2016 

Release Announcements
---------------------

This is a security release in order to address the following CVEs:

o  CVE-2016-2123 (Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer
   Overflow Remote Code Execution Vulnerability).
o  CVE-2016-2125 (Unconditional privilege delegation to Kerberos servers in
   trusted realms).
o  CVE-2016-2126 (Flaws in Kerberos PAC validation can trigger privilege
   elevation).

Please note that the patch for CVE-2016-2126 breaks the build with MIT
Kerberos in Samba 4.4.8 and 4.4.13. Samba 4.5.3 is not affected.
A patch for this issue is available for Samba 4.4 and 4.3 here:

  https://bugzilla.samba.org/show_bug.cgi?id=12471

Additionally, you might run into severe issues when running an AD DC with idmap
settings for member servers (by mistake) and you are upgrading from the last
security release. This invalid configuration (e.g. idmap config * : range =
100000 - 33554431 and similar lines) was ignored formerly and leads to errors
now. The typical error you see is NT_STATUS_INVALID_SID.
For more details, please see the following bug:

  https://bugzilla.samba.org/show_bug.cgi?id=12410

If you're a vendor and would like to ignore this again
via a source code change, also have a look at:

  https://bugzilla.samba.org/show_bug.cgi?id=12155#c20

=======
Details
=======

o  CVE-2016-2123:
   The Samba routine ndr_pull_dnsp_name contains an integer wrap problem,
   leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name
   parses data from the Samba Active Directory ldb database.  Any user
   who can write to the dnsRecord attribute over LDAP can trigger this
   memory corruption.

   By default, all authenticated LDAP users can write to the dnsRecord
   attribute on new DNS objects. This makes the defect a remote privilege
   escalation.

o  CVE-2016-2125
   Samba client code always requests a forwardable ticket
   when using Kerberos authentication. This means the
   target server, which must be in the current or trusted
   domain/realm, is given a valid general purpose Kerberos
   "Ticket Granting Ticket" (TGT), which can be used to
   fully impersonate the authenticated user or service.

o  CVE-2016-2126
   A remote, authenticated, attacker can cause the winbindd process
   to crash using a legitimate Kerberos ticket due to incorrect
   handling of the arcfour-hmac-md5 PAC checksum.

   A local service with access to the winbindd privileged pipe can
   cause winbindd to cache elevated access permissions.


#######################################
Reporting bugs & Development Discussion
#######################################

Please discuss this release on the samba-technical mailing list or by
joining the #samba-technical IRC channel on irc.freenode.net.

If you do report problems then please try to send high quality
feedback. If you don't provide vital information to help us track down
the problem then you will probably be ignored.  All bug reports should
be filed under the "Samba 4.1 and newer" product in the project's Bugzilla
database (https://bugzilla.samba.org/).


======================================================================
== Our Code, Our Bugs, Our Responsibility.
== The Samba Team
======================================================================


================
Download Details
================

The uncompressed tarballs and patch files have been signed
using GnuPG (ID 6F33915B6568B7EA).  The source code can be downloaded
from:

        https://download.samba.org/pub/samba/stable/

Patches addressing this defect have been posted to

        https://www.samba.org/samba/history/security.html

The release notes are available online at:

        https://www.samba.org/samba/history/samba-4.5.3.html
        https://www.samba.org/samba/history/samba-4.4.8.html
        https://www.samba.org/samba/history/samba-4.3.13.html

Our Code, Our Bugs, Our Responsibility.
(https://bugzilla.samba.org/)

                        --Enjoy
                        The Samba Team
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 181 bytes
Desc: Digital signature
URL: <http://lists.samba.org/pipermail/samba-announce/attachments/20161219/6b4e9e37/signature.sig>

More information about the samba-announce mailing list