[SCM] Samba Website Repository - branch master updated
Karolin Seeger
kseeger at samba.org
Tue May 14 06:15:14 UTC 2019
The branch, master has been updated
via af4ea9b NEWS[4.10.3]: Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available
from 60eab79 Add Samba 4.9.7 to the list.
https://git.samba.org/?p=samba-web.git;a=shortlog;h=master
- Log -----------------------------------------------------------------
commit af4ea9b9d702945c2f4583be5d71933635a6b519
Author: Karolin Seeger <kseeger at samba.org>
Date: Tue May 7 11:12:08 2019 +0200
NEWS[4.10.3]: Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available
Signed-off-by: Karolin Seeger <kseeger at samba.org>
-----------------------------------------------------------------------
Summary of changes:
history/header_history.html | 3 +
history/samba-4.10.3.html | 53 ++++++++
history/{samba-4.8.11.html => samba-4.8.12.html} | 34 ++---
history/samba-4.9.8.html | 53 ++++++++
history/security.html | 18 +++
posted_news/20190510-082106.4.10.3.body.html | 23 ++++
posted_news/20190510-082106.4.10.3.headline.html | 4 +
security/CVE-2018-16860.html | 165 +++++++++++++++++++++++
8 files changed, 336 insertions(+), 17 deletions(-)
create mode 100644 history/samba-4.10.3.html
copy history/{samba-4.8.11.html => samba-4.8.12.html} (50%)
create mode 100644 history/samba-4.9.8.html
create mode 100644 posted_news/20190510-082106.4.10.3.body.html
create mode 100644 posted_news/20190510-082106.4.10.3.headline.html
create mode 100644 security/CVE-2018-16860.html
Changeset truncated at 500 lines:
diff --git a/history/header_history.html b/history/header_history.html
index 7d361df..229a679 100755
--- a/history/header_history.html
+++ b/history/header_history.html
@@ -9,9 +9,11 @@
<li><a href="/samba/history/">Release Notes</a>
<li class="navSub">
<ul>
+ <li><a href="samba-4.10.3.html">samba-4.10.3</a></li>
<li><a href="samba-4.10.2.html">samba-4.10.2</a></li>
<li><a href="samba-4.10.1.html">samba-4.10.1</a></li>
<li><a href="samba-4.10.0.html">samba-4.10.0</a></li>
+ <li><a href="samba-4.9.8.html">samba-4.9.8</a></li>
<li><a href="samba-4.9.7.html">samba-4.9.7</a></li>
<li><a href="samba-4.9.6.html">samba-4.9.6</a></li>
<li><a href="samba-4.9.5.html">samba-4.9.5</a></li>
@@ -20,6 +22,7 @@
<li><a href="samba-4.9.2.html">samba-4.9.2</a></li>
<li><a href="samba-4.9.1.html">samba-4.9.1</a></li>
<li><a href="samba-4.9.0.html">samba-4.9.0</a></li>
+ <li><a href="samba-4.8.12.html">samba-4.8.12</a></li>
<li><a href="samba-4.8.11.html">samba-4.8.11</a></li>
<li><a href="samba-4.8.10.html">samba-4.8.10</a></li>
<li><a href="samba-4.8.9.html">samba-4.8.9</a></li>
diff --git a/history/samba-4.10.3.html b/history/samba-4.10.3.html
new file mode 100644
index 0000000..bc5148e
--- /dev/null
+++ b/history/samba-4.10.3.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.10.3 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.10.3 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.3.tar.gz">Samba 4.10.3 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.10.3.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.2-4.10.3.diffs.gz">Patch (gzipped) against Samba 4.10.2</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.10.2-4.10.3.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ ==============================
+ Release Notes for Samba 4.10.3
+ May 14, 2019
+ ==============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
+
+
+=======
+Details
+=======
+
+o CVE-2018-16860:
+ The checksum validation in the S4U2Self handler in the embedded Heimdal KDC
+ did not first confirm that the checksum was keyed, allowing replacement of
+ the requested target (client) principal.
+
+For more details and workarounds, please refer to the security advisory.
+
+
+Changes since 4.10.2:
+---------------------
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 13685: CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed
+ checksum.
+
+
+</pre>
+</p>
+</body>
+</html>
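Review bot: The new page declares an XHTML 1.0 Transitional doctype, but the two download links end in `<br>` rather than `<br />` and the `<pre>` block is nested inside a `<p>`, so the file is not well-formed XHTML. history/security.html in this same commit already uses `<br />`. Suggest self-closing the breaks and dropping the `<p>` wrapper around `<pre>`. The same applies to history/samba-4.9.8.html.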
diff --git a/history/samba-4.8.11.html b/history/samba-4.8.12.html
similarity index 50%
copy from history/samba-4.8.11.html
copy to history/samba-4.8.12.html
index 5be432b..ad104eb 100644
--- a/history/samba-4.8.11.html
+++ b/history/samba-4.8.12.html
@@ -2,49 +2,49 @@
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
-<title>Samba 4.8.11 - Release Notes</title>
+<title>Samba 4.8.12 - Release Notes</title>
</head>
<body>
-<H2>Samba 4.8.11 Available for Download</H2>
+<H2>Samba 4.8.12 Available for Download</H2>
<p>
-<a href="https://download.samba.org/pub/samba/stable/samba-4.8.11.tar.gz">Samba 4.8.11 (gzipped)</a><br>
-<a href="https://download.samba.org/pub/samba/stable/samba-4.8.11.tar.asc">Signature</a>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.8.12.tar.gz">Samba 4.8.12 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.8.12.tar.asc">Signature</a>
</p>
<p>
-<a href="https://download.samba.org/pub/samba/patches/samba-4.8.10-4.8.11.diffs.gz">Patch (gzipped) against Samba 4.8.10</a><br>
-<a href="https://download.samba.org/pub/samba/patches/samba-4.8.10-4.8.11.diffs.asc">Signature</a>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.8.11-4.8.12.diffs.gz">Patch (gzipped) against Samba 4.8.11</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.8.11-4.8.12.diffs.asc">Signature</a>
</p>
<p>
<pre>
==============================
- Release Notes for Samba 4.8.11
- April 8, 2019
+ Release Notes for Samba 4.8.12
+ May 14, 2019
==============================
This is a security release in order to address the following defect:
-o CVE-2019-3880 (Save registry file outside share as unprivileged user)
+o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
=======
Details
=======
-o CVE-2018-14629:
- Authenticated users with write permission
- can trigger a symlink traversal to write
- or detect files outside the Samba share.
+o CVE-2018-16860:
+ The checksum validation in the S4U2Self handler in the embedded Heimdal KDC
+ did not first confirm that the checksum was keyed, allowing replacement of
+ the requested target (client) principal.
For more details and workarounds, please refer to the security advisory.
-Changes since 4.8.10:
+Changes since 4.8.11:
---------------------
-o Jeremy Allison <jra at samba.org>
- * BUG 13851: CVE-2018-14629: rpc: winreg: Remove implementations of
- SaveKey/RestoreKey.
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 13685: CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed
+ checksum.
</pre>
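Review bot: The copy source history/samba-4.8.11.html still carries a CVE mismatch, visible in the removed lines here: its summary names CVE-2019-3880 while its Details section and the BUG 13851 changelog entry name CVE-2018-14629. Because this is a copy and not a rename, 4.8.11.html stays published with that inconsistency. The new 4.8.12 text is consistent (CVE-2018-16860 throughout), so nothing needs changing in this hunk, but a follow-up fix to 4.8.11.html would be worthwhile.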
diff --git a/history/samba-4.9.8.html b/history/samba-4.9.8.html
new file mode 100644
index 0000000..42af2b3
--- /dev/null
+++ b/history/samba-4.9.8.html
@@ -0,0 +1,53 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+<head>
+<title>Samba 4.9.8 - Release Notes</title>
+</head>
+<body>
+<H2>Samba 4.9.8 Available for Download</H2>
+<p>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.8.tar.gz">Samba 4.9.8 (gzipped)</a><br>
+<a href="https://download.samba.org/pub/samba/stable/samba-4.9.8.tar.asc">Signature</a>
+</p>
+<p>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.9.7-4.9.8.diffs.gz">Patch (gzipped) against Samba 4.9.7</a><br>
+<a href="https://download.samba.org/pub/samba/patches/samba-4.9.7-4.9.8.diffs.asc">Signature</a>
+</p>
+<p>
+<pre>
+ =============================
+ Release Notes for Samba 4.9.8
+ May 14, 2019
+ =============================
+
+
+This is a security release in order to address the following defect:
+
+o CVE-2018-16860 (Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum)
+
+
+=======
+Details
+=======
+
+o CVE-2018-16860:
+ The checksum validation in the S4U2Self handler in the embedded Heimdal KDC
+ did not first confirm that the checksum was keyed, allowing replacement of
+ the requested target (client) principal.
+
+For more details and workarounds, please refer to the security advisory.
+
+
+Changes since 4.9.7:
+--------------------
+
+o Isaac Boukris <iboukris at gmail.com>
+ * BUG 13685: CVE-2018-16860: Heimdal KDC: Reject PA-S4U2Self with unkeyed
+ checksum.
+
+
+</pre>
+</p>
+</body>
+</html>
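Review bot: The line "For more details and workarounds, please refer to the security advisory." gives the reader no URL or path to that advisory. This commit adds security/CVE-2018-16860.html, so suggest naming or linking it in the release notes, here and in the 4.10.3 and 4.8.12 pages. An administrator deciding between upgrading and relying on the mitigation then reaches the "Workaround and Mitigation" section directly.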
diff --git a/history/security.html b/history/security.html
index 8a422f5..8a78b35 100755
--- a/history/security.html
+++ b/history/security.html
@@ -21,6 +21,24 @@ link to full release notes for each release.</p>
<td><em>Details</em></td>
</tr>
+ <tr>
+ <td>14 May 2019</td>
+ <td><a href="/samba/ftp/patches/security/samba-4.10.2-security-2019-05-14.patch">
+ patch for Samba 4.10.2</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.9.7-security-2019-05-14.patch">
+ patch for Samba 4.9.7</a><br />
+ <a href="/samba/ftp/patches/security/samba-4.8.11-security-2019-05-14.patch">
+ patch for Samba 4.8.11</a><br />
+ </td>
+ <td>CVE-2018-16860. Please see the announcements for details.
+ </td>
+ <td>All versions of Samba prior to 4.10.3, 4.9.8, 4.8.12.</td>
+ <td><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16860">CVE-2018-16860</a>
+ </td>
+ <td><a href="/samba/security/CVE-2018-16860.html">Announcement</a>
+ </td>
+ </tr>
+
<tr>
<td>08 Apr 2019</td>
<td><a href="/samba/ftp/patches/security/samba-4.10.1-security-2019-04-08.patch">
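Review bot: The affected-versions cell reads "All versions of Samba prior to 4.10.3, 4.9.8, 4.8.12.", while the advisory added in this commit scopes the issue as "All Samba versions since Samba 4.0". Suggest aligning the two, for example "Samba 4.0 and later, prior to 4.10.3, 4.9.8 and 4.8.12", so the table does not overstate the range. Minor: the last patch link ends with a `<br />` immediately before `</td>`, which can be dropped.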
diff --git a/posted_news/20190510-082106.4.10.3.body.html b/posted_news/20190510-082106.4.10.3.body.html
new file mode 100644
index 0000000..9861ae1
--- /dev/null
+++ b/posted_news/20190510-082106.4.10.3.body.html
@@ -0,0 +1,23 @@
+<!-- BEGIN: posted_news/20190510-082106.4.10.3.body.html -->
+<h5><a name="4.10.3">14 May 2019</a></h5>
+<p class=headline>Samba 4.10.3, 4.9.8 and 4.8.12 Security Releases Available</p>
+<p>
+These are security releases in order to address
+<a href="/samba/security/CVE-2018-16860.html">CVE-2018-16860</a>
+(Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum).
+</p>
+<p>
+The uncompressed tarballs have been signed using GnuPG (ID 6F33915B6568B7EA).
+The 4.10.3 source code can be <a
+href="https://download.samba.org/pub/samba/stable/samba-4.10.3.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.10.2-4.10.3.diffs.gz">patch against Samba 4.10.2</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.10.3.html">the release notes for more info</a>.
+The 4.9.8 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.9.8.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.9.7-4.9.8.diffs.gz">patch against Samba 4.9.7</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.9.8.html">the release notes for more info</a>.
+The 4.8.12 source code can be <a href="https://download.samba.org/pub/samba/stable/samba-4.8.12.tar.gz">downloaded now</a>.
+A <a href="https://download.samba.org/pub/samba/patches/samba-4.8.11-4.8.12.diffs.gz">patch
+against Samba 4.8.11</a> is also available.
+See <a href="https://www.samba.org/samba/history/samba-4.8.12.html">the release notes for more info</a>.
+</p>
+<!-- END: posted_news/20190510-082106.4.10.3.body.html -->
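Review bot: The signing key is identified only by the 64-bit key ID 6F33915B6568B7EA, and the body links the .tar.gz files while stating that the uncompressed tarballs are what is signed, with no link to the signature files. For a security release, suggest giving the full key fingerprint, linking the .tar.asc signatures as the release-notes pages do, and saying that the archive must be gunzipped before verification. Minor: `class=headline` is unquoted, and the three download/patch/release-notes groups would read better as separate paragraphs or a list.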
diff --git a/posted_news/20190510-082106.4.10.3.headline.html b/posted_news/20190510-082106.4.10.3.headline.html
new file mode 100644
index 0000000..7d9dbfd
--- /dev/null
+++ b/posted_news/20190510-082106.4.10.3.headline.html
@@ -0,0 +1,4 @@
+<!-- BEGIN: posted_news/20190510-082106.4.10.3.headline.html -->
+<li> 14 May 2019 <a href="#4.10.3">Samba 4.10.3, 4.9.7 and 4.8.12 Security
+Releases Available</a></li>
+<!-- END: posted_news/20190510-082106.4.10.3.headline.html -->
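Review bot: The headline text lists the wrong 4.9 release: "Samba 4.10.3, 4.9.7 and 4.8.12 Security Releases Available" should say 4.9.8. The commit subject, the body headline in posted_news/20190510-082106.4.10.3.body.html and the new history/samba-4.9.8.html all say 4.9.8, and 4.9.7 is the vulnerable version the patch is made against. As written, the news index points administrators at an unfixed release.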
diff --git a/security/CVE-2018-16860.html b/security/CVE-2018-16860.html
new file mode 100644
index 0000000..80c21b9
--- /dev/null
+++ b/security/CVE-2018-16860.html
@@ -0,0 +1,165 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+ <H2>CVE-2018-16860.html
+
+<p>
+<pre>
+===========================================================
+== Subject: Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum
+==
+== CVE ID#: CVE-2018-16860
+==
+== Versions: All Samba versions since Samba 4.0
+== All releases of Heimdal from 0.8 including 7.5.0
+== and any products that ship a KDC derived from one of
+== those Heimdal releases.
+==
+== Summary: The checksum validation in the S4U2Self handler in
+== the embedded Heimdal KDC did not first confirm that the
+== checksum was keyed, allowing replacement of the
+== requested target (client) principal.
+===========================================================
+
+===========
+Description
+===========
+
+S4U2Self is an extension to Kerberos used in Active Directory to allow
+a service to request a kerberos ticket to itself from the Kerberos Key
+Distribution Center (KDC) for a non-Kerberos authenticated user
+(principal in Kerboros parlance). This is useful to allow internal
+code paths to be standardized around Kerberos.
+
+S4U2Proxy (constrained-delegation) is an extension of this mechanism
+allowing this impersonation to a second service over the network. It
+allows a privileged server that obtained a S4U2Self ticket to itself
+to then assert the identity of that principal to a second service and
+present itself as that principal to get services from the second
+service.
+
+There is a flaw in Samba's AD DC in the Heimdal KDC. When the Heimdal
+KDC checks the checksum that is placed on the S4U2Self packet by the
+server to protect the requested principal against modification, it
+does not confirm that the checksum algorithm that protects the user
+name (principal) in the request is keyed. This allows a
+man-in-the-middle attacker who can intercept the request to the KDC to
+modify the packet by replacing the user name (principal) in the
+request with any desired user name (principal) that exists in the KDC
+and replace the checksum protecting that name with a CRC32 checksum
+(which requires no prior knowledge to compute).
+
+This would allow a S4U2Self ticket requested on behalf of user name
+(principal) user at EXAMPLE.COM to any service to be changed to a
+S4U2Self ticket with a user name (principal) of
+Administrator at EXAMPLE.COM. This ticket would then contain the PAC of
+the modified user name (principal).
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+ http://www.samba.org/samba/security/
+
+Additionally, Samba 4.8.12, 4.9.8 and 4.10.3 have been issued
+as security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
+
+=========================
+Workaround and Mitigation
+=========================
+
+If server does not take privileged actions based on Kerberos tickets
+obtained by S4U2Self nor obtains Kerberos tickets via further
+S4U2Proxy requests then this issue cannot be exploited.
+
+Note that the path to an exploit is not generic, the KDC is not harmed
+by the malicious checksum, it is the client service requesting the
+ticket being mislead, because it trusted the KDC to return the correct
+ticket and PAC.
+
+It is out of scope for Samba to describe all of the possible tool
+chains that might be vulnerable. Here are two examples of possible
+exploits in order to explain the issue more clearly.
+
+1). SFU2Self might be used by a web service authenticating an end user
+via OAuth, Shibboleth, or other protocols to obtain a S4U2Self
+Kerberos service ticket for use by any Kerberos service principal the
+web service has a keytab for. One example is acquiring an AFS token
+by requesting an afs/cell at REALM service ticket for a client via
+SFU2Self. With this exploit an organization that deploys a KDC built
+from Heimdal (be it Heimdal directly or vendor versions such as found
+in Samba) is vulnerable to privilege escalation attacks.
+
+2). If a server authenticates users using X509 certificates, and then
+uses S4U2Self to obtain a Kerberos service ticket on behalf of the
+user (principal) in order to authorize access to local resources, a
+man-in-the-middle attacker could allow a non-privilaged user to access
+privilaged resources being protected by the server, or privilaged
+resources being protected by a second server, if the first server uses
+the S4U2Proxy extension in order to get a new Kerberos service ticket
+to obtain access to the second server.
+
+In both these scenarios under conditions allowing man-in-the-middle
+active network protocol manipulation, a malicious user could
+authenticate using the non-Kerborized credentials of an unprivileged
+user, and then elevate its privileges by intercepting the packet from
+the server to the KDC and changing the requested user name (principal).
+
+The only Samba clients that use S4U2Self are:
+
+- the "net ads kerberos pac dump" (debugging) tool.
+
+- the CIFS proxy in the deprecated/developer-only NTVFS file
+server. Note this code is not compiled or enabled by default.
+
+In particular, winbindd does *not* use S4U2Self.
+
+Finally, MIT Kerberos and so therefore the experimental MIT KDC backend
+for Samba AD is understood not to be impacted.
+
+===============
+Further Reading
+===============
+
+There is more detail on and a description of the protocols in
+
+[MS-SFU]: Kerberos Protocol Extensions: Service for User and Constrained Delegation Protocol
+https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-sfu/
+
+=======
+Credits
+=======
+
+Originally reported by Isaac Boukris and Andrew Bartlett of the Samba
+Team and Catalyst.
+
+Patches provided by Isaac Boukris.
+
+Advisory written by Andrew Bartlett of the Samba Team and Catalyst,
+with contributions from Isaac Boukris, Jeffrey Altman and Jeremy
+Allison.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
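Review bot: The `<H2>CVE-2018-16860.html` heading near the top of the new file is never closed, and its text is the file name, not a title. Suggest something like `<H2>CVE-2018-16860</H2>` and, as in the release-notes pages, not wrapping the `<pre>` in an unclosed `<p>`. Several wording points in the advisory body are also worth fixing before publication: "Patches addressing both these issues" although only one CVE is described; "SFU2Self" (twice in example 1) where the rest of the text uses S4U2Self; "Kerboros", "non-Kerborized", "non-privilaged"/"privilaged" and "being mislead"; and "If server does not take" is missing an article. The patch location is given as http://www.samba.org/samba/security/, and an https:// URL would be preferable for a page that directs readers to security patches.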
--
Samba Website Repository