[SCM] Samba Website Repository - branch master updated

Karolin Seeger kseeger at samba.org
Thu Oct 29 09:09:02 UTC 2020


The branch, master has been updated
       via  ac716e5 Add security advisories.
      from  b287bdd Updated security page.

https://git.samba.org/?p=samba-web.git;a=shortlog;h=master


- Log -----------------------------------------------------------------
commit ac716e5166ee8bb03995323d764b1332d1946be0
Author: Karolin Seeger <kseeger at samba.org>
Date:   Thu Oct 29 10:08:44 2020 +0100

    Add security advisories.
    
    Signed-off-by: Karolin Seeger <kseeger at samba.org>

-----------------------------------------------------------------------

Summary of changes:
 security/CVE-2020-14318.html | 110 +++++++++++++++++++++++++++++++++++++++++++
 security/CVE-2020-14323.html |  94 ++++++++++++++++++++++++++++++++++++
 security/CVE-2020-14383.html |  86 +++++++++++++++++++++++++++++++++
 3 files changed, 290 insertions(+)
 create mode 100644 security/CVE-2020-14318.html
 create mode 100644 security/CVE-2020-14323.html
 create mode 100644 security/CVE-2020-14383.html


Changeset truncated at 500 lines:

diff --git a/security/CVE-2020-14318.html b/security/CVE-2020-14318.html
new file mode 100644
index 0000000..b9a96f2
--- /dev/null
+++ b/security/CVE-2020-14318.html
@@ -0,0 +1,110 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2020-14318.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     Missing handle permissions check in SMB1/2/3
+==              ChangeNotify.
+== 
+== CVE ID#:     CVE-2020-14318
+==              
+==
+== Versions:    All versions of Samba since Samba 3.6.0
+==
+== Summary:     Systems where Windows ACL permissions are
+==              more restrictive than native filesystem
+==              permissions can be made to leak file name
+==              information to unprivileged accounts.
+===========================================================
+
+===========
+Description
+===========
+
+The SMB1/2/3 protocols have a concept of "ChangeNotify", where a
+client can request file name notification on a directory handle when a
+condition such as "new file creation" or "file size change" or "file
+timestamp update" occurs.
+
+A missing permissions check on a directory handle requesting
+ChangeNotify meant that a client with a directory handle open only for
+FILE_READ_ATTRIBUTES (minimal access rights) could be used to obtain
+change notify replies from the server. These replies contain
+information that should not be available to directory handles open for
+FILE_READ_ATTRIBUTE only.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued as
+security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon as
+possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/RL:O/RC:C/CR:L/MAV:A/MAC:L/MPR:L/MUI:N/MS:U/MC:L/MI:N/MA:N
+
+base score of 4.3 - medium.
+
+=================================
+Workaround and mitigating factors
+=================================
+
+As Samba internally opens an underlying file system handle on a
+directory when a client requests an open, even for
+FILE_READ_ATTRIBUTES then if the underlying file system permissions
+don't allow "r" (read) access for the connected user, then the handle
+open request will be denied.
+
+"r" access is the normal permission needed to list or otherwise reveal
+the contents of a directory, so if a connected user has "r" access
+then they will be able to list the directory contents normally, and
+the information received by a ChangeNofity request is already
+available to the user.
+
+The security issue occurs if the Administrator or directory owner had
+set more restrictive Windows ACL permissions on the directory to
+disallow read access to the user, and this permissions change was not
+reflected in the underlying file system permissions.
+
+This will only occur if Samba is configured with VFS modules to
+decouple the underlying file system permissions from the Windows ACLs,
+by setting up a share with the settings:
+
+[vulnerable_share]
+        vfs_objects = vfs_acl_xattr
+        acl_xattr:ignore system acls = yes
+
+=======
+Credits
+=======
+
+Reported by Steven French of Microsoft and the Samba Team.
+Advisory written by Jeremy Allison of Google and the Samba Team.
+Patches provided by Jeremy Allison of Google and the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
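Review bot: the heading '<H2>CVE-2020-14318.html' on the third line of the body is never closed, and the '<p>' that precedes '<pre>' is left open as well, which is not valid for the XHTML 1.0 Transitional doctype this file declares; close it as '<H2>CVE-2020-14318.html</H2>' and either close or drop the '<p>'. In "Patch Availability", "Patches addressing both these issues" reads as leftover template text, since this advisory describes a single issue. In the description, the same access right is written both as FILE_READ_ATTRIBUTES and as FILE_READ_ATTRIBUTE; use one spelling. "ChangeNofity" in the mitigating-factors section is a typo for "ChangeNotify". The [vulnerable_share] example uses 'vfs_objects = vfs_acl_xattr', but the smb.conf parameter is spelled 'vfs objects' and the module is loaded by its short name 'acl_xattr' (vfs_acl_xattr is the name of its manual page); an administrator searching their configuration for the affected setting should be looking for 'vfs objects = acl_xattr' together with 'acl_xattr:ignore system acls = yes', so the example should use that form.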
diff --git a/security/CVE-2020-14323.html b/security/CVE-2020-14323.html
new file mode 100644
index 0000000..c14759f
--- /dev/null
+++ b/security/CVE-2020-14323.html
@@ -0,0 +1,94 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2020-14323.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     Unprivileged user can crash winbind
+== 
+== GitHub Security Lab (GHSL) Vulnerability Report: 'GHSL-2020-134'
+==
+== CVE ID#:     CVE-2020-14323
+==              
+==
+== Versions:    All versions of Samba since Samba 3.6.0
+==
+== Summary:     With a specially crafted winbind request
+==              sent over the non-privileged winbind pipe
+==              winbind can be made to dereference a NULL
+==              pointer
+===========================================================
+
+===========
+Description
+===========
+
+winbind in version 3.6 and later implements a request to
+translate multiple Windows SIDs into names in one request. This
+was done for performance reasons: Active Directory domain
+controllers can do multiple SID to name translations in one RPC
+call. It was an obvious extension to also offer this batch
+operation on the winbind unix domain stream socket that is
+available to local processes on the Samba server to reduce
+network round-trips to the domain controller.
+
+Due to improper input validation a hand-crafted packet can make
+winbind perform a NULL pointer dereference and thus crash.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued as
+security releases to correct the defect. Samba administrators are
+advised to upgrade to these releases or apply the patch as soon as
+possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSS 3.1: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (5.0)
+
+=================================
+Workaround and mitigating factors
+=================================
+
+Any user with local shell access to the machine running winbind can
+issue the winbind socket request. The only workaround is to disable
+shell access to exposed machines.
+
+Typical file servers don't offer full local access, they are not
+affected.
+
+=======
+Credits
+=======
+
+Originally reported by Bas Alberts of the GitHub Security Lab Team as
+GHSL-2020-134.
+
+Advisory written by Volker Lendecke of SerNet and the Samba Team.
+
+Patches provided by Volker Lendecke of SerNet and the Samba Team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
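Review bot: '<H2>CVE-2020-14323.html' is not closed and the '<p>' before '<pre>' is left open, as in the other two advisories; close the heading. "Patches addressing both these issues" in "Patch Availability" does not match this single-issue advisory. In "Workaround and mitigating factors", "Typical file servers don't offer full local access, they are not affected." is a comma splice; suggest "Typical file servers don't offer full local access, so they are not affected." The CVSS line ('CVSS 3.1: AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H (5.0)') is formatted differently from the CVE-2020-14318 advisory, which gives a full 'CVSS:3.1/...' vector string; using the same vector form in all three files keeps the score machine-readable for anyone scraping the archive.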
diff --git a/security/CVE-2020-14383.html b/security/CVE-2020-14383.html
new file mode 100644
index 0000000..9ee0a80
--- /dev/null
+++ b/security/CVE-2020-14383.html
@@ -0,0 +1,86 @@
+<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html xmlns="http://www.w3.org/1999/xhtml">
+
+<head>
+<title>Samba - Security Announcement Archive</title>
+</head>
+
+<body>
+
+   <H2>CVE-2020-14383.html
+
+<p>
+<pre>
+===========================================================
+== Subject:     An authenticated user can crash the DCE/RPC DNS with
+==              easily crafted records
+==
+== CVE ID#:     CVE-2020-14383
+==
+== Versions:    Samba 4.0 and later
+==
+== Summary:     An authenticated non-admin user can crash the
+==              DNS server by adding invalid records.
+===========================================================
+
+===========
+Description
+===========
+
+Some DNS records (such as MX and NS records) usually contain data in
+the additional section. Samba's dnsserver RPC pipe (which is an
+administrative interface not used in the DNS server itself) made an
+error in handling the case where there are no records present: instead
+of noticing the lack of records, it dereferenced uninitialised memory,
+causing the RPC server to crash. This RPC server, which also serves
+protocols other than dnsserver, will be restarted after a short delay,
+but it is easy for an authenticated non-admin attacker to crash it
+again as soon as it returns. The Samba DNS server itself will continue
+to operate, but many RPC services will not.
+
+==================
+Patch Availability
+==================
+
+Patches addressing both these issues have been posted to:
+
+    https://www.samba.org/samba/security/
+
+Additionally, Samba 4.11.15, 4.12.9 and 4.13.1 have been issued
+as security releases to correct the defect.  Samba administrators are
+advised to upgrade to these releases or apply the patch as soon
+as possible.
+
+==================
+CVSSv3 calculation
+==================
+
+CVSSv3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
+
+==========
+Workaround
+==========
+
+The dnsserver task can be stopped by setting
+
+ 'dcerpc endpoint servers = -dnsserver'
+
+in the smb.conf and restarting Samba.
+
+=======
+Credits
+=======
+
+Originally reported by Francis Brosnan Blázquez of ASPL.es in 2017.
+
+Patches first provided for Samba 4.6 by Francis Brosnan Blázquez, and
+adapted for modern Samba by Douglas Bagnall of the Samba team.
+
+==========================================================
+== Our Code, Our Bugs, Our Responsibility.
+== The Samba Team
+==========================================================
+</pre>
+</body>
+</html>
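Review bot: the '<H2>CVE-2020-14383.html' heading is unclosed and the '<p>' before '<pre>' is never closed; close the heading. "Patches addressing both these issues" again does not match a single-issue advisory, and there is a doubled space in "defect.  Samba". In "Workaround", the smb.conf line is shown wrapped in single quotes (''dcerpc endpoint servers = -dnsserver''), which a reader may paste literally; show it unquoted on its own line, as the share example in the CVE-2020-14318 advisory does. Since the description notes that the same RPC server also serves protocols other than dnsserver, it would help to state in the workaround that the '-dnsserver' form only removes that one endpoint from the default list, so the other DCE/RPC services keep running while the DNS server itself is unaffected. The "Credits" section has no "Advisory written by" line, unlike the other two files; add one if applicable.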


-- 
Samba Website Repository


