samba_CVE-2018-1057_helper on older releases
Andrew Bartlett
abartlet at samba.org
Tue Mar 13 17:35:33 UTC 2018
On Tue, 2018-03-13 at 17:17 +0100, Denis Cardon via samba-technical
wrote:
> Hi everyone,
>
> > Release Announcements
> > ---------------------
> >
> > These are security release in order to address the following defects:
> >
> > o CVE-2018-1050 (Denial of Service Attack on external print server.)
> > o CVE-2018-1057 (Authenticated users can change other users' password.)
> >
> >
> > =======
> > Details
> > =======
> >
> > o CVE-2018-1050:
> > All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
> > service attack when the RPC spoolss service is configured to be run as
> > an external daemon. Missing input sanitization checks on some of the
> > input parameters to spoolss RPC calls could cause the print spooler
> > service to crash.
> >
> > There is no known vulnerability associated with this error, merely a
> > denial of service. If the RPC spoolss service is left by default as an
> > internal service, all a client can do is crash its own authenticated
> > connection.
> >
> > o CVE-2018-1057:
> > On a Samba 4 AD DC the LDAP server in all versions of Samba from
> > 4.0.0 onwards incorrectly validates permissions to modify passwords
> > over LDAP allowing authenticated users to change any other users'
> > passwords, including administrative users.
> >
> > Possible workarounds are described at a dedicated page in the Samba wiki:
> > https://wiki.samba.org/index.php/CVE-2018-1057
>
> it seems that there is a bug in the samba_CVE-2018-1057_helper
> mitigation script for 4.6 and below. It works fine on 4.7 though.
>
> It call modify_sd_on_dn() in sd_utils.py with an ldb.DN object (which is
> ok in 4.7), but in 4.6 this function only accepts DN strings.
>
> Adding the support of ldb.DN in modify_sd_on_dn() does the trick (by
> backporting the "if instance()" check of 4.7.
>
> I'll take a look at patching the mitigation helper, which would make
> more sense.
Yes, that probably makes more sense. A simple str() around the DN
parameter is probably the lest disruptive workaround for the older
versions.
> By the way, thanks for the nice applying patches, we have had more than
> 200 DC updates on three dozen domains to latest 4.7.6 without any
> glitches! Now we have to deal with the domains that we cannot upgrade
> readily, so we have to get that mitigation script going :-)
That's why I wrote it :-)
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
More information about the samba-technical
mailing list