samba_CVE-2018-1057_helper on older releases

Andrew Bartlett abartlet at samba.org
Tue Mar 13 17:35:33 UTC 2018


On Tue, 2018-03-13 at 17:17 +0100, Denis Cardon via samba-technical
wrote:
> Hi everyone,
> 
> > Release Announcements
> > ---------------------
> > 
> > These are security release in order to address the following defects:
> > 
> > o  CVE-2018-1050 (Denial of Service Attack on external print server.)
> > o  CVE-2018-1057 (Authenticated users can change other users' password.)
> > 
> > 
> > =======
> > Details
> > =======
> > 
> > o  CVE-2018-1050:
> >    All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
> >    service attack when the RPC spoolss service is configured to be run as
> >    an external daemon. Missing input sanitization checks on some of the
> >    input parameters to spoolss RPC calls could cause the print spooler
> >    service to crash.
> > 
> >    There is no known vulnerability associated with this error, merely a
> >    denial of service. If the RPC spoolss service is left by default as an
> >    internal service, all a client can do is crash its own authenticated
> >    connection.
> > 
> > o  CVE-2018-1057:
> >    On a Samba 4 AD DC the LDAP server in all versions of Samba from
> >    4.0.0 onwards incorrectly validates permissions to modify passwords
> >    over LDAP allowing authenticated users to change any other users'
> >    passwords, including administrative users.
> > 
> >    Possible workarounds are described at a dedicated page in the Samba wiki:
> >    https://wiki.samba.org/index.php/CVE-2018-1057
> 
> it seems that there is a bug in the samba_CVE-2018-1057_helper 
> mitigation script for 4.6 and below. It works fine on 4.7 though.
> 
> It calls modify_sd_on_dn() in sd_utils.py with an ldb.DN object (which is 
> ok in 4.7), but in 4.6 this function only accepts DN strings.
> 
> Adding the support of ldb.DN in modify_sd_on_dn() does the trick (by 
> backporting the "isinstance()" check of 4.7).
> 
> I'll take a look at patching the mitigation helper, which would make 
> more sense.

Yes, that probably makes more sense.  A simple str() around the DN
parameter is probably the least disruptive workaround for the older
versions.

> By the way, thanks for the nice applying patches, we have had more than 
> 200 DC updates on three dozen domains to latest 4.7.6 without any 
> glitches! Now we have to deal with the domains that we cannot upgrade 
> readily, so we have to get that mitigation script going :-)

That's why I wrote it :-)

Andrew Bartlett

-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba