samba_CVE-2018-1057_helper on older releases

Denis Cardon dcardon at tranquil.it
Tue Mar 13 19:36:30 UTC 2018


Hi Andrew,
>>
>>> Release Announcements
>>> ---------------------
>>>
>>> These are security releases in order to address the following defects:
>>>
>>> o  CVE-2018-1050 (Denial of Service Attack on external print server.)
>>> o  CVE-2018-1057 (Authenticated users can change other users' password.)
>>>
>>>
>>> =======
>>> Details
>>> =======
>>>
>>> o  CVE-2018-1050:
>>>    All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
>>>    service attack when the RPC spoolss service is configured to be run as
>>>    an external daemon. Missing input sanitization checks on some of the
>>>    input parameters to spoolss RPC calls could cause the print spooler
>>>    service to crash.
>>>
>>>    There is no known vulnerability associated with this error, merely a
>>>    denial of service. If the RPC spoolss service is left by default as an
>>>    internal service, all a client can do is crash its own authenticated
>>>    connection.
>>>
>>> o  CVE-2018-1057:
>>>    On a Samba 4 AD DC the LDAP server in all versions of Samba from
>>>    4.0.0 onwards incorrectly validates permissions to modify passwords
>>>    over LDAP allowing authenticated users to change any other users'
>>>    passwords, including administrative users.
>>>
>>>    Possible workarounds are described at a dedicated page in the Samba wiki:
>>>    https://wiki.samba.org/index.php/CVE-2018-1057
>>
>> it seems that there is a bug in the samba_CVE-2018-1057_helper
>> mitigation script for 4.6 and below. It works fine on 4.7 though.
>>
>> It calls modify_sd_on_dn() in sd_utils.py with an ldb.DN object (which is
>> ok in 4.7), but in 4.6 this function only accepts DN strings.
>>
>> Adding support for ldb.DN in modify_sd_on_dn() does the trick (by
>> backporting the isinstance() check of 4.7).
>>
>> I'll take a look at patching the mitigation helper, which would make
>> more sense.
>
> Yes, that probably makes more sense.  A simple str() around the DN
> parameter is probably the least disruptive workaround for the older
> versions.

Yes, a simple str() does the trick.

Would it be possible to update the script (with corresponding hash) on 
the official wiki? That way I could forward there those picky security 
officers who are wondering why I send them a different script than the 
official one.

And actually all the sites that I couldn't migrate to latest version are 
all 4.6 and below...

>> By the way, thanks for the nice applying patches, we have had more than
>> 200 DC updates on three dozen domains to latest 4.7.6 without any
>> glitches! Now we have to deal with the domains that we cannot upgrade
>> readily, so we have to get that mitigation script going :-)
>
> That's why I wrote it :-)

Still a few sites to go, but almost finished :-)

Cheers,

Denis


>
> Andrew Bartlett
>

-- 
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it

Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
