[Samba] [Announce] Samba 4.19.3 Available for Download
Ray Klassen
ray.klassen at icloud.com
Mon Nov 27 20:05:19 UTC 2023
On Mon, 2023-11-27 at 13:27 +0100, Jule Anger via samba wrote:
> Release Announcements
> ---------------------
>
> This is the latest stable release of the Samba 4.19 release series.
> It contains the security-relevant bug CVE-2018-14628:
>
> Wrong ntSecurityDescriptor values for "CN=Deleted Objects"
> allow read of object tombstones over LDAP
> (Administrator action required!)
> https://www.samba.org/samba/security/CVE-2018-14628.html
>
>
> Description of CVE-2018-14628
> -----------------------------
>
> All versions of Samba from 4.0.0 onwards are vulnerable to an
> information leak (compared with the established behaviour of
> Microsoft's Active Directory) when Samba is an Active Directory
> Domain Controller.
>
> When a domain was provisioned with an unpatched Samba version,
> the ntSecurityDescriptor is simply inherited from the
> Domain/Partition-HEAD-Object instead of being very strict
> (as on a Windows provisioned domain).
>
> This means that also non-privileged users can use the
> LDAP_SERVER_SHOW_DELETED_OID control in order to view
> the names and preserved attributes of deleted objects.
>
> No information that was hidden before the deletion is visible, but
> with the correct ntSecurityDescriptor value in place the whole object
> is also not visible without administrative rights.
>
> There is no further vulnerability associated with this error, merely
> an information disclosure.
>
> Action required in order to resolve CVE-2018-14628!
> ---------------------------------------------------
>
> The patched Samba does NOT protect existing domains!
>
> The administrator needs to run the following command
> (on only one domain controller)
> in order to apply the protection to an existing domain:
>
> samba-tool dbcheck --cross-ncs --attrs=nTSecurityDescriptor --fix
>
> The above requires manual interaction in order to review the
> changes before they are applied. Typical questions look like this:
>
> Reset nTSecurityDescriptor on CN=Deleted Objects,DC=samba,DC=org
> back to provision default?
> Owner mismatch: SY (in ref) DA(in current)
> Group mismatch: SY (in ref) DA(in current)
> Part dacl is different between reference and current here is
> the detail:
> (A;;LCRPLORC;;;AU) ACE is not present in the reference
> (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY) ACE is not present in the reference
> (A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA) ACE is not present in the reference
> (A;;CCDCLCSWRPWPSDRCWDWO;;;SY) ACE is not present in the current
> (A;;LCRP;;;BA) ACE is not present in the current
> [y/N/all/none] y
> Fixed attribute 'nTSecurityDescriptor' of 'CN=Deleted Objects,DC=samba,DC=org'
>
> The change should be confirmed with 'y' for all objects starting with
> 'CN=Deleted Objects'.
>
>
> Changes since 4.19.2
> --------------------
>
> o Douglas Bagnall <douglas.bagnall at catalyst.net.nz>
> * BUG 15520: sid_strings test broken by unix epoch > 1700000000.
>
> o Ralph Boehme <slow at samba.org>
> * BUG 15487: smbd crashes if asked to return full information on close of a
> stream handle with delete on close disposition set.
> * BUG 15521: smbd: fix close order of base_fsp and stream_fsp in
> smb_fname_fsp_destructor().
>
> o Pavel Filipenský <pfilipensky at samba.org>
> * BUG 15499: Improve logging for failover scenarios.
>
> o Björn Jacke <bj at sernet.de>
> * BUG 15093: Files without "read attributes" NFS4 ACL permission are not
> listed in directories.
>
> o Stefan Metzmacher <metze at samba.org>
> * BUG 13595: CVE-2018-14628 [SECURITY] Deleted Object tombstones visible in
> AD LDAP to normal users.
> * BUG 15492: Kerberos TGS-REQ with User2User does not work for normal
> accounts.
>
> o Christof Schmitt <cs at samba.org>
> * BUG 15507: vfs_gpfs stat calls fail due to file system permissions.
>
> o Andreas Schneider <asn at samba.org>
> * BUG 15513: Samba doesn't build with Python 3.12.
>
>
> #######################################
> Reporting bugs & Development Discussion
> #######################################
>
> Please discuss this release on the samba-technical mailing list or by
> joining the #samba-technical:matrix.org matrix room, or
> #samba-technical IRC channel on irc.libera.chat.
>
> If you do report problems then please try to send high quality
> feedback. If you don't provide vital information to help us track down
> the problem then you will probably be ignored. All bug reports should
> be filed under the Samba 4.1 and newer product in the project's Bugzilla
> database (https://bugzilla.samba.org/).
>
>
> ======================================================================
> == Our Code, Our Bugs, Our Responsibility.
> == The Samba Team
> ======================================================================
>
>
>
> ================
> Download Details
> ================
>
> The uncompressed tarballs and patch files have been signed
> using GnuPG (ID AA99442FB680B620). The source code can be downloaded
> from:
>
> https://download.samba.org/pub/samba/stable/
>
> The release notes are available online at:
>
> https://www.samba.org/samba/history/samba-4.19.3.html
>
> Our Code, Our Bugs, Our Responsibility.
> (https://bugzilla.samba.org/)
>
> --Enjoy
> The Samba Team
>
>
Actually the usual
samba-tool dbcheck --cross-ncs --fix --yes
which I run after every upgrade on every DC
per https://wiki.samba.org/index.php/Dbcheck
found and fixed the permissions in question on the first DC and (as it
says above) the error did not reappear on the other one.
Just in case I ran the dbcheck with --attrs=nTSecurityDescriptor again
as posted and it didn't find anything.
FWIW
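The dbcheck prompt quoted in the announcement shows the whole problem in SDDL form: the unpatched provision carries an allow ACE for Authenticated Users (AU) with list/read rights (LC, RP, LO, RC) on CN=Deleted Objects, while the Windows reference grants read only to Builtin Administrators (BA) and full control to SYSTEM (SY). The following is an added example, not Samba code and not part of the announcement or Ray's reply. It parses the simple ACE syntax seen in that output (no object-GUID fields, conditional ACEs or hex rights masks), flags any read right handed to a broad principal, and reproduces the two halves of the dbcheck diff. The two descriptors used as input are constructed from the ACEs quoted above on the assumption that the diff listed every ACE, i.e. that the reference and current DACLs share no further entries; the owner and group values come from the quoted "Owner mismatch"/"Group mismatch" lines.

```python
"""Audit an AD security descriptor (SDDL) for the CVE-2018-14628 condition.

Added example for the Samba 4.19.3 announcement; not Samba's own code.
Only the ACE syntax seen in the quoted dbcheck output is supported.
"""
import re

# Standard SDDL access-right codes that let a principal read or enumerate
# an object. GR/GA are generic rights that include the specific ones.
READ_RIGHTS = {"LC", "RP", "LO", "RC", "GR", "GA"}

# Well-known SDDL trustee aliases. Anything in BROAD is held by every
# ordinary account, so a read ACE for it is the leak the advisory describes.
BROAD = {"AU": "Authenticated Users", "WD": "Everyone",
         "BU": "Builtin Users", "DU": "Domain Users", "AN": "Anonymous"}
ADMIN = {"SY": "Local System", "DA": "Domain Admins",
         "BA": "Builtin Administrators", "EA": "Enterprise Admins"}

# One ACE of the form (type;flags;rights;;;trustee) as printed by dbcheck.
ACE_RE = re.compile(
    r"\((?P<type>[A-Z]+);(?P<flags>[A-Z]*);(?P<rights>[A-Z]*);;;"
    r"(?P<trustee>[A-Z]{2}|S-[0-9-]+)\)")

# Constructed from the ACEs quoted in the announcement (assumed complete).
CURRENT_SD = ("O:DAG:DAD:(A;;LCRPLORC;;;AU)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;SY)"
              "(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;DA)")
REFERENCE_SD = "O:SYG:SYD:(A;;CCDCLCSWRPWPSDRCWDWO;;;SY)(A;;LCRP;;;BA)"


def parse_ace(ace: str) -> dict:
    """Split one ACE into its type, flags, 2-letter right codes and trustee."""
    m = ACE_RE.fullmatch(ace.strip())
    if m is None:
        raise ValueError(f"unsupported ACE syntax: {ace!r}")
    rights = m["rights"]
    if len(rights) % 2:
        raise ValueError(f"odd-length rights field in {ace!r}")
    return {"type": m["type"], "flags": m["flags"],
            "rights": [rights[i:i + 2] for i in range(0, len(rights), 2)],
            "trustee": m["trustee"], "text": m.group(0)}


def parse_dacl(sddl: str) -> list:
    """Return the ACEs of the D: part; owner/group/SACL parts are ignored."""
    d = sddl.find("D:")
    body = sddl[d + 2:] if d >= 0 else sddl
    s = body.find("S:")               # stop before a trailing SACL
    if s >= 0:
        body = body[:s]
    start = body.find("(")            # skip DACL control flags such as AI or P
    if start < 0:
        return []
    return [parse_ace(a) for a in re.findall(r"\([^()]*\)", body[start:])]


def owner_group(sddl: str) -> tuple:
    """Return (owner, group) from the O: and G: parts, None where absent."""
    o = re.search(r"O:([A-Z]{2}|S-[0-9-]+)", sddl)
    g = re.search(r"G:([A-Z]{2}|S-[0-9-]+)", sddl)
    return (o.group(1) if o else None, g.group(1) if g else None)


def broad_read_aces(sddl: str) -> list:
    """Allow ACEs that grant any read/list right to a non-administrative trustee."""
    return [a for a in parse_dacl(sddl)
            if a["type"] == "A" and a["trustee"] in BROAD
            and READ_RIGHTS.intersection(a["rights"])]


def tombstones_readable_by_non_admins(sddl: str) -> bool:
    """True when ordinary accounts can list/read the object (the CVE condition)."""
    return bool(broad_read_aces(sddl))


def dacl_diff(reference: str, current: str) -> tuple:
    """Mimic dbcheck: (ACEs not in the reference, ACEs not in the current)."""
    ref = {a["text"] for a in parse_dacl(reference)}
    cur = {a["text"] for a in parse_dacl(current)}
    return (sorted(cur - ref), sorted(ref - cur))


if __name__ == "__main__":
    for name, sd in (("current", CURRENT_SD), ("reference", REFERENCE_SD)):
        leak = tombstones_readable_by_non_admins(sd)
        print(f"{name}: owner/group={owner_group(sd)} readable by non-admins={leak}")
        for a in broad_read_aces(sd):
            print(f"  offending ACE {a['text']}: {BROAD[a['trustee']]} gets {a['rights']}")
    extra, missing = dacl_diff(REFERENCE_SD, CURRENT_SD)
    print("not present in the reference:", extra)
    print("not present in the current:", missing)
```

Running the script on the constructed input reports the current descriptor as readable by non-admins because of `(A;;LCRPLORC;;;AU)` and the reference as not, and lists the same five ACE differences the dbcheck prompt shows. The same functions can be pointed at a descriptor exported from a live DC (for instance with `samba-tool` or an LDAP client that renders nTSecurityDescriptor as SDDL) to confirm the fix without re-running dbcheck in `--fix` mode.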