samba_CVE-2018-1057_helper on older releases
Denis Cardon
dcardon at tranquil.it
Tue Mar 13 19:36:30 UTC 2018
Hi Andrew,
>>
>>> Release Announcements
>>> ---------------------
>>>
>>> These are security releases in order to address the following defects:
>>>
>>> o CVE-2018-1050 (Denial of Service Attack on external print server.)
>>> o CVE-2018-1057 (Authenticated users can change other users' password.)
>>>
>>>
>>> =======
>>> Details
>>> =======
>>>
>>> o CVE-2018-1050:
>>> All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
>>> service attack when the RPC spoolss service is configured to be run as
>>> an external daemon. Missing input sanitization checks on some of the
>>> input parameters to spoolss RPC calls could cause the print spooler
>>> service to crash.
>>>
>>> There is no known vulnerability associated with this error, merely a
>>> denial of service. If the RPC spoolss service is left by default as an
>>> internal service, all a client can do is crash its own authenticated
>>> connection.
>>>
>>> o CVE-2018-1057:
>>> On a Samba 4 AD DC the LDAP server in all versions of Samba from
>>> 4.0.0 onwards incorrectly validates permissions to modify passwords
>>> over LDAP allowing authenticated users to change any other users'
>>> passwords, including administrative users.
>>>
>>> Possible workarounds are described at a dedicated page in the Samba wiki:
>>> https://wiki.samba.org/index.php/CVE-2018-1057
>>
>> it seems that there is a bug in the samba_CVE-2018-1057_helper
>> mitigation script for 4.6 and below. It works fine on 4.7 though.
>>
>> It calls modify_sd_on_dn() in sd_utils.py with an ldb.DN object (which is
>> ok in 4.7), but in 4.6 this function only accepts DN strings.
>>
>> Adding support for ldb.DN in modify_sd_on_dn() does the trick (by
>> backporting the "isinstance()" check from 4.7).
>>
>> I'll take a look at patching the mitigation helper, which would make
>> more sense.
>
> Yes, that probably makes more sense. A simple str() around the DN
> parameter is probably the least disruptive workaround for the older
> versions.
Yes, a simple str() does the trick.
Would it be possible to update the script (with the corresponding hash) on
the official wiki? That way I could forward there those picky security
officers who are wondering why I send them a different script than the
official one.
And actually, all the sites that I couldn't migrate to the latest version
are 4.6 and below...
>> By the way, thanks for the nicely applying patches, we have had more than
>> 200 DC updates on three dozen domains to latest 4.7.6 without any
>> glitches! Now we have to deal with the domains that we cannot upgrade
>> readily, so we have to get that mitigation script going :-)
>
> That's why I wrote it :-)
Still a few sites to go, but almost finished :-)
Cheers,
Denis
>
> Andrew Bartlett
>
--
Denis Cardon
Tranquil IT Systems
Les Espaces Jules Verne, bâtiment A
12 avenue Jules Verne
44230 Saint Sébastien sur Loire
tel : +33 (0) 2.40.97.57.55
http://www.tranquil.it
Samba install wiki for Frenchies : https://dev.tranquil.it
WAPT, software deployment made easy : https://wapt.fr
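The incompatibility discussed in this thread, as an added example that is not the samba_CVE-2018-1057_helper script nor Samba's own sd_utils.py. It models the 4.6-era modify_sd_on_dn(), which always rebuilds the DN with ldb.Dn(samdb, text) and therefore fails when the caller already hands it a Dn object, next to the 4.7-style isinstance() check and the str() wrapper at the call site. FakeDn, FakeSamDB and the SDDL placeholder are constructed stand-ins so the code runs without the Samba Python bindings; they are not the real classes and the placeholder is not the actual CVE-2018-1057 mitigation ACE.

```python
"""Why the mitigation helper breaks on Samba 4.6 and how the two fixes behave.

Constructed stand-ins only; nothing here imports Samba or python-ldb.
"""


class FakeDn:
    """Stand-in for ldb.Dn.

    Like the real constructor ldb.Dn(samdb, text), it only accepts a string
    for the DN text and raises TypeError for anything else.
    """

    def __init__(self, samdb, text):
        if not isinstance(text, str):
            raise TypeError(
                "Dn(): expected a string DN, got %s" % type(text).__name__
            )
        self.samdb = samdb
        self.text = text

    def __str__(self):
        return self.text


class FakeSamDB:
    """Stand-in for the SamDB connection; just records what was modified."""

    def __init__(self):
        self.modified = {}  # DN text -> security descriptor written

    def modify(self, dn, sd):
        self.modified[str(dn)] = sd


def modify_sd_on_dn_46(samdb, object_dn, sd):
    """4.6-style helper: assumes object_dn is a string and rebuilds the Dn."""
    dn = FakeDn(samdb, object_dn)  # TypeError if object_dn is already a Dn
    samdb.modify(dn, sd)


def modify_sd_on_dn_47(samdb, object_dn, sd):
    """4.7-style helper: the isinstance() check the thread proposes backporting.

    In Samba the check is against ldb.Dn; here it is against the stand-in.
    """
    if isinstance(object_dn, FakeDn):
        dn = object_dn
    else:
        dn = FakeDn(samdb, object_dn)
    samdb.modify(dn, sd)


# Constructed placeholder, not the real mitigation ACE from the wiki page.
PLACEHOLDER_SD = "D:(constructed SDDL for the example)"


def apply_mitigation(samdb, helper, user_dn_text, wrap_with_str=False):
    """Mimic the helper script: it holds a Dn object per user and passes it on.

    wrap_with_str=True is the str() workaround suggested for older releases.
    Returns None on success, or the name of the exception class raised.
    """
    dn_obj = FakeDn(samdb, user_dn_text)
    arg = str(dn_obj) if wrap_with_str else dn_obj
    try:
        helper(samdb, arg, PLACEHOLDER_SD)
    except TypeError as exc:
        return type(exc).__name__
    return None


def demo(user_dn_text="CN=alice,CN=Users,DC=example,DC=com"):
    """Run the three combinations and report success/failure per case."""
    cases = [
        ("4.6, Dn object", modify_sd_on_dn_46, False),
        ("4.6, str(dn)", modify_sd_on_dn_46, True),
        ("4.7, Dn object", modify_sd_on_dn_47, False),
    ]
    results = {}
    for label, helper, wrap in cases:
        samdb = FakeSamDB()
        error = apply_mitigation(samdb, helper, user_dn_text, wrap)
        results[label] = (error, sorted(samdb.modified))
    return results


if __name__ == "__main__":
    for label, (error, touched) in demo().items():
        print("%-16s error=%-9s modified=%s" % (label, error, touched))
```

The only case that fails is the unmodified 4.6 helper given a Dn object; wrapping the argument in str() at the call site, or carrying the 4.7 check into sd_utils.py, both end up writing the descriptor on the same DN, which is why the thread treats the str() wrapper as the least disruptive change for hosts that cannot be upgraded.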