Project

General

Profile

Bug #59958

Fix multiple Samba CVEs

Added by Andrew Walker 5 months ago. Updated 3 months ago.

Status:
Done
Priority:
No priority
Assignee:
Andrew Walker
Category:
Services
Target version:
Seen in:
Severity:
New
Reason for Closing:
Reason for Blocked:
Needs QA:
No
Needs Doc:
No
Needs Merging:
No
Needs Automation:
No
Support Suite Ticket:
n/a
Hardware Configuration:
ChangeLog Required:
No

Description

Release Announcements
---------------------

These are security releases in order to address the following defects:

o  CVE-2018-14629 (Unprivileged adding of CNAME record causing loop in AD
                   Internal DNS server)
o  CVE-2018-16841 (Double-free in Samba AD DC KDC with PKINIT)
o  CVE-2018-16851 (NULL pointer de-reference in Samba AD DC LDAP server)
o  CVE-2018-16852 (NULL pointer de-reference in Samba AD DC DNS servers)
o  CVE-2018-16853 (Samba AD DC S4U2Self crash in experimental MIT Kerberos
                   configuration (unsupported))
o  CVE-2018-16857 (Bad password count in AD DC not always effective)

CVE-2018-16852 and CVE-2018-16857 affect 4.9 only.

=======
Details
=======

o  CVE-2018-14629:
   All versions of Samba from 4.0.0 onwards are vulnerable to infinite
   query recursion caused by CNAME loops. Any dns record can be added via
   ldap by an unprivileged user using the ldbadd tool, so this is a
   security issue.

o  CVE-2018-16841:
   When configured to accept smart-card authentication, Samba's KDC will call
   talloc_free() twice on the same memory if the principal in a validly signed
   certificate does not match the principal in the AS-REQ.

   This is only possible after authentication with a trusted certificate.

   talloc is robust against further corruption from a double-free with
   talloc_free() and directly calls abort(), terminating the KDC process.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

o  CVE-2018-16851:
   During the processing of an LDAP search before Samba's AD DC returns
   the LDAP entries to the client, the entries are cached in a single
   memory object with a maximum size of 256MB.  When this size is
   reached, the Samba process providing the LDAP service will follow the
   NULL pointer, terminating the process.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

o  CVE-2018-16852:
   During the processing of an DNS zone in the DNS management DCE/RPC server,
   the internal DNS server or the Samba DLZ plugin for BIND9, if the
   DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS
   property is set, the server will follow a NULL pointer and terminate.

   There is no further vulnerability associated with this issue, merely a
   denial of service.

o  CVE-2018-16853:
   A user in a Samba AD domain can crash the KDC when Samba is built in the
   non-default MIT Kerberos configuration.

   With this advisory we clarify that the MIT Kerberos build of the Samba
   AD DC is considered experimental.  Therefore the Samba Team will not
   issue security patches for this configuration.

o  CVE-2018-16857:
   AD DC Configurations watching for bad passwords (to restrict brute forcing
   of passwords) in a window of more than 3 minutes may not watch for bad
   passwords at all.

For more details and workarounds, please refer to the security advisories.

Related issues

Copied to FreeNAS - Bug #59985: Fix multiple samba CVEsDone

History

#1 Updated by Andrew Walker 5 months ago

Samba 4.7 - freenas/samba
11.1 PR - https://github.com/freenas/samba/pull/72

Samba 4.7 - freenas/ports
11.1 PR - https://github.com/freenas/ports/pull/171

#2 Updated by Bug Clerk 5 months ago

  • Status changed from In Progress to Ready for Testing

#4 Updated by Bug Clerk 5 months ago

  • Target version changed from Backlog to TrueNAS 11.1-U6.2

#5 Updated by Bug Clerk 5 months ago

  • Status changed from Ready for Testing to In Progress

#6 Updated by Dru Lavigne 5 months ago

  • Copied to Bug #59985: Fix multiple samba CVEs added

#7 Updated by Dru Lavigne 5 months ago

  • Subject changed from Fix multiple samba CVEs to Fix multiple Samba CVEs
  • Status changed from In Progress to Ready for Testing
  • Needs Merging changed from Yes to No

#10 Updated by Bug Clerk 5 months ago

  • Target version changed from TrueNAS 11.1-U6.2 to 11.3

#11 Updated by Dru Lavigne 4 months ago

  • Target version changed from 11.3 to 11.1-U7

#14 Updated by Jeff Ervin 4 months ago

48268
48270

Test Passed FreeNAS-11.1-U7-INTERNAL2 (Chrome)

For test case, used FreeNAS/11.1-Stable for the check

#15 Updated by Dru Lavigne 3 months ago

  • Status changed from Passed Testing to Done
  • Needs Doc changed from Yes to No

Also available in: Atom PDF