SB2018112823 - Fedora 28 update for samba

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Infinite loop (CVE-ID: CVE-2018-14629)

The vulnerability allows a local unauthenticated attacker to cause DoS condition.

The vulnerability exists due to infinite query recursion caused by CNAME loops. A local attacker can add any dns record via ldap using the ldbadd tool, trigger infinite loop and cause the server to crash.

2) Double-free error (CVE-ID: CVE-2018-16841)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ when configured to accept smart-card authentication. A remote attacker can trigger double-free with talloc_free() and directly calls abort() and cause the KDC process to crash.

3) NULL pointer dereference (CVE-ID: CVE-2018-16851)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to the entries are cached in a single memory object with a maximum size of 256MB during the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client. A remote attacker can trigger NULL pointer dereference in the LDAP service when this size is reached and cause the process to crash.

4) Denial of service (CVE-ID: CVE-2018-16853)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to use of experimental MIT Kerberos build of the Samba AD DC. A remote attacker can crash the KDC when Samba is built in the non-default MIT Kerberos configuration.

Remediation

Install update from vendor's website.

References

• https://bodhi.fedoraproject.org/updates/FEDORA-2018-c2a93f8e1b