SB2020032515 - Gentoo update for Samba

CSH
CYBERSECURITY HELP
Sign In REGISTER

Main Vulnerability Database SB2020032515

SB2020032515 - Gentoo update for Samba

Published: March 25, 2020 Updated: December 28, 2023

Security Bulletin ID SB2020032515
Severity
High
Patch available
YES
Number of vulnerabilities 20
Exploitation vector Remote access
Highest impact Code execution

Breakdown by Severity

High 5% Medium 20% Low 75%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 20 secuirty vulnerabilities.


1) Heap-based buffer overflow (CVE-ID: CVE-2018-10858)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in libsmbclientwhen processing a list of directory entries, received from the server. A remote attacker can trick the victim to connect to a malicious SMB server, send a long list of directory entries, trigger heap-based buffer overflow and crash the client or execute arbitrary code on the target system.


2) NULL pointer dereference (CVE-ID: CVE-2018-10918)

The vulnerability allows a remote attacker to cause denial of service attack.

The vulnerability exists due to a NULL pointer deference error when processing directory attributes from the LDB database layer within the DsCrackNames() function in DRSUAPI RPC server. A remote authenticated attacker can send a specially crafted request to the vulnerable samba server, trigger NULL pointer dereference error and crash the affected server.

Successful exploitation of the vulnerability requires that the Samba is configured as an Active Directory Domain Controller.


3) Information disclosure (CVE-ID: CVE-2018-10919)

The vulnerability allows a remote attacker to gain access to sensitive information.
The vulnerability exists due to missing access control checks when displaying values of confidential attributes. A remote authenticated attacker can use LDAP search expression to  obtain both of attributes where the schema SEARCH_FLAG_CONFIDENTIAL (0x80) searchFlags bit and where an explicit Access Control Entry has been specified on the ntSecurityDescriptor.

4) Weakn encryption (CVE-ID: CVE-2018-1139)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to an error that allows usage of NTLMv1 encryption protocol over SMB1 transport, even when NTLMv1 is explicitly disabled.


5) Improper input validation (CVE-ID: CVE-2018-11396)

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in ephy-session.c in libephymain.so in GNOME Web (aka Epiphany) due to insufficient validation of user-supplied input. A remote attacker can supply JavaScript code, trigger access to a NULL URL, as demonstrated by a crafted window.open call and cause the service to crash.


6) NULL pointer dereference (CVE-ID: CVE-2018-1140)

The vulnerability allows a remote attacker to cause denial of service attack.
The vulnerability exists due to improper input validation when processing data from the LDB database layer. A remote attacker can trigger NULL pointer dereference error and cause the LDAP server and DNS server to crash.



7) Information disclosure (CVE-ID: CVE-2018-11409)

The vulnerability allows a remote attacker to obtain potentially sensitive information.

The vulnerability exists due to unspecified flaw. A remote attacker can append __raw/services/server/info/server-info?output_mode=json to a query, as demonstrated by discovering a license key and gain access to arbitrary data.


8) Infinite loop (CVE-ID: CVE-2018-14629)

The vulnerability allows a local unauthenticated attacker to cause DoS condition.

The vulnerability exists due to infinite query recursion caused by CNAME loops. A local attacker can add any dns record via ldap using the ldbadd tool, trigger infinite loop and cause the server to crash.


9) Double-free error (CVE-ID: CVE-2018-16841)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ when configured to accept smart-card authentication. A remote attacker can trigger double-free with talloc_free() and directly calls abort() and cause the KDC process to crash.


10) NULL pointer dereference (CVE-ID: CVE-2018-16851)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to the entries are cached in a single memory object with a maximum size of 256MB during the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client. A remote attacker can trigger NULL pointer dereference in the LDAP service when this size is reached and cause the process to crash.


11) NULL pointer dereference (CVE-ID: CVE-2018-16852)

The vulnerability allows a remote authenticated high-privileged attacker to cause DoS condition.

The vulnerability exists due to an error in the internal DNS server or the Samba DLZ plugin for BIND9 during the processing of an DNS zone in the DNS management DCE/RPC server if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set. A remote attacker can NULL pointer dereference and cause the service to crash.


12) Denial of service (CVE-ID: CVE-2018-16853)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to use of experimental MIT Kerberos build of the Samba AD DC. A remote attacker can crash the KDC when Samba is built in the non-default MIT Kerberos configuration.


13) Security restrictions bypass (CVE-ID: CVE-2018-16857)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. A remote attacker can bypass security restrictions and modify arbitrary data.


14) Improper Authentication (CVE-ID: CVE-2018-16860)

The vulnerability allows a remote authenticated user to compromise vulnerable domain.

The vulnerability exists due to an error within the process of obtaining kerberos ticket for a service from the Kerberos Key Distribution Center (KDC) that involves S4U2Self and S4U2Proxy extensions. A remote authenticated user can impersonate another service on the network and obtain elevated privileges within the domain.

Successful exploitation of the vulnerability may allow an attacker to compromise vulnerable Active Directory implementation.


15) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2019-10197)

The vulnerability allows a remote attacker to escalate privileges on the system.

The vulnerability exists due to an error related to caching of responses when the 'wide links' option is explicitly set to 'yes' and either 'unix extensions = no' or 'allow insecure wide links = yes' is set in addition. A remote attacker can that does not have access to a share can send a series of request to an SMB share and gain access to the global root directory on the system.

Successful exploitation of the vulnerability may allow an attacker to read or modify arbitrary files on the system. Note, that unix permissions enforced by kernel will still apply.


16) Use of out-of-range pointer offset (CVE-ID: CVE-2019-14861)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to an error when processing DNS records in ldb_qsort() and dns_name_compare() function within the dnsserver RPC pipe. A remote authenticated user can register a zone with an existing name but in different register and force Samba to read memory prior to the list of DNS entries when responding to DnssrvEnumRecords() or DnssrvEnumRecords2() calls. This will trigger Samba to follow invalid memory as a pointer and lead to DoS of the DNS management server.


17) Improperly implemented security feature (CVE-ID: CVE-2019-14870)

The vulnerability allows a remote attacker to bypass certain security restrictions.

The vulnerability exists due to incorrect implementation of the DelegationNotAllowed Kerberos feature restriction ("delegation_not_allowed" user attribute) that is not applied when processing protocol transmission requests (S4U2Self) in the AD DC KDC. A remote authenticated user can gain access to sensitive information and functionality within the AD domain.


18) Resource management error (CVE-ID: CVE-2019-14902)

The vulnerability allows a remote attacker to bypass implemented security checks.

The vulnerability exists due to absent full-sync replication that did not allow ACL changes to be replicated to all domain controllers. A remote attacker can gain access to sensitive resources.


19) Improper input validation (CVE-ID: CVE-2019-14907)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to incorrect processing of certain user-controlled string, if logging is enabled at level 3 or above. A remote attacker can send specially crafted data to the Samba DC and terminate Samba RPC server.

20) Use-after-free (CVE-ID: CVE-2019-19344)

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to a use-after-free error during DNS zone scavenging. A remote attacker can under rare conditions to query DNS and obtain parts of memory that was written into database during zone scavenging process.


Remediation

Install update from vendor's website.

References