Amazon Linux AMI: CVE-2016-2125: Security patch for samba (ALAS-2017-834)

Description

Details for this vulnerability have not been published by NIST at this point. Descriptions from software vendor advisories for this issue are provided below.

From DSA-3740:

Several vulnerabilities have been discovered in Samba, a SMB/CIFS file,

print, and login server for Unix. The Common Vulnerabilities and

Exposures project identifies the following issues:

From USN-3158-1:

Frederic Besler and others discovered that the ndr_pull_dnsp_nam function in Samba contained an integer overflow. An authenticated attacker could use this to gain administrative privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-2123)

Simo Sorce discovered that that Samba clients always requested a forwardable ticket when using Kerberos authentication. An attacker could use this to impersonate an authenticated user or service. (CVE-2016-2125)

Volker Lendecke discovered that Kerberos PAC validation implementation in Samba contained multiple vulnerabilities. An authenticated attacker could use this to cause a denial of service or gain administrative privileges. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, and Ubuntu 16.10. (CVE-2016-2126)

From VID-E4BC323F-CC73-11E6-B704-000C292E4FD8:

Samba team reports:

[CVE-2016-2123] Authenicated users can supply malicious dnsRecord attributes

on DNS objects and trigger a controlled memory corruption.

[CVE-2016-2125] Samba client code always requests a forwardable ticket

when using Kerberos authentication. This means the target server, which must be in the current or trusted

domain/realm, is given a valid general purpose Kerberos "Ticket Granting Ticket" (TGT), which can be used to

fully impersonate the authenticated user or service.

[CVE-2016-2126] A remote, authenticated, attacker can cause the winbindd process

to crash using a legitimate Kerberos ticket due to incorrect handling of the PAC checksum.

A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.

From SUSE_CVE-2016-2125:

This CVE is addressed in the SUSE advisories

From RHSA-2017:0662:

Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.

Security Fix(es):

It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125)A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126)

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

From RHSA-2017:0744:

Samba is an open-source implementation of the Server Message Block (SMB) or Common Internet File System (CIFS) protocol, which allows PC-compatible machines to share files, printers, and other information.

Security Fix(es):

It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125)A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126)

Additional Changes:

For detailed information on changes in this release, see the Red Hat Enterprise Linux 6.9 Release Notes and Red Hat Enterprise Linux 6.9 Technical Notes linked from the References section.

From ELSA-2017-0662:

[3.6.23-41.0.1] - Remove use-after-free talloc_tos() inlined function problem (John Haxby) [orabug 18253258] [3.6.23-41] - resolves: #1413672 - Auth regression after secret changed [3.6.23-40] - resolves: #1405356 - CVE-2016-2125 CVE-2016-2126 [3.6.23-39] - resolves: #1297805 - Fix issues with printer unpublishing from AD [3.6.23-38] - resolves: #1347843 - Fix RPC queryUserList returning NO_MEMORY for empty list [3.6.23-37] - resolves: #1380151 - Fix memory leak in idmap_ad module - resolves: #1333561 - Fix smbclient connection issues to DFS shares - resolves: #1372611 - Allow ntlmsssp session key setup without signing (Workaround for broken NetApp and EMC NAS)

From ELSA-2017-0744:

[4.2.10-9] - resolves: #1405358 - CVE-2016-2125 CVE-2016-2126 [4.2.10-8] - Synchronize patches for Samba 4.2.10 with RHEL 7.2.z - Resolves: #1383685 - Update samba4 to be on par with RHEL 7.2.z

From DLA-776-1:

samba - security update

From ELSA-2017-1265:

[4.4.4-13] - resolves: #1437816 - Fix krb5 memory cache in libads sasl code - resolves: #1437741 - Fix CVE-2016-2125, CVE-2016-2126 and CVE-2017-2619

From RHSA-2017:1265:

Samba is an open-source implementation of the Server Message Block (SMB) protocol and the related Common Internet File System (CIFS) protocol, which allow PC-compatible machines to share files, printers, and various information.

Security Fix(es):

It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125)A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126)A race condition was found in samba server. A malicious samba client could use this flaw to access files and directories, in areas of the server file system not exported under the share definitions. (CVE-2017-2619)

Red Hat would like to thank the Samba project for reporting CVE-2017-2619. Upstream acknowledges Jann Horn (Google) as the original reporter of CVE-2017-2619.

From ALAS-2017-834:

A remote code execution flaw was found in Samba. A malicious authenticated samba client, having write access to the samba share, could use this flaw to execute arbitrary code as root. (CVE-2017-7494)

It was found that Samba always requested forwardable tickets when using Kerberos authentication. A service to which Samba authenticated using Kerberos could subsequently use the ticket to impersonate Samba to other services or domain users. (CVE-2016-2125)

A flaw was found in the way Samba handled PAC (Privilege Attribute Certificate) checksums. A remote, authenticated attacker could use this flaw to crash the winbindd process. (CVE-2016-2126)

A race condition was found in samba server. A malicious samba client could use this flaw to access files and directories, in areas of the server file system not exported under the share definitions. (CVE-2017-2619)