Denial of service attack against Windows

Description

Samba, operating as an AD DC, is sometimes operated in a domain with a
mix of Samba and Windows Active Directory Domain Controllers.

All versions of Samba from 4.0.0 to 4.3.2 inclusive, when deployed as
an AD DC in the same domain with Windows DCs, could be used to
override the protection against the MS15-096 / CVE-2015-2535 security
issue in Windows.

Prior to MS16-096 it was possible to bypass the quota of machine
accounts a non-administrative user could create. Pure Samba domains
are not impacted, as Samba does not implement the
SeMachineAccountPrivilege functionality to allow non-administrator
users to create new computer objects.

Patch Availability

Patches addressing this defect have been posted to

https://www.samba.org/samba/history/security.html

Additionally, Samba 4.3.3, 4.2.7 and 4.1.22 have been issued as
security releases to correct the defect.
Samba vendors and administrators running affected versions as
an AD DC in combination with Windows AD DCs are advised to
pgrade or apply the patch as soon as possible.

Workaround

Only users with SeMachineAccountPrivilege can exploit this issue in
Windows, removing this privilege from “Authenticated Users” can provide
a mitigation.

Credits

This problem was found by Andrew Bartlett <[email protected]> of the
Samba Team and Catalyst (www.catalyst.net.nz), who also provided the
fix.