Samba Security: SAMBA:CVE-2016-2126
Dec 19, 2016

Flaws in Kerberos PAC validation can trigger privilege elevation.

Samba Security
www.samba.org

CVSS3: 6.5 Medium
  Attack Vector: NETWORK
  Attack Complexity: LOW
  Privileges Required: LOW
  User Interaction: NONE
  Scope: UNCHANGED
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: HIGH
  Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

CVSS2: 4 Medium
  Access Vector: NETWORK
  Access Complexity: LOW
  Authentication: SINGLE
  Confidentiality Impact: NONE
  Integrity Impact: NONE
  Availability Impact: PARTIAL
  Vector: AV:N/AC:L/Au:S/C:N/I:N/A:P

EPSS: 0.004 Low
  Percentile: 74.6%

Description

The winbindd part of Samba offers verification and unpacking of the
PAC (Privilege Attribute Certificate) received via Kerberos. When
parsing the PAC, winbindd may write beyond the allocated buffer;
however, the data involved is derived from the server's private key
and so is not user-controlled.

Additionally, by selecting an unkeyed checksum, user privileges may be
elevated by storage of more privileged SID values into the
samlogon_cache.tdb.

There are two methods of remote access to the exploitable code paths:

  • An external service using the WBC_AUTH_USER_LEVEL_PAC level of the
    wbcAuthenticateUserEx() and wbcCtxAuthenticateUserEx() functions of
    the libwbclient library. NFS Ganesha is one known external
    consumer.

  • Samba itself after releases 4.4.7 and 4.5.1 when not acting as an
    AD DC.

For the remote attack, the memory overwrite kills the main winbindd
process and an authenticated attacker can construct this situation
by watching for password changes in Samba.

One specific trigger occurs when winbindd changes its machine account
password while the client still holds a valid Kerberos ticket (one
that was encrypted with the old password).

The unkeyed checksum issue is understood not to be remotely
exploitable because the libkrb5 library used by Samba and NFS Ganesha
will have already checked the PAC checksum, and so will have confirmed
that it is ‘keyed’. It is also limited to local processes that have
access to the winbindd_privileged socket.
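The two defects above are a bounds problem while walking the PAC's buffer table and the acceptance of an unkeyed server checksum. The following is an added illustration, not Samba or libkrb5 code: a minimal MS-PAC buffer-table walker that refuses any PAC_INFO_BUFFER reaching outside the blob, and a gate that accepts only a keyed SignatureType on the server checksum (checksum type numbers are from the RFC 3961 registry and MS-PAC; the sample PACs, the build_pac helper and the digest bytes are constructed, and the digest itself is not verified).

```python
import struct

# MS-PAC buffer types and Kerberos checksum types (RFC 3961 registry plus Microsoft's
# HMAC-MD5). Only a keyed checksum binds the PAC to a key the client does not hold.
PAC_LOGON_INFO, PAC_SERVER_CHECKSUM = 1, 6
KEYED = {15: "hmac-sha1-96-aes128", 16: "hmac-sha1-96-aes256", -138: "hmac-md5"}
UNKEYED = {1: "crc32", 2: "rsa-md4", 7: "rsa-md5", 10: "sha1", 14: "sha1"}

def parse_pac(blob):
    """Walk the PACTYPE header into {ulType: bytes}, refusing any buffer outside the blob."""
    if len(blob) < 8:
        raise ValueError("PAC shorter than PACTYPE header")
    cbuffers, version = struct.unpack_from("<II", blob, 0)
    hdr_end = 8 + 16 * cbuffers  # PACTYPE header + PAC_INFO_BUFFER table
    if version != 0 or hdr_end > len(blob):
        raise ValueError("bad PAC version or buffer table exceeds blob")
    bufs = {}
    for i in range(cbuffers):
        ultype, size, off = struct.unpack_from("<IIQ", blob, 8 + 16 * i)
        if off < hdr_end or off + size > len(blob):
            raise ValueError("buffer %d (type %d) lies outside the PAC" % (i, ultype))
        bufs[ultype] = blob[off:off + size]
    return bufs

def check_server_checksum(blob):
    """Return (accepted, detail); accept only a well-formed PAC with a keyed server checksum."""
    try:
        sig = parse_pac(blob).get(PAC_SERVER_CHECKSUM)
    except ValueError as e:
        return False, str(e)
    if sig is None or len(sig) < 4:
        return False, "no server checksum buffer"
    (sigtype,) = struct.unpack_from("<i", sig, 0)  # SignatureType, signed: 0xFFFFFF76 -> -138
    if sigtype in KEYED:
        return True, KEYED[sigtype]
    return False, "unkeyed checksum " + UNKEYED.get(sigtype, "type %d" % sigtype)

def build_pac(buffers):
    """Constructed helper: pack {ulType: payload} into a PACTYPE blob (8-byte padding omitted)."""
    hdr_end, table, body = 8 + 16 * len(buffers), b"", b""
    for ultype, payload in buffers.items():
        table += struct.pack("<IIQ", ultype, len(payload), hdr_end + len(body))
        body += payload
    return struct.pack("<II", len(buffers), 0) + table + body

# Constructed samples: dummy logon info; a signature is a 4-byte type followed by digest bytes.
LOGON = b"\x00" * 16
KEYED_PAC = build_pac({PAC_LOGON_INFO: LOGON, PAC_SERVER_CHECKSUM: struct.pack("<i", 16) + b"\x11" * 12})
UNKEYED_PAC = build_pac({PAC_LOGON_INFO: LOGON, PAC_SERVER_CHECKSUM: struct.pack("<i", 7) + b"\x33" * 16})
TRUNCATED_PAC = KEYED_PAC[:-4]  # the checksum buffer now claims 4 bytes past the end of the blob
```

A real verifier must additionally recompute the keyed digest with the service key, as libkrb5 does for Samba and NFS Ganesha; the type gate alone only rules out checksums anyone could forge.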

Patch Availability

A patch addressing this defect has been posted to

https://www.samba.org/samba/security/

Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

Workaround

None.

Setting “machine password timeout = 0” will prevent the bug from being
triggered accidentally when the machine password is changed.

Credits

This vulnerability was discovered by Volker Lendecke and researched by
Stefan Metzmacher, both of SerNet (https://samba.plus) and the Samba
Team (https://www.samba.org). Stefan Metzmacher also provided the
fixes.
