174 matches found
DelegationNotAllowed not being enforced
Description The S4U MS-SFU Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is...
Client code can return filenames containing
Description Samba client code libsmbclient returns server-supplied filenames to calling code without checking for pathname separators such as "/" or "../" in the server returned names. A malicious server can craft a pathname containing separators and return this to client code, causing the client...
Samba 3.0.x Denial of Service Flaw
ii A DoS bug in nmbd may allow an attacker to remotely crash the nmbd daemon. Patch Availability The patch file for Samba 3.0.5 addressing both bugs samba-3.0.5-DoS.patch can be downloaded from http://www.samba.org/samba/ftp/patches/security/ The patch has been signed with the "Samba Distribution...
"rpcecho" development server allows Denial
Description Samba developers have built a non-Windows RPC server known as "rpcecho" to test elements of the Samba DCE/RPC stack under their full control. One RPC function provided by "rpcecho" can block, essentially indefinitely, and because the "rpcecho" service is provided from the main RPC tas...
Access controlled AD LDAP attributes can be discovered
== Summary: The fix in 4.6.16, 4.7.9, 4.8.4 and 4.9.7 for CVE-2018-10919 Confidential attribute disclosure via LDAP filters was insufficient and an attacker may be able to obtain confidential BitLocker recovery keys from a Samba AD DC. Installations with such secrets in their Samba AD should assu...
Samba buffer overflow vulnerabilities on 32-bit
Description The Kerberos libraries used by Samba provide a mechanism for authenticating a user or service by means of tickets that can contain Privilege Attribute Certificates PACs. Both the Heimdal and MIT Kerberos libraries, and so the embedded Heimdal shipped by Samba suffer from an integer...
Samba AD DC did not correctly sandbox
Description Samba as an Active Directory Domain Controller is able to support an RODC, which is meant to have minimal privileges in a domain. However, in accepting a ticket from a Samba or Windows RODC, Samba was not confirming that the RODC is authorized to print such a ticket, via the...
Potential Denial of Service bug in smbd
Description Internally Samba's file server daemon, smbd, implements support for deferred file open calls in an attempt to serve client requests that would otherwise fail due to a share mode violation. When renaming a file under certain circumstances it is possible that the request is never remove...
Exposed clear text of domain machine
Description The machine trust account password is the secret shared between a domain controller and a specific member server. Access to the member server machine credentials allows an attacker to impersonate the server in the domain and gain access to additional information regarding domain users...
Samba AD DC did not always rely on the SID
Description Samba as an Active Directory Domain Controller is based on Kerberos, which provides name-based authentication. These names are often then used for authorization. However Microsoft Windows and Active Direcory is SID-based. SIDs in Windows, similar to UIDs in Linux/Unix if managed well...
Samba AD DC zone-named record Denial of
Description The poorly named dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used fo...
Wide links protection broken
Description Samba 4.17 introduced following symlinks in user space with the intent to properly check symlink targets to stay within the share that was configured by the administrator. The check does not properly cover a corner case, so that a user can create a symbolic link that will make smbd...
Samba AD DC S4U2Self Crash in experimental
Description A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration. With this advisory we clarify that the MIT Kerberos build of the Samba AD DC is considered experimental. Therefore the Samba Team will not issue security patches for this...
Orpheus' Lyre mutual authentication validation bypass
Description All versions of Samba from 4.0.0 include an embedded copy of Heimdal Kerberos. Heimdal has made a security release, which disclosed: Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation This is a critical vulnerability. In krb5extractticket the KDC-REP service name must b...
Samba AD DC "dnsHostname" attribute can be
Description In implementing the Validated dnsHostName permission check in Samba's Active Directory DC, and therefore applying correctly constraints on the values of a dnsHostName value for a computer in a Samba domain CVE-2022-32743, the case where the dnsHostName is deleted, rather than modified...
User with "get changes" permission can
Description Since Samba 4.0.0 Samba has implemented, in the AD DC, the "dirsync" LDAP control specified in MS-ADTS "3.1.1.3.4.1.3 LDAPSERVERDIRSYNCOID". However, when combined with the ranged results feature specified in MS-ADTS "3.1.1.3.1.3.3 Range Retrieval of Attribute Values" a NULL pointer i...
auto-enrolment GPO installing CA certificate over http
Description If the certificate auto-enrollment GPO is enabled on domain members both in Samba's smb.conf and using Windows GPME tool, a CA certificate may be fetched using a plain HTTP connection and installed in the member computer's trust store. This may give an attacker a chance to intercept t...
WORM vfs module does not block overwrites
Description The vfsworm module is intended to make files immutable over SMB a short time after they are created. The time window in which they are writable is configurable, defaulting to one hour. The hook that handles renames was checking that the file being renamed was still mutable, but it was...
Denial of service against AD DC WINS server
Description The Windows Internet Naming Service 1 is an unauthenticated service for registering and looking up names in a NetBIOS network running on TCP and UDP 2. The protocol handlers for the RELEASE and MULTIHOMEREG packets in the WINS server running when Samba is configured as an Active...
Unauthenticated Remote Code Execution
Description Samba passes the client-controlled job description string to the command configured with the "print command" setting via the "%J" substitution character without escaping shell meta characters. This leads to a remote code execution vulnerability. Print servers configured with "printing...
Unauthenticated Remote Code Execution
Description Samba file servers and classic non-AD domain controllers offer the SamValidatePasswordChange and SamValidatePasswordReset RPC services on the SAMR DCE/RPC service when running over NCACNIPTCP. Both services pass a username and password to the "check password script" that can be...
Missing access checks on reparse point
Description Starting with Samba 4.21, users can create and delete NTFS-style reparse points https://en.wikipedia.org/wiki/NTFSreparsepoint via the SMB protocol. The Reparse Point Metadata is stored in an extended attribute named "user.SmbReparse" together with the FILEATTRIBUTEREPARSEPOINT bit in...
Command injection via WINS server hook script
Description If a Samba server has WINS support enabled it is off by default, and it has a 'wins hook' parameter specified, the program specified by that parameter will be run whenever a WINS name is changed. The WINS server used by the Samba Active Directory Domain Controller did not validate the...
uninitialized memory disclosure via vfs_streams_xattr
Description An authenticated user can read an unlimited number of samples of discarded heap memory, due to a failure to initialise memory in streamsxattrpwrite in the vfsstreamsxattr file server module. This is achieved by issuing write requests that creates holes in the file. Samba erases known...