
174 matches found

Samba
added 2020/09/18 • 771 views

Unauthenticated domain takeover via netlogon ("ZeroLogon")

Description: The following applies to Samba used as domain controller only (most seriously the Active Directory DC, but also the classic/NT4-style DC). Installations running Samba as a file server only are not directly affected by this flaw, though they may need configuration changes to continue to...

CVSS 10 • AI score 7.1 • EPSS 0.9438 • Exploits 75
Samba
added 2020/07/02 • 50 views

Empty UDP packet DoS in Samba AD DC nbtd

Description: The NetBIOS over TCP/IP name resolution protocol is implemented as a UDP datagram on port 137. The AD DC client and server-side processing code for NBT name resolution will enter a tight loop if a UDP packet with 0 data length is received. The client for this case is only found in the...

CVSS 7.5 • AI score 8.1 • EPSS 0.26364 • Exploits 0
Samba
added 2020/07/02 • 47 views

LDAP Use-after-free in Samba AD DC Global Catalog with

Description: Samba 4.5 and later implements VLV - Virtual List View, and Samba 4.10 and later reimplemented the pagedresults control using similar code. This code is more memory-efficient, storing only a pointer to the object, not the returned object. However this means parts of the original reque...

CVSS 6.5 • AI score 7 • EPSS 0.02353 • Exploits 0
Samba
added 2020/07/02 • 37 views

Parsing and packing of NBT and DNS packets

Description: The NetBIOS over TCP/IP name resolution protocol is framed using the same format as DNS, and Samba's packing code for both uses DNS name compression. An attacker can choose a name which, when the name is included in the reply, causes the DNS name compression algorithm to walk a very...

CVSS 7.8 • AI score 7.6 • EPSS 0.19658 • Exploits 0
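The advisory above is about the cost of name compression, not its correctness: RFC 1035 lets a name end in a 14-bit pointer to an earlier copy of the same suffix, and a packer that finds that earlier copy by rescanning everything already in the packet does work proportional to (labels in the new name) x (labels already packed). The example below is an added illustration, not Samba's packing code: it packs the same constructed names with a scan-everything strategy and with a suffix dictionary, counts the comparisons each makes, and shows that both produce identical wire output. The adversarial names (one short label repeated up to the 255-byte limit) are constructed here.

```python
"""RFC 1035 name compression, packed two ways: a scan-everything strategy whose
cost grows with the square of the labels already in the packet, and an indexed
strategy that does the same job with a dictionary.  Added example, not Samba's
packing code; the adversarial names are constructed here."""

MAX_NAME = 255          # RFC 1035 limits on the wire form
MAX_LABEL = 63
POINTER_FLAG = 0xC0     # top two bits set: the remaining 14 bits are an offset
MAX_POINTER = 0x3FFF


def split_labels(name):
    """'www.example.com' -> [b'www', b'example', b'com'], limits enforced."""
    labels = [part.encode() for part in name.rstrip(".").split(".") if part]
    if any(len(label) > MAX_LABEL for label in labels):
        raise ValueError("label longer than 63 bytes")
    if sum(len(label) + 1 for label in labels) + 1 > MAX_NAME:
        raise ValueError("name longer than 255 bytes")
    return labels


class Packer:
    """Appends names to a packet buffer, emitting a pointer whenever a suffix
    of the new name has already been written earlier in the packet."""

    def __init__(self, indexed):
        self.indexed = indexed
        self.buf = bytearray()
        self.known = {} if indexed else []   # suffix (tuple of labels) -> offset
        self.comparisons = 0                 # work counter for the demonstration

    def _lookup(self, suffix):
        if self.indexed:
            self.comparisons += 1
            return self.known.get(suffix)
        for candidate, offset in self.known:  # walks every suffix seen so far
            self.comparisons += 1
            if candidate == suffix:
                return offset
        return None

    def _remember(self, suffix, offset):
        if offset > MAX_POINTER:             # beyond the reach of a 14-bit pointer
            return
        if self.indexed:
            self.known.setdefault(suffix, offset)
        else:
            self.known.append((suffix, offset))

    def pack(self, name):
        labels = split_labels(name)
        for i, label in enumerate(labels):
            suffix = tuple(labels[i:])
            offset = self._lookup(suffix)
            if offset is not None:
                self.buf += bytes([POINTER_FLAG | (offset >> 8), offset & 0xFF])
                return                       # a pointer ends the name
            self._remember(suffix, len(self.buf))
            self.buf.append(len(label))
            self.buf += label
        self.buf.append(0)                   # root label terminates the name


def adversarial_names(count, labels_per_name):
    """Constructed input: each name repeats one distinct label many times
    (n0.n0.n0..., n1.n1.n1...), so no suffix is ever shared between names."""
    return [".".join([f"n{k}"] * labels_per_name) for k in range(count)]


def compare_strategies(count=12, labels_per_name=60):
    """Pack the same names with both strategies; returns
    (scan comparisons, indexed comparisons, outputs identical?)."""
    scan, indexed = Packer(indexed=False), Packer(indexed=True)
    for name in adversarial_names(count, labels_per_name):
        scan.pack(name)
        indexed.pack(name)
    return scan.comparisons, indexed.comparisons, scan.buf == indexed.buf


if __name__ == "__main__":
    scan_work, indexed_work, same = compare_strategies()
    print(f"scan: {scan_work} comparisons, indexed: {indexed_work}, same output: {same}")
```

With twelve 60-label names the scanning packer performs several hundred thousand suffix comparisons against 720 dictionary lookups for the indexed one, and the gap widens quadratically with every additional name a client can cram into a request. The same shape of defence applies to any packer: make the per-label cost independent of how much has already been packed, or cap the total work per packet.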
Samba
added 2020/07/02 • 50 views

NULL pointer de-reference and use-after-free

Description: Samba has, since Samba 4.5, supported the VLV Active Directory LDAP feature, to allow clients to obtain 'virtual list views' of search results against a Samba AD DC using an LDAP control. The combination of this control and the ASQ control allows an authenticated user to...

CVSS 6.5 • AI score 6.8 • EPSS 0.03789 • Exploits 0
Samba
added 2020/04/28 • 79 views

LDAP Denial of Service (stack overflow) in

Description: LDAP is encoded as ASN.1, and LDAP filters are defined recursively as Filter ::= CHOICE { and [0] SET OF Filter, or [1] SET OF Filter, not [2] Filter, ... }. This recursion is mirrored in Samba's recursive descent parser, which consumes around 600 bytes of stack per filter sent by the client. In Samb...

CVSS 7.5 • AI score 7.6 • EPSS 0.14522 • Exploits 0
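A recursive-descent parser uses one stack frame per nesting level, so with no limit the client decides how deep the stack goes. The example below is an added illustration, not Samba's ASN.1 decoder: it parses the string form of LDAP filters (RFC 4515, the textual twin of the ASN.1 CHOICE above) with an explicit depth guard, and shows the difference between refusing an over-deep filter cleanly and letting the interpreter's own stack guard fire. The depth limit of 32 and the hostile input are chosen here; a C parser has no RecursionError to fall back on, which is why the advisory describes a crash.

```python
"""Recursive-descent parser for RFC 4515 string filters with an explicit nesting
limit.  Every and/or/not level costs one more stack frame, so without a limit
the parser's stack use is decided by the client.  Added example, not Samba's
ASN.1 decoder; MAX_DEPTH is a value chosen here."""

MAX_DEPTH = 32


class FilterError(ValueError):
    pass


class FilterTooDeep(FilterError):
    pass


class FilterParser:
    def __init__(self, text, max_depth=MAX_DEPTH):
        self.text = text
        self.pos = 0
        self.max_depth = max_depth

    def parse(self):
        node = self._filter(depth=0)
        if self.pos != len(self.text):
            raise FilterError(f"trailing data at offset {self.pos}")
        return node

    def _expect(self, ch):
        if self.pos >= len(self.text) or self.text[self.pos] != ch:
            raise FilterError(f"expected {ch!r} at offset {self.pos}")
        self.pos += 1

    def _filter(self, depth):
        if depth > self.max_depth:            # the guard this advisory is about
            raise FilterTooDeep(f"filter nested deeper than {self.max_depth}")
        self._expect("(")
        op = self.text[self.pos:self.pos + 1]
        if op in ("&", "|"):
            self.pos += 1
            parts = []
            while self.pos < len(self.text) and self.text[self.pos] == "(":
                parts.append(self._filter(depth + 1))
            if not parts:
                raise FilterError("empty and/or filter")
            node = ("and" if op == "&" else "or", parts)
        elif op == "!":
            self.pos += 1
            node = ("not", self._filter(depth + 1))
        else:
            node = self._item()
        self._expect(")")
        return node

    def _item(self):
        """attr=value, attr>=value, attr<=value or attr~=value."""
        end = self.text.find(")", self.pos)
        if end < 0:
            raise FilterError("unterminated filter item")
        item = self.text[self.pos:end]
        eq = item.find("=")
        if eq < 1:
            raise FilterError(f"no attribute/operator in {item!r}")
        if item[eq - 1] in "<>~":
            attr, sym, value = item[:eq - 1], item[eq - 1:eq + 1], item[eq + 1:]
        else:
            attr, sym, value = item[:eq], "=", item[eq + 1:]
        if not attr:
            raise FilterError("empty attribute")
        self.pos = end
        return ("item", attr, sym, value)


def parse_filter(text, max_depth=MAX_DEPTH):
    return FilterParser(text, max_depth).parse()


def nested_not(depth, leaf="(cn=x)"):
    """Constructed hostile input: `depth` levels of (!...) wrapped around one leaf."""
    return "(!" * depth + leaf + ")" * depth


def classify(text, max_depth=MAX_DEPTH):
    """What a front end would log: ok, too-deep, bad, or crash (the limit was
    absent and the interpreter's own stack guard fired instead)."""
    try:
        parse_filter(text, max_depth)
        return "ok"
    except FilterTooDeep:
        return "too-deep"
    except FilterError:
        return "bad"
    except RecursionError:
        return "crash"
```

`classify(nested_not(5000))` returns "too-deep" after 33 frames; the same input with the limit effectively removed returns "crash" only because Python refuses to recurse past its own limit, the equivalent of the stack exhaustion the advisory describes. The check belongs at the point of recursion, before any per-level allocation, and the limit should be far below what a legitimate client needs.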
Samba
added 2020/04/28 • 83 views

Use-after-free in Samba AD DC LDAP Server with ASQ

Description: Samba has, since Samba 4.0, supported the Paged Results LDAP feature, to allow clients to obtain pages of search results against a Samba AD DC using an LDAP control. Since Samba 4.7.11 and 4.8.6 a Denial of Service prevention has been in place in this module, to age out old client...

CVSS 5.3 • AI score 7.1 • EPSS 0.02857 • Exploits 0
Samba
added 2020/01/21 • 42 views

Crash after failed character conversion at

Description: If samba is set with "log level = 3" or above then the string obtained from the client, after a failed character conversion, is printed. Such strings can be provided during the NTLMSSP authentication exchange. In the Samba AD DC in particular, this may cause a long-lived process such ...

CVSS 6.5 • AI score 6.7 • EPSS 0.10242 • Exploits 0
Samba
added 2020/01/21 • 62 views

Replication of ACLs set to inherit down a

Description: A newly delegated right, but more importantly the removal of a delegated right, would not be inherited on any DC other than the one where the change was made. For example: - if a user or group was previously delegated the right to create or modify a subtree say to allow desktop suppor...

CVSS 5.5 • AI score 6.2 • EPSS 0.03503 • Exploits 0
Samba
added 2020/01/21 • 72 views

Use after free during DNS zone scavenging

Description: Samba 4.9 introduced an off-by-default feature to tombstone dynamically created DNS records that had reached their expiry time. This feature is controlled by the smb.conf option: dns zone scavenging = yes There is a use-after-free issue in this code, essentially due to a call to reall...

CVSS 6.5 • EPSS 0.02193 • Exploits 0
Samba
added 2019/12/10 • 39 views

DelegationNotAllowed not being enforced

Description: The S4U MS-SFU Kerberos delegation model includes a feature allowing for a subset of clients to be opted out of constrained delegation in any way, either S4U2Self or regular Kerberos authentication, by forcing all tickets for these clients to be non-forwardable. In AD this is...

CVSS 6.4 • AI score 6.1 • EPSS 0.04669 • Exploits 0
Samba
added 2019/12/10 • 34 views

Samba AD DC zone-named record Denial of

Description: The poorly named dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. Samba, when acting as an AD DC, stores DNS records in LDAP. In AD, the default permissions on the DNS partition allow creation of new records by authenticated users. This is used fo...

CVSS 5.3 • AI score 0.2 • EPSS 0.04997 • Exploits 0
Samba
added 2019/10/29 • 36 views

Client code can return filenames containing

Description: Samba client code libsmbclient returns server-supplied filenames to calling code without checking for pathname separators such as "/" or "../" in the server returned names. A malicious server can craft a pathname containing separators and return this to client code, causing the client...

CVSS 6.5 • AI score 6.5 • EPSS 0.04508 • Exploits 0
Samba
added 2019/10/29 • 23 views

User with "get changes" permission can

Description: Since Samba 4.0.0 Samba has implemented, in the AD DC, the "dirsync" LDAP control specified in MS-ADTS "3.1.1.3.4.1.3 LDAP_SERVER_DIRSYNC_OID". However, when combined with the ranged results feature specified in MS-ADTS "3.1.1.3.1.3.3 Range Retrieval of Attribute Values" a NULL pointer i...

CVSS 4.9 • AI score 0.8 • EPSS 0.02434 • Exploits 1
Samba
added 2019/10/29 • 41 views

Samba AD DC check password script does not receive

Description: Since Samba Version 4.5.0 a Samba AD DC can use a custom command to verify the password complexity. The command can be specified with the "check password script" smb.conf parameter. This command is called when Samba handles a user password change or a new user password is set. The...

CVSS 5.4 • AI score 5.8 • EPSS 0.01267 • Exploits 0
Samba
added 2019/09/03 • 116 views

Combination of parameters and permissions can allow user

Description: On a Samba SMB server for all versions of Samba from 4.9.0 clients are able to escape outside the share root directory if certain configuration parameters are set in the smb.conf file. The problem is reproducible if the 'wide links' option is explicitly set to 'yes' and either 'unix...

CVSS 9.1 • AI score 6.8 • EPSS 0.0479 • Exploits 0
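Whether an explicit `wide links = yes` actually lets clients follow symlinks out of a share depends on two global parameters. Per smb.conf(5), wide links is forced off while `unix extensions = yes` (the default) unless `allow insecure wide links = yes` is also set. The audit below is an added example, not Samba's own parameter handling: it parses an smb.conf, finds every share that sets wide links, and reports whether the setting is in force under that rule. The sample configuration is constructed here; the rule is the documented one, not a statement about which combination the truncated advisory text goes on to name.

```python
"""Audit an smb.conf for shares that set 'wide links = yes' and work out whether
the setting is actually in force.  The effective-value rule follows smb.conf(5):
wide links is forced off while 'unix extensions = yes' (the default) unless
'allow insecure wide links = yes' is also set.  Added example, not Samba's own
parameter handling; the sample configuration is constructed here."""

import re

BOOL_TRUE = {"yes", "true", "1", "on"}
BOOL_FALSE = {"no", "false", "0", "off"}


def parse_smb_conf(text):
    """Return {section: {param: value}}; parameter names are lower-cased with
    internal whitespace removed, which is how Samba matches them."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, value = line.split("=", 1)
        sections[current][re.sub(r"\s+", "", key).lower()] = value.strip()
    return sections


def as_bool(value, default):
    if value is None:
        return default
    v = value.lower()
    if v in BOOL_TRUE:
        return True
    if v in BOOL_FALSE:
        return False
    raise ValueError(f"not a boolean: {value!r}")


def audit_wide_links(text):
    """Return [(share, effective)] for every share with wide links = yes,
    where `effective` says whether Samba would honour it."""
    conf = parse_smb_conf(text)
    g = conf.get("global", {})
    unix_ext = as_bool(g.get("unixextensions"), True)
    insecure_ok = as_bool(g.get("allowinsecurewidelinks"), False)
    findings = []
    for share, params in conf.items():
        if share == "global":
            continue
        # a share-level (S) parameter set in [global] is the default for all shares
        if as_bool(params.get("widelinks", g.get("widelinks")), False):
            findings.append((share, (not unix_ext) or insecure_ok))
    return findings


# constructed sample, not any real server's configuration
SAMPLE_CONF = """\
[global]
   workgroup = EXAMPLE
   unix extensions = no

[public]
   path = /srv/samba/public
   wide links = yes
   read only = no

[archive]
   path = /srv/samba/archive
   wide links = no
"""

# same file with 'unix extensions' left at its default of yes
SAMPLE_CONF_DEFAULT_UNIX_EXT = SAMPLE_CONF.replace("   unix extensions = no\n", "")
```

On a real server `testparm -s` prints the fully resolved configuration and is the authoritative check; the parser here is deliberately small (no `include =` handling, no `%` substitutions) so that the rule itself is visible.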
Samba
added 2019/06/19 • 163 views

Samba AD DC LDAP server crash (paged searches)

Description: A user with read access to the LDAP server can crash the LDAP server process. Depending on the Samba version and the choice of process model, this may crash only the user's own connection. Specifically, while in Samba 4.10 the default is for one process per connected client,...

CVSS 6.5 • AI score 6.7 • EPSS 0.02349 • Exploits 0
Samba
added 2019/06/19 • 137 views

Samba AD DC Denial of Service in DNS management server (dnsserver)

Description: The poorly named dnsserver RPC pipe provides administrative facilities to modify DNS records and zones. An authenticated user can crash the RPC server process via a NULL pointer de-reference. There is no further vulnerability associated with this issue, merely a denial of service. Pat...

CVSS 6.5 • AI score 6 • EPSS 0.03816 • Exploits 0
Samba
added 2019/05/14 • 127 views

Samba AD DC S4U2Self/S4U2Proxy unkeyed checksum

Description: S4U2Self is an extension to Kerberos used in Active Directory to allow a service to request a Kerberos ticket to itself from the Kerberos Key Distribution Center (KDC) for a non-Kerberos authenticated user (principal in Kerberos parlance). This is useful to allow internal code paths to be...

CVSS 7.5 • AI score 7.6 • EPSS 0.01169 • Exploits 0
Samba
added 2019/04/08 • 93 views

World writable files in Samba AD DC private/ dir

Description: During the creation of a new Samba AD DC, files are created in the private/ subdirectory of our install location. This directory is typically mode 0700 (that is, owner root only access). However in some upgraded installations it will have other permissions, such as 0755, because this...

CVSS 6.1 • AI score 6.6 • EPSS 0.0055 • Exploits 1
Samba
added 2019/04/08 • 40 views

Save registry file outside share as unprivileged user

Description: Samba contains an RPC endpoint emulating the Windows registry service API. One of the requests, "winregSaveKey", is susceptible to a path/symlink traversal vulnerability. Unprivileged users can use it to create a new registry hive file anywhere they have unix permissions to create a n...

CVSS 5.5 • AI score 5.4 • EPSS 0.03388 • Exploits 0
Samba
added 2018/11/27 • 120 views

NULL pointer de-reference in Samba AD DC LDAP server

Description: During the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client, the entries are cached in a single memory object with a maximum size of 256MB. When this size is reached, the Samba process providing the LDAP service will follow the NULL pointer,...

CVSS 6.5 • EPSS 0.08925 • Exploits 0
Samba
added 2018/11/27 • 124 views

Unprivileged adding of CNAME record causing loop

Description: All versions of Samba from 4.0.0 onwards are vulnerable to infinite query recursion caused by CNAME loops. Any dns record can be added via ldap by an unprivileged user using the ldbadd tool, so this is a security issue. Patch Availability Patches addressing both these issues have been...

CVSS 6.5 • AI score 6.8 • EPSS 0.08971 • Exploits 1
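Two CNAME records that point at each other are valid data as far as the store is concerned; it is the lookup code that has to refuse to chase them for ever. The resolver below is an added example, not Samba's DNS server: it follows a CNAME chain while remembering every name visited and capping the number of hops, so a loop (or a self-referencing record) is reported instead of spun on. The zone contents, the hop limit of 8 and the `classify_lookup` labels are chosen here.

```python
"""Following a CNAME chain with loop protection.  A resolver that simply
re-queries whatever name the CNAME points at spins for ever on two records
that point at each other (or one that points at itself); the guarded loop
below refuses to revisit a name and caps the chain length.  Added example,
not Samba's DNS server; the zone data is constructed here."""

MAX_CNAME_HOPS = 8      # chosen bound; production resolvers use similar small limits


class CnameLoop(Exception):
    pass


class ChainTooLong(Exception):
    pass


def canonical(name):
    return name.lower().rstrip(".")


def resolve(zone, name, rtype, max_hops=MAX_CNAME_HOPS):
    """Return (final name, values of rtype, CNAME hops taken).
    `zone` maps owner name -> list of (type, value)."""
    chain, seen = [], set()
    current = canonical(name)
    while True:
        if current in seen:                 # revisiting a name: a cycle
            raise CnameLoop(" -> ".join(chain + [current]))
        if len(chain) > max_hops:           # bounded even without a cycle
            raise ChainTooLong(" -> ".join(chain + [current]))
        seen.add(current)
        rrs = zone.get(current, [])
        wanted = [v for t, v in rrs if t == rtype]
        if wanted:
            return current, wanted, chain
        cnames = [v for t, v in rrs if t == "CNAME"]
        if not cnames:
            return current, [], chain       # no data of that type here
        chain.append(current)
        current = canonical(cnames[0])


def classify_lookup(zone, name, rtype="A"):
    """'ok', 'nodata', 'loop' or 'too-long': what a query handler would log."""
    try:
        _, values, _ = resolve(zone, name, rtype)
        return "ok" if values else "nodata"
    except CnameLoop:
        return "loop"
    except ChainTooLong:
        return "too-long"


def long_chain_zone(hops, suffix=".example.test"):
    """c0 -> c1 -> ... -> c<hops>, with an A record only at the end."""
    zone = {f"c{i}{suffix}": [("CNAME", f"c{i + 1}{suffix}")] for i in range(hops)}
    zone[f"c{hops}{suffix}"] = [("A", "192.0.2.99")]
    return zone


# constructed zone; 192.0.2.0/24 and .test are reserved for documentation
ZONE = {
    "www.example.test": [("CNAME", "web.example.test")],
    "web.example.test": [("A", "192.0.2.10")],
    "loop1.example.test": [("CNAME", "loop2.example.test")],
    "loop2.example.test": [("CNAME", "loop1.example.test")],
    "self.example.test": [("CNAME", "self.example.test")],
}
```

The visited set catches cycles of any length; the hop cap is the second line of defence for a long acyclic chain that would otherwise cost one store lookup per hop. Since the advisory's point is that unprivileged users can create the records, the guard has to live in the server's query path rather than in whatever validates record additions.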
Samba
added 2018/11/27 • 127 views

NULL pointer de-reference in Samba AD DC DNS servers

Description: During the processing of a DNS zone in the DNS management DCE/RPC server, the internal DNS server or the Samba DLZ plugin for BIND9, if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set, the server will follow a NULL pointer and terminate...

CVSS 6.5 • AI score 0.6 • EPSS 0.02897 • Exploits 0
Samba
added 2018/11/27 • 99 views

Double-free in Samba AD DC KDC with PKINIT

Description: When configured to accept smart-card authentication, Samba's KDC will call talloc_free twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ. This is only possible after authentication with a trusted certificate. talloc is...

CVSS 6.5 • AI score 6.5 • EPSS 0.09452 • Exploits 0
Samba
added 2018/11/27 • 33 views

Samba AD DC S4U2Self Crash in experimental

Description: A user in a Samba AD domain can crash the KDC when Samba is built in the non-default MIT Kerberos configuration. With this advisory we clarify that the MIT Kerberos build of the Samba AD DC is considered experimental. Therefore the Samba Team will not issue security patches for this...

CVSS 7.5 • AI score 0.2 • EPSS 0.04908 • Exploits 0
Samba
added 2018/11/27 • 137 views

Bad password count in AD DC not always effective

Description: By default, Samba will remember bad passwords for 30min: eg: $ samba-tool domain passwordsettings show ... Reset account lockout after (mins): 30 This is also known as the 'bad password observation window' and is configured in the lockOutObservationWindow attribute on the domain DN or i...

CVSS 7.4 • AI score 6.4 • EPSS 0.0224 • Exploits 0
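The observation window is what turns a bad-password counter into a rate limit: failures inside the window accumulate towards the lockout threshold, and a failure arriving after the window has elapsed since the last one starts a fresh count. The example below is an added illustration of that bookkeeping, not Samba's implementation; the threshold of 5, the 30-minute lockout duration and the attempt timestamps are chosen here. It makes the practical consequence visible: with a 30-minute window and a threshold of 5, an attacker who paces guesses at four per window is never locked out, which is why the counter has to be applied consistently on every failed attempt.

```python
"""Bad-password bookkeeping with an observation window, the mechanism behind
'Reset account lockout after (mins): 30'.  Failures inside the window
accumulate towards the lockout threshold; a failure that arrives after the
window has elapsed starts a fresh count.  Added example, not Samba's
implementation; the threshold, durations and timestamps are chosen here."""

from dataclasses import dataclass

WINDOW_SECONDS = 30 * 60     # lockOutObservationWindow
THRESHOLD = 5                # lockoutThreshold (assumed; 0 disables lockout)
LOCKOUT_SECONDS = 30 * 60    # lockoutDuration (assumed)


@dataclass
class Account:
    bad_pwd_count: int = 0
    bad_password_time: float = 0.0   # time of the most recent failure
    lockout_time: float = 0.0        # 0 means not locked


def is_locked(acct, now):
    return acct.lockout_time > 0 and now < acct.lockout_time + LOCKOUT_SECONDS


def record_failure(acct, now):
    """One failed authentication at time `now`; returns the updated count."""
    if is_locked(acct, now):
        return acct.bad_pwd_count          # attempts against a locked account do not count
    if acct.bad_pwd_count and now - acct.bad_password_time > WINDOW_SECONDS:
        acct.bad_pwd_count = 0             # the window has elapsed: start over
    acct.bad_pwd_count += 1
    acct.bad_password_time = now
    if THRESHOLD and acct.bad_pwd_count >= THRESHOLD:
        acct.lockout_time = now
    return acct.bad_pwd_count


def record_success(acct, now):
    """A correct password clears the count unless the account is locked."""
    if is_locked(acct, now):
        return False
    acct.bad_pwd_count = 0
    acct.lockout_time = 0.0
    return True


def simulate(attempt_times, good_at=()):
    """Replay constructed attempt timestamps (seconds); timestamps listed in
    `good_at` are correct passwords.  Returns (final count, locked?)."""
    acct = Account()
    for t in attempt_times:
        if t in good_at:
            record_success(acct, t)
        else:
            record_failure(acct, t)
    return acct.bad_pwd_count, is_locked(acct, attempt_times[-1])


# constructed attempt patterns
BURST = [0, 1, 2, 3, 4]                                  # five guesses in five seconds
PACED = [i * 31 * 60 for i in range(10)]                 # one guess every 31 minutes
BUDGETED = [0, 1, 2, 3, 1900, 1901, 1902, 1903]          # four per window, then wait
```

Note that the window is measured from the most recent failure, not the first, so the attacker's budget is `THRESHOLD - 1` guesses per window and nothing more; any code path that forgets to increment, or resets the count on a failure inside the window, hands that budget back.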
Samba
added 2018/08/14 • 551 views

Weak authentication protocol allowed.

Description: Samba releases 4.7.0 to 4.8.3 inclusive contain an error which allows authentication using NTLMv1 over an SMB1 transport either directly or via NETLOGON SamLogon calls from a member server, even when NTLMv1 is explicitly disabled on the server. Normally, the use of NTLMv1 is disabled...

CVSS 8.1 • AI score 6.7 • EPSS 0.0162 • Exploits 0
Samba
added 2018/08/14 • 671 views

Denial of Service Attack on AD DC DRSUAPI server

Description: All versions of Samba from 4.7.0 onwards are vulnerable to a denial of service attack which can crash the "samba" process when Samba is an Active Directory Domain Controller. Missing database output checks on the returned directory attributes from the LDB database layer cause the...

CVSS 6.5 • AI score 1.5 • EPSS 0.04739 • Exploits 0
Samba
added 2018/08/14 • 1159 views

Denial of Service Attack on DNS and LDAP server

Description: All versions of Samba from 4.8.0 onwards are vulnerable to a denial of service attack when Samba is an Active Directory Domain Controller. Missing input sanitization checks on some of the input parameters to LDB database layer cause the LDAP server and DNS server to crash when followi...

CVSS 6.5 • AI score 7.5 • EPSS 0.14432 • Exploits 0
Samba
added 2018/08/14 • 532 views

Insufficient input validation on client directory

Description: Samba releases 3.2.0 to 4.8.3 inclusive contain an error in libsmbclient that could allow a malicious server to overwrite client heap memory by returning an extra long filename in a directory listing. Patch Availability Patches addressing this issue have been posted to:...

CVSS 8.8 • AI score 0.8 • EPSS 0.0594 • Exploits 0
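This entry and the earlier "Client code can return filenames containing" entry are two faces of one rule: a directory listing comes from the server, so every name in it is attacker-controlled and must be validated before it touches a fixed-size buffer or a local path. The example below is an added illustration, not libsmbclient code: it rejects separators, the dot entries, embedded NUL and over-long names, confirms that a joined path stays under the download directory, and triages a constructed hostile listing. NAME_MAX = 255 is the assumed buffer limit.

```python
"""Validating directory-listing names received from an SMB server before they
reach a local path or a fixed-size buffer.  The server chooses every name it
returns, so the client treats them as hostile: path separators, the dot
entries, embedded NUL and over-long names are all rejected.  Added example, not
libsmbclient code; NAME_MAX = 255 is the assumed buffer limit and the sample
listing is constructed here."""

import posixpath

NAME_MAX = 255
SEPARATORS = ("/", "\\")


class BadServerName(ValueError):
    pass


def validate_entry_name(name):
    """Return the name unchanged if it is a plain file name, else raise."""
    if not isinstance(name, str) or name == "":
        raise BadServerName("empty name")
    if name in (".", ".."):
        raise BadServerName("dot entry")
    if "\x00" in name:
        raise BadServerName("embedded NUL")
    if any(sep in name for sep in SEPARATORS):
        raise BadServerName(f"path separator in {name!r}")
    if len(name.encode("utf-8")) > NAME_MAX:     # check before any copy into a buffer
        raise BadServerName("name longer than NAME_MAX")
    return name


def is_safe_name(name):
    try:
        validate_entry_name(name)
        return True
    except BadServerName:
        return False


def safe_local_path(local_dir, name):
    """Join a validated name to local_dir and confirm the result stays inside it."""
    validate_entry_name(name)
    base = posixpath.normpath(local_dir)
    target = posixpath.normpath(posixpath.join(base, name))
    if posixpath.dirname(target) != base:
        raise BadServerName(f"{name!r} escapes {local_dir!r}")
    return target


def triage_listing(entries):
    """Split a listing into accepted names and (name, reason) rejections."""
    accepted, rejected = [], []
    for name in entries:
        try:
            accepted.append(validate_entry_name(name))
        except BadServerName as err:
            rejected.append((name, str(err)))
    return accepted, rejected


# constructed listing as a malicious server might return it
HOSTILE_LISTING = [
    "report.pdf",
    "../../.ssh/authorized_keys",
    "..\\..\\windows\\win.ini",
    "..",
    "A" * 300,
    "ok.txt\x00.exe",
]
```

The length check is on the encoded byte length, since that is what a C buffer holds; the backslash is rejected as well as the slash because a name copied to a Windows client, or handed to a tool that converts separators, would otherwise still traverse.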
Samba
added 2018/08/14 • 709 views

Confidential attribute disclosure from the AD LDAP

Description: All versions of the Samba Active Directory LDAP server from 4.0.0 onwards are vulnerable to the disclosure of confidential attribute values, both of attributes where the schema SEARCH_FLAG_CONFIDENTIAL (0x80) searchFlags bit is set and where an explicit Access Control Entry has been specified on...

CVSS 6.5 • AI score 0.5 • EPSS 0.01373 • Exploits 0
Samba
added 2018/03/13 • 634 views

Authenticated users can change other users' password

Description: On a Samba 4 AD DC the LDAP server in all versions of Samba from 4.0.0 onwards incorrectly validates permissions to modify passwords over LDAP allowing authenticated users to change any other users' passwords, including administrative users and privileged service accounts eg Domain...

CVSS 8.8 • AI score 8.7 • EPSS 0.07722 • Exploits 1
Samba
added 2018/03/13 • 525 views

Denial of Service Attack on external print server.

Description: All versions of Samba from 3.6.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler servic...

CVSS 4.3 • AI score 1 • EPSS 0.19654 • Exploits 0
Samba
added 2017/11/21 • 532 views

Server heap memory information leak.

Description: All versions of Samba from 3.6.0 onwards are vulnerable to a heap memory information leak, where server allocated heap memory may be returned to the client without being cleared. There is no known vulnerability associated with this error, but uncleared heap memory may contain previous...

CVSS 7.5 • AI score 0.7 • EPSS 0.4327 • Exploits 0
Samba
added 2017/11/21 • 594 views

Use-after-free vulnerability.

Description: All versions of Samba from 4.0.0 onwards are vulnerable to a use after free vulnerability, where a malicious SMB1 request can be used to control the contents of heap memory via a deallocated heap pointer. It is possible this may be used to compromise the SMB server. Patch Availability...

CVSS 9.8 • AI score 0.1 • EPSS 0.31253 • Exploits 0
Samba
added 2017/09/20 • 593 views

SMB3 connections don't keep encryption across DFS redirects

Description: Client command line tools like 'smbclient' as well as applications using 'libsmbclient' library have support for requiring encryption. This is activated by the '-e|--encrypt' command line option or the smbc_setOptionSmbEncryptionLevel library call. By default, only SMB1 is used in orde...

CVSS 7.4 • AI score 7.6 • EPSS 0.04146 • Exploits 0
Samba
added 2017/09/20 • 646 views

SMB1/2/3 connections may not require signing where they should

Description: There are several code paths where the code doesn't enforce SMB signing: The fixes for CVE-2015-5296 didn't apply the implied signing protection when enforcing encryption for commands like 'smb2mount -e', 'smbcacls -e' and 'smbcquotas -e'. The python binding exported as...

CVSS 7.4 • AI score 6.9 • EPSS 0.221 • Exploits 0
Samba
added 2017/09/20 • 515 views

Server memory information leak over SMB1

Description: All versions of Samba are vulnerable to a server memory information leak bug over SMB1 if a client can write data to a share. Some SMB1 write requests were not correctly range checked to ensure the client had sent enough data to fulfill the write, allowing server memory contents to be...

CVSS 7.1 • EPSS 0.41375 • Exploits 0
Samba
added 2017/07/12 • 65 views

Orpheus' Lyre mutual authentication validation bypass

Description: All versions of Samba from 4.0.0 include an embedded copy of Heimdal Kerberos. Heimdal has made a security release, which disclosed: Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation This is a critical vulnerability. In _krb5_extract_ticket the KDC-REP service name must be obtained...

CVSS 6.8 • AI score 1 • EPSS 0.05637 • Exploits 0
Samba
added 2017/07/12 • 34 views

Orpheus' Lyre mutual authentication validation bypass

Description: All versions of Samba from 4.0.0 include an embedded copy of Heimdal Kerberos. Heimdal has made a security release, which disclosed: Fix CVE-2017-11103: Orpheus' Lyre KDC-REP service name validation This is a critical vulnerability. In _krb5_extract_ticket the KDC-REP service name must b...

CVSS 8.1 • AI score 0.5 • EPSS 0.05637 • Exploits 0
Samba
added 2017/05/24 • 613 views

Remote code execution from a writable share.

Description: All versions of Samba from 3.5.0 onwards are vulnerable to a remote code execution vulnerability, allowing a malicious client to upload a shared library to a writable share, and then cause the server to load and execute it. Patch Availability A patch addressing this defect has been...

CVSS 10 • AI score 8.1 • EPSS 0.94176 • Exploits 24
Samba
added 2017/03/23 • 631 views

Symlink race allows access outside share definition.

Description: All versions of Samba prior to 4.6.1, 4.5.7, 4.4.12 are vulnerable to a malicious client using a symlink race to allow access to areas of the server file system not exported under the share definition. Samba uses the realpath system call to ensure when a client requests access to a...

CVSS 7.5 • AI score 7.8 • EPSS 0.47493 • Exploits 3
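A realpath check and the open that follows it are two separate system calls, and a client with write access to the share can change what the path means in between: the check sees a real directory, the open follows the symlink that replaced it. The example below is an added illustration of one race-free pattern, not Samba's VFS code: it opens each path component relative to the previous directory descriptor with O_NOFOLLOW, so there is no window in which a swapped-in link is honoured. The temporary share layout is constructed here and the "race" is played by hand between the check and the open; it needs a POSIX system with `dir_fd` support.

```python
"""Opening a client-supplied path without the realpath race.  Checking the
resolved path and then opening it by name are two separate steps; a client
that swaps a directory for a symlink in between gets the open to land outside
the share.  Opening one component at a time relative to the previous directory
descriptor, with O_NOFOLLOW, leaves no such gap.  Added example of one
race-free pattern, not Samba's VFS code; the temporary share layout is
constructed here (POSIX only)."""

import os
import tempfile


def check_with_realpath(root, relpath):
    """The checked-then-used pattern: returns the path that will later be opened."""
    full = os.path.join(root, relpath)
    root_real = os.path.realpath(root)
    if os.path.commonpath([os.path.realpath(full), root_real]) != root_real:
        raise PermissionError("outside share")
    return full


def open_no_follow(root, relpath):
    """Walk relpath component by component under root, never following symlinks."""
    parts = [p for p in relpath.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise PermissionError("empty path or parent traversal")
    fd = os.open(root, os.O_RDONLY | os.O_DIRECTORY)
    try:
        for part in parts[:-1]:
            nfd = os.open(part, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=fd)
            os.close(fd)
            fd = nfd
        return os.open(parts[-1], os.O_RDONLY | os.O_NOFOLLOW, dir_fd=fd)
    finally:
        os.close(fd)


def read_all(fd):
    try:
        return os.read(fd, 4096)
    finally:
        os.close(fd)


def demo():
    """Build share/sub/file.txt and outside/file.txt, pass the realpath check,
    then play the client's move (swap 'sub' for a symlink to 'outside') before
    the open.  Returns what each pattern ended up reading."""
    with tempfile.TemporaryDirectory() as tmp:
        share, outside = os.path.join(tmp, "share"), os.path.join(tmp, "outside")
        os.makedirs(os.path.join(share, "sub"))
        os.makedirs(outside)
        with open(os.path.join(share, "sub", "file.txt"), "w") as f:
            f.write("public\n")
        with open(os.path.join(outside, "file.txt"), "w") as f:
            f.write("secret\n")

        rel = "sub/file.txt"
        before = read_all(open_no_follow(share, rel))
        full = check_with_realpath(share, rel)             # check passes: sub is a real directory

        os.rename(os.path.join(share, "sub"), os.path.join(share, "sub.old"))
        os.symlink(outside, os.path.join(share, "sub"))    # the race, done by hand

        racy = read_all(os.open(full, os.O_RDONLY))        # use: resolves the new symlink
        try:
            hardened = read_all(open_no_follow(share, rel))
        except OSError:
            hardened = "refused"
        return {"before": before, "racy": racy, "hardened": hardened}
```

The component walk is stricter than a share that deliberately allows symlinks inside the export; a server that wants to honour such links has to resolve them itself, one level at a time, and re-apply the containment check on each target rather than on the final string.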
Samba
added 2016/12/19 • 565 views

Flaws in Kerberos PAC validation can trigger privilege elevation.

Description: The winbindd part of Samba offers verification and unpacking of the PAC (Privilege Attribute Certificate) received via Kerberos. When parsing the PAC, winbindd may write beyond the allocated buffer, however the data involved is from the server private key and so not user-controlled...

CVSS 6.5 • AI score 0.7 • EPSS 0.04506 • Exploits 0
Samba
added 2016/12/19 • 522 views

Unconditional privilege delegation to Kerberos servers in trusted realms

Description: The Samba client code always requests a forwardable Kerberos ticket when performing Kerberos authentication by passing the GSS_C_DELEG_FLAG to the gss_init_sec_context GSSAPI function. The use of GSS_C_DELEG_FLAG, if accepted by the Kerberos KDC, results in passing the forwardable TGT to the...

CVSS 6.5 • AI score 1.3 • EPSS 0.08663 • Exploits 0
Samba
added 2016/12/19 • 532 views

Samba NDR Parsing ndr_pull_dnsp_name Heap-based Buffer

Description: The Samba routine ndr_pull_dnsp_name contains an integer wrap problem, leading to an attacker-controlled memory overwrite. ndr_pull_dnsp_name parses data from the Samba Active Directory ldb database. Any user who can write to the dnsRecord attribute over LDAP can trigger this memory...

CVSS 8.8 • AI score 0.8 • EPSS 0.00863 • Exploits 0
Samba
added 2016/07/07 • 533 views

Client side SMB2/3 required signing can be downgraded

Description: It's possible for an attacker to downgrade the required signing for an SMB2/3 client connection, by injecting the SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL flags. This means that the attacker can impersonate a server being connected to by Samba, and return malicious results. The...

CVSS 7.5 • AI score 0.8 • EPSS 0.01142 • Exploits 0
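The flags live in the SESSION_SETUP response, which arrives before any session key exists, so nothing authenticates them; a man-in-the-middle can set IS_GUEST or IS_NULL and a client that reacts by switching signing off has handed over the very protection it required. The example below is an added illustration, not Samba's client code: it parses the response body (MS-SMB2 2.2.6 layout), shows the downgradable decision beside the hardened one that treats "signing required but session cannot be signed" as a connection failure, and exercises both on constructed responses.

```python
"""Client-side handling of the SMB2 SESSION_SETUP response flags.  A guest or
anonymous session has no signing key, so a response carrying
SMB2_SESSION_FLAG_IS_GUEST or SMB2_SESSION_FLAG_IS_NULL cannot satisfy a client
that requires signing; a man-in-the-middle can set those flags, since nothing
authenticates the response before a session key exists.  Added example, not
Samba's client code; the responses are constructed here."""

import struct

SMB2_SESSION_FLAG_IS_GUEST = 0x0001
SMB2_SESSION_FLAG_IS_NULL = 0x0002
SMB2_SESSION_FLAG_ENCRYPT_DATA = 0x0004
UNSIGNED_SESSION = SMB2_SESSION_FLAG_IS_GUEST | SMB2_SESSION_FLAG_IS_NULL

# SMB2 SESSION_SETUP Response body (MS-SMB2 2.2.6), little-endian:
#   StructureSize(2) = 9, SessionFlags(2), SecurityBufferOffset(2),
#   SecurityBufferLength(2), then the security buffer
RESPONSE_FMT = "<HHHH"
SMB2_HEADER_LEN = 64


class SessionSetupError(Exception):
    pass


def build_response(flags, security_blob=b""):
    """Constructed response body as the client sees it after the 64-byte header."""
    return struct.pack(RESPONSE_FMT, 9, flags, SMB2_HEADER_LEN + 8, len(security_blob)) + security_blob


def parse_session_flags(body):
    if len(body) < struct.calcsize(RESPONSE_FMT):
        raise SessionSetupError("short SESSION_SETUP response")
    size, flags, _offset, _length = struct.unpack_from(RESPONSE_FMT, body, 0)
    if size != 9:
        raise SessionSetupError(f"unexpected StructureSize {size}")
    return flags


def decide_signing_downgradable(flags, signing_required):
    """Pre-fix logic: a guest/null flag simply turns signing off, so the flag
    alone is enough to strip the protection the client asked for."""
    if flags & UNSIGNED_SESSION:
        return False
    return signing_required


def decide_signing_hardened(flags, signing_required):
    """Fixed logic: when signing is required, a session that cannot be signed
    is an error, not a downgrade."""
    if flags & UNSIGNED_SESSION:
        if signing_required:
            raise SessionSetupError("guest/anonymous session returned but signing is required")
        return False
    return signing_required


def session_outcome(body, signing_required, decide):
    """'signed', 'unsigned' or 'refused' for a given response and policy."""
    try:
        return "signed" if decide(parse_session_flags(body), signing_required) else "unsigned"
    except SessionSetupError:
        return "refused"
```

The same reasoning applies to any "the server says this session is weaker than you asked for" signal received before authentication completes: the only safe response to an unauthenticated downgrade is to fail closed.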
Samba
added 2016/04/12 • 406 views

SAMR and LSA man in the middle attacks possible

Description: The Security Account Manager Remote Protocol (MS-SAMR) and the Local Security Authority Domain Policy Remote Protocol (MS-LSAD) are both vulnerable to man in the middle attacks. Both are application level protocols based on the generic DCE 1.1 Remote Procedure Call (DCERPC) protocol. These protocols ar...

CVSS 6.8 • AI score 2.3 • EPSS 0.78522 • Exploits 0
Samba
added 2016/04/12 • 564 views

NETLOGON Spoofing Vulnerability.

Description: It's basically the same as CVE-2015-0005 for Windows: The NETLOGON service in Microsoft Windows Server 2003 SP2, Windows Server 2008 SP2 and R2 SP1, and Windows Server 2012 Gold and R2, when a Domain Controller is configured, allows remote attackers to spoof the computer name of a...

CVSS 6.3 • AI score 0.5 • EPSS 0.02808 • Exploits 2
Samba
added 2016/04/12 • 551 views

Multiple errors in DCE-RPC code.

Description: Versions of Samba from 3.6.0 to 4.4.0 inclusive are vulnerable to denial of service attacks (crashes and high CPU consumption) in the DCE-RPC client and server implementations. In addition, errors in validation of the DCE-RPC packets can lead to a downgrade of a secure connection to an...

CVSS 5.9 • AI score 7.9 • EPSS 0.21108 • Exploits 0

Total number of security vulnerabilities: 174