Samba 4 Vulnerability


On March 12th 2018, the Samba developers released a new version that corrects two critical vulnerabilities:

 

  • DOS ATTACK ON EXTERNAL PRINT SERVER
    • Affected Version: >= 4.0.0
    • CVE: CVE-2018-1050
    • Summary: Missing null pointer checks may crash the external print server process

 

All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.

The vulnerability is of type DoS (Denial of Service) and cannot be exploited in other ways.

If the RPC spoolss service is left by default as an internal service, all a client can do is crash its own authenticated connection.

 

  • AUTHENTICATED USER CAN CHANGE OTHER USER’S PASSWORD
    • Affected Version: > 4.0.0
    • CVE: CVE-2018-1057
    • Summary: On a Samba 4 AD DC any authenticated user can change other users’ passwords, including the passwords of administrative users and service accounts

 

On a Samba 4 AD DC, the LDAP server incorrectly validates permissions to modify passwords over LDAP, allowing authenticated users to change any other users’ passwords, including those of administrative users and privileged service accounts such as Domain Controllers.

 

HOW TO DEFEND YOURSELF

An official patch has been released for both vulnerabilities: Security Samba Releases.

Additionally, Samba 4.7.6, 4.6.14 and 4.5.16 have been issued as security releases to correct the defect.

For previous versions, refer to the patch.

 

  • DOS ATTACK ON EXTERNAL PRINT SERVER

A possible workaround for the DoS attack is to ensure that the parameter rpc_server:spoolss = external is not set in the [global] section of the smb.conf configuration file.
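
A check for the two mitigations above, as an added example that is not part of the original advisory or Samba's own code: it reads smb.conf text for an effective rpc_server:spoolss = external in [global] and compares an upstream version string with the fixed releases listed on this page. The function names and the sample configuration are constructed for illustration; treating lines before the first section header as global is an assumption.

```python
import re

# Fixed releases named on this page, keyed by (major, minor) release branch.
FIXED = {(4, 7): 6, (4, 6): 14, (4, 5): 16}

def _norm(name):
    """smb.conf(5): case and whitespace in section/parameter names are ignored."""
    return re.sub(r"\s+", "", name).lower()

def spoolss_mode(conf_text):
    """Return the effective [global] rpc_server:spoolss value, or None if unset."""
    section, value, pending = "global", None, ""  # assumption: pre-section lines are global
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":  # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = _norm(line[1:-1])
            continue
        key, sep, val = line.partition("=")
        if sep and section == "global" and _norm(key) == "rpc_server:spoolss":
            value = val.strip().lower()  # a later assignment overrides an earlier one
    return value

def patch_status(version):
    """Classify an upstream version string: 'fixed', 'vulnerable' or 'unlisted'."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    if (major, minor) not in FIXED:
        return "unlisted"                # branch not named on the page: see the patch
    return "fixed" if patch >= FIXED[(major, minor)] else "vulnerable"

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
[global]
   workgroup = EXAMPLE
   RPC_Server:Spoolss = External
[printers]
   rpc_server:spoolss = embedded
"""

if __name__ == "__main__":
    print(spoolss_mode(SAMPLE), patch_status("4.6.12"))
```

Distribution packages can carry backported fixes under an older upstream version number, so a "vulnerable" result from patch_status is a prompt to check the package changelog.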

 

  • AUTHENTICATED USER CAN CHANGE OTHER USERS’ PASSWORD

For more information, refer to the official Samba Wiki.

 
