
On March 12th, 2018, Samba developers released a new version that corrects two critical vulnerabilities:
- Denial of Service Attack on external print server
- Authenticated users can change other users’ password
- DOS ATTACK ON EXTERNAL PRINT SERVER
- Affected Version: >= 4.0.0
- CVE: CVE-2018-1050
- Summary: Missing null pointer checks may crash the external print server process
All versions of Samba from 4.0.0 onwards are vulnerable to a denial of service attack when the RPC spoolss service is configured to be run as an external daemon. Missing input sanitization checks on some of the input parameters to spoolss RPC calls could cause the print spooler service to crash.
The vulnerability is of type DoS (Denial of Service) and cannot be exploited in other ways.
If the RPC spoolss service is left by default as an internal service, all a client can do is crash its own authenticated connection.
- AUTHENTICATED USER CAN CHANGE OTHER USERS’ PASSWORD
- Affected Version: > 4.0.0
- CVE: CVE-2018-1057
- Summary: On a Samba 4 AD DC any authenticated user can change other users’ passwords, including the passwords of administrative users and service accounts
On a Samba 4 AD DC, the LDAP server incorrectly validates permissions to modify passwords over LDAP, allowing authenticated users to change any other users’ passwords, including those of administrative users and privileged service accounts such as Domain Controllers.
HOW TO DEFEND YOURSELF
Official patches have been released for both vulnerabilities: Samba Security Releases.
Additionally, Samba 4.7.6, 4.6.14 and 4.5.16 have been issued as security releases to correct the defect.
For previous versions, refer to the patch.
- DOS ATTACK ON EXTERNAL PRINT SERVER
A possible workaround for the DoS attack is to ensure that the parameter rpc_server:spoolss = external is not set in the [global] section of the smb.conf configuration file.
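The two checks above (fixed release, and the spoolss workaround) can be scripted. The following Python is an added example, not code from the Samba project: the function names and the sample configuration are assumptions made for illustration, and the parser does not follow include directives.

```python
import re

# Security releases named in the advisory, keyed by release series.
FIXED = {(4, 7): 6, (4, 6): 14, (4, 5): 16}

def version_status(version):
    """Return 'patched', 'vulnerable' or 'check-patch' for a Samba version string."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    major, minor, patch = map(int, m.groups())
    fixed = FIXED.get((major, minor))
    if fixed is None:  # series not named in the advisory: verify the patch itself
        return "check-patch"
    return "patched" if patch >= fixed else "vulnerable"

def global_params(conf_text):
    """Collect [global] parameters from smb.conf text (does not follow include=)."""
    params, section, pending = {}, None, ""
    for raw in conf_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):            # trailing backslash continues the line
            pending = line[:-1]
            continue
        pending = ""
        if not line or line[0] in "#;":    # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            # Names are compared case-insensitively with whitespace removed.
            params["".join(name.split()).lower()] = value.strip()
    return params

def spoolss_is_external(conf_text):
    """True when the CVE-2018-1050 precondition is configured."""
    return global_params(conf_text).get("rpc_server:spoolss", "").lower() == "external"

# Constructed sample configuration, not taken from a real host.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    ; rpc_server:spoolss = embedded
    RPC_Server:Spoolss = External
"""

if __name__ == "__main__":
    print(spoolss_is_external(SAMPLE_CONF), version_status("4.7.5"))
```

Distribution packages may carry the fix as a backport without changing the upstream version number, so confirm a "vulnerable" result against the package changelog.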
- AUTHENTICATED USER CAN CHANGE OTHER USERS’ PASSWORD
For more information, refer to the official Samba Wiki.