SB2018112809 - Multiple vulnerabilities in Samba

Description

This security bulletin contains information about 5 secuirty vulnerabilities.

1) Double-free error (CVE-ID: CVE-2018-16841)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to Samba's KDC will call talloc_free() twice on the same memory if the principal in a validly signed certificate does not match the principal in the AS-REQ when configured to accept smart-card authentication. A remote attacker can trigger double-free with talloc_free() and directly calls abort() and cause the KDC process to crash.

2) NULL pointer dereference (CVE-ID: CVE-2018-16851)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to the entries are cached in a single memory object with a maximum size of 256MB during the processing of an LDAP search before Samba's AD DC returns the LDAP entries to the client. A remote attacker can trigger NULL pointer dereference in the LDAP service when this size is reached and cause the process to crash.

3) Denial of service (CVE-ID: CVE-2018-16853)

The vulnerability allows a remote authenticated attacker to cause DoS condition.

The vulnerability exists due to use of experimental MIT Kerberos build of the Samba AD DC. A remote attacker can crash the KDC when Samba is built in the non-default MIT Kerberos configuration.

4) NULL pointer dereference (CVE-ID: CVE-2018-16852)

The vulnerability allows a remote authenticated high-privileged attacker to cause DoS condition.

The vulnerability exists due to an error in the internal DNS server or the Samba DLZ plugin for BIND9 during the processing of an DNS zone in the DNS management DCE/RPC server if the DSPROPERTY_ZONE_MASTER_SERVERS property or DSPROPERTY_ZONE_SCAVENGING_SERVERS property is set. A remote attacker can NULL pointer dereference and cause the service to crash.

5) Security restrictions bypass (CVE-ID: CVE-2018-16857)

The vulnerability allows a remote attacker to bypass security restrictions.

The vulnerability exists due to AD DC configurations watching for bad passwords (to restrict brute forcing of passwords) in a window of more than 3 minutes may not watch for bad passwords at all. A remote attacker can bypass security restrictions and modify arbitrary data.

Remediation

Install update from vendor's website.

References

• https://www.samba.org/samba/security/CVE-2018-16841.html
• https://www.samba.org/samba/security/CVE-2018-16851.html
• https://www.samba.org/samba/security/CVE-2018-16853.html
• https://www.samba.org/samba/security/CVE-2018-16852.html
• https://www.samba.org/samba/security/CVE-2018-16857.html