CVE-2016-2126: Samba - Security Announcement Archive
Samba versions 4.0.0 up to 4.5.2 are vulnerable to privilege elevation due to incorrect handling of the PAC (Privilege Attribute Certificate) checksum. A remote, authenticated attacker can cause the winbindd process to crash using a legitimate Kerberos ticket. A local service with access to the winbindd privileged pipe can cause winbindd to cache elevated access permissions.
=================================================================================
== Subject:     Flaws in Kerberos PAC validation can trigger privilege
==              elevation.
==
== CVE ID#:     CVE-2016-2126
==
== Versions:    Samba 4.0.0 to 4.5.2
==
== Summary:     A remote, authenticated attacker can cause the winbindd
==              process to crash using a legitimate Kerberos ticket due to
==              incorrect handling of the PAC checksum.
==
==              A local service with access to the winbindd privileged pipe
==              can cause winbindd to cache elevated access permissions.
=================================================================================

===========
Description
===========
The winbindd part of Samba offers verification and unpacking of the PAC (Privilege Attribute Certificate) received via Kerberos. When parsing the PAC, winbindd may write beyond the allocated buffer; the data written, however, is derived from the server's private key and is therefore not user-controlled.

Additionally, a caller that selects an unkeyed checksum type (one that anybody can compute without the service key) can have more privileged SID values stored into samlogon_cache.tdb, elevating the user's privileges on later logons served from that cache.
There are two methods of remote access to the exploitable code paths:

 - An external service using the WBC_AUTH_USER_LEVEL_PAC level of the wbcAuthenticateUserEx() and wbcCtxAuthenticateUserEx() functions of the libwbclient library. NFS Ganesha is one known external consumer.

 - Samba itself after releases 4.4.7 and 4.5.1 when not acting as an AD DC.
For the remote attack, the memory overwrite kills the main winbindd process and an authenticated attacker can construct this situation by watching for password changes in Samba.
One specific trigger occurs when winbindd changes its machine account password while the client still holds a valid Kerberos ticket (one that was encrypted with the old password).

The unkeyed checksum issue is understood not to be remotely exploitable because the libkrb5 library used by Samba and NFS Ganesha will have already checked the PAC checksum, and so will have confirmed that it is 'keyed'. It is also limited to local processes that have access to the winbindd_privileged socket.
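The unkeyed-checksum issue can be made concrete with a small model. The following Python is an added example written for this page, not Samba's code: it models server-checksum verification of a PAC before the fix (the checksum type is whatever the PAC says it is) and after it (only keyed checksum types are accepted), implements the RFC 4757 HMAC-MD5 checksum used with RC4-HMAC keys, and uses a toy dictionary as a stand-in for samlogon_cache.tdb to show how an accepted forgery ends up cached. The PAC layout, the SIDs, the service key and the use of plain CRC-32 for the unkeyed type are constructed assumptions, not Samba's or MS-PAC's wire format.

```python
"""Added example (not Samba code): why PAC checksum types must be keyed."""
import hashlib
import hmac
import struct
import zlib
from dataclasses import dataclass

# Kerberos checksum type numbers from the RFC 3961 / 3962 / 4757 registries.
CKSUMTYPE_CRC32 = 1                 # unkeyed
CKSUMTYPE_RSA_MD5 = 7               # unkeyed
CKSUMTYPE_SHA1 = 14                 # unkeyed
CKSUMTYPE_HMAC_SHA1_96_AES128 = 15  # keyed
CKSUMTYPE_HMAC_SHA1_96_AES256 = 16  # keyed
CKSUMTYPE_HMAC_MD5 = -138           # keyed (RC4-HMAC)

# Only a checksum that depends on the service key proves the KDC issued the PAC.
KEYED_CKSUMTYPES = frozenset({CKSUMTYPE_HMAC_MD5,
                              CKSUMTYPE_HMAC_SHA1_96_AES128,
                              CKSUMTYPE_HMAC_SHA1_96_AES256})

KERB_NON_KERB_CKSUM_SALT = 17  # key usage number for PAC signatures (MS-PAC 2.8)


@dataclass
class ToyPac:
    """Toy stand-in for a PAC (assumption: real PACs are NDR-encoded)."""
    sids: list
    cksumtype: int
    server_checksum: bytes

    def body(self):
        # Bytes covered by the signature. A real PAC zeroes the signature
        # fields in place; the toy simply leaves them out of the body.
        return b"\0".join(s.encode() for s in self.sids)


def hmac_md5_checksum(key, usage, data):
    """RFC 4757 section 4 HMAC-MD5 checksum over data for the given key usage."""
    ksign = hmac.new(key, b"signaturekey\x00", hashlib.md5).digest()
    tmp = hashlib.md5(struct.pack("<I", usage) + data).digest()
    return hmac.new(ksign, tmp, hashlib.md5).digest()


def compute_checksum(cksumtype, key, data):
    """Compute the requested checksum type; the unkeyed type ignores the key."""
    if cksumtype == CKSUMTYPE_HMAC_MD5:
        return hmac_md5_checksum(key, KERB_NON_KERB_CKSUM_SALT, data)
    if cksumtype == CKSUMTYPE_CRC32:
        # Plain CRC-32 stands in for the Kerberos CRC-32 variant (assumption).
        return struct.pack("<I", zlib.crc32(data) & 0xFFFFFFFF)
    raise NotImplementedError(f"cksumtype {cksumtype} not modelled here")


def verify_pac_vulnerable(pac, service_key):
    """Pre-fix behaviour: trust the checksum type carried in the PAC itself."""
    expected = compute_checksum(pac.cksumtype, service_key, pac.body())
    return hmac.compare_digest(expected, pac.server_checksum)


def verify_pac_fixed(pac, service_key):
    """Post-fix behaviour: reject any checksum type that is not keyed."""
    if pac.cksumtype not in KEYED_CKSUMTYPES:
        return False
    expected = compute_checksum(pac.cksumtype, service_key, pac.body())
    return hmac.compare_digest(expected, pac.server_checksum)


def cache_logon(pac, service_key, verify, cache):
    """Toy samlogon cache: the SIDs are stored only if verify() accepts the PAC."""
    if verify(pac, service_key):
        cache[pac.sids[0]] = list(pac.sids)   # keyed by the user's own SID
        return True
    return False


SERVICE_KEY = bytes(range(16))          # constructed machine-account key
DOMAIN = "S-1-5-21-1000-2000-3000"      # constructed domain SID
USER_SID = DOMAIN + "-1104"
DOMAIN_ADMINS = DOMAIN + "-512"


def kdc_issued_pac(sids, key=SERVICE_KEY):
    """A legitimate PAC: keyed HMAC-MD5 over the body with the service key."""
    pac = ToyPac(sids, CKSUMTYPE_HMAC_MD5, b"")
    pac.server_checksum = compute_checksum(CKSUMTYPE_HMAC_MD5, key, pac.body())
    return pac


def forged_pac(sids):
    """What a local caller without the service key can produce: CRC-32 only."""
    pac = ToyPac(sids, CKSUMTYPE_CRC32, b"")
    pac.server_checksum = compute_checksum(CKSUMTYPE_CRC32, b"", pac.body())
    return pac


def demo():
    genuine = kdc_issued_pac([USER_SID])
    forged = forged_pac([USER_SID, DOMAIN_ADMINS])
    vuln_cache, fixed_cache = {}, {}
    results = {
        "genuine_vuln": cache_logon(genuine, SERVICE_KEY, verify_pac_vulnerable, vuln_cache),
        "forged_vuln": cache_logon(forged, SERVICE_KEY, verify_pac_vulnerable, vuln_cache),
        "genuine_fixed": cache_logon(genuine, SERVICE_KEY, verify_pac_fixed, fixed_cache),
        "forged_fixed": cache_logon(forged, SERVICE_KEY, verify_pac_fixed, fixed_cache),
    }
    results["vuln_cache_has_admin"] = DOMAIN_ADMINS in vuln_cache.get(USER_SID, [])
    results["fixed_cache_has_admin"] = DOMAIN_ADMINS in fixed_cache.get(USER_SID, [])
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In the pre-fix path the forged PAC verifies because CRC-32 needs no key, and the Domain Admins SID lands in the cache under the user's own SID; in the post-fix path the type check fails before any checksum is computed, so the cache only ever holds what the KDC signed. This is also why the libkrb5 check mentioned above blocks the remote variant: a ticket that reaches winbindd through the library has already had its checksum type confirmed as keyed.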
==================
Patch Availability
==================
A patch addressing this defect has been posted to
https://www.samba.org/samba/security/
Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as security releases to correct the defect. Samba vendors and administrators running affected versions are advised to upgrade or apply the patch as soon as possible.
==========
Workaround
==========

None that removes the underlying defect.

Setting "machine password timeout = 0" in smb.conf, which stops winbindd from rotating the machine account password automatically, will prevent the crash from being triggered accidentally when the machine password would otherwise be changed.
=======
Credits
=======

This vulnerability was discovered by Volker Lendecke and researched by Stefan Metzmacher, both of SerNet (https://samba.plus) and the Samba Team (https://www.samba.org). Stefan Metzmacher also provided the fixes.