[Pkg-samba-maint] Bug#776993: samba: CVE-2014-8143: Elevation of privilege to Active Directory Domain Controller
Salvatore Bonaccorso
carnil at debian.org
Tue Feb 3 21:08:28 UTC 2015
Source: samba
Version: 2:4.1.13+dfsg-2
Severity: important
Tags: security upstream patch fixed-upstream
Hi Samba maintainers,
I know you are aware of the issue, but filing the bug to cross-reference
BTS and security-tracker.
The following vulnerability was published for samba.
CVE-2014-8143[0]:
| Samba 4.0.x before 4.0.24, 4.1.x before 4.1.16, and 4.2.x before
| 4.2rc4, when an Active Directory Domain Controller (AD DC) is
| configured, allows remote authenticated users to set the LDB
| userAccountControl UF_SERVER_TRUST_ACCOUNT bit, and consequently gain
| privileges, by leveraging delegation of authority for user-account or
| computer-account creation.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2014-8143
[1] https://www.samba.org/samba/security/CVE-2014-8143
[2] https://download.samba.org/pub/samba/patches/security/samba-4.1.15-CVE-2014-8143.patch
I'm not sure about the severity (if it should be RC), since this
actually (only) affects samba installations running as AD Domain
Controller and delegation for the creation of users needs to be
configured.
Regards,
Salvatore
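Added example (not part of the bug report above and not Samba project code): the CVE text describes an attacker with delegated user- or computer-creation rights setting the UF_SERVER_TRUST_ACCOUNT bit (0x2000) in userAccountControl, which is what marks an account as a domain controller. A practical check on an AD DC, whether or not it has been patched, is to look for any account that carries that bit but is not a real DC. The script below decodes userAccountControl and flags such accounts; it runs offline on a small set of constructed directory entries, and the LDAP filter constant is the equivalent query to run against a live directory (the sam.ldb path in the comment is Samba's default private directory and is an assumption about the install).

```python
"""Audit check for CVE-2014-8143-style abuse: find accounts whose
userAccountControl has UF_SERVER_TRUST_ACCOUNT set although they are not
genuine domain controllers.  Added example, not Samba code; the directory
entries in SAMPLE_ENTRIES are constructed for illustration."""

# userAccountControl bits as documented in MS-ADTS / Samba's include/ads.h
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_INTERDOMAIN_TRUST_ACCOUNT = 0x0800
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_SERVER_TRUST_ACCOUNT = 0x2000
UF_DONT_EXPIRE_PASSWD = 0x10000
UF_TRUSTED_FOR_DELEGATION = 0x80000

FLAG_NAMES = {
    UF_ACCOUNTDISABLE: "UF_ACCOUNTDISABLE",
    UF_NORMAL_ACCOUNT: "UF_NORMAL_ACCOUNT",
    UF_INTERDOMAIN_TRUST_ACCOUNT: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    UF_WORKSTATION_TRUST_ACCOUNT: "UF_WORKSTATION_TRUST_ACCOUNT",
    UF_SERVER_TRUST_ACCOUNT: "UF_SERVER_TRUST_ACCOUNT",
    UF_DONT_EXPIRE_PASSWD: "UF_DONT_EXPIRE_PASSWD",
    UF_TRUSTED_FOR_DELEGATION: "UF_TRUSTED_FOR_DELEGATION",
}

# primaryGroupID of real DCs: Domain Controllers (RID 516) and
# Read-only Domain Controllers (RID 521).
DC_PRIMARY_GROUP_RIDS = {516, 521}

# Same check as an LDAP filter for a live directory.  The OID is the
# LDAP_MATCHING_RULE_BIT_AND extended match, so 8192 (= 0x2000) selects
# entries with UF_SERVER_TRUST_ACCOUNT set.  On a Samba DC, for example:
#   ldbsearch -H /var/lib/samba/private/sam.ldb '<filter>' dn primaryGroupID
# (assumed default Samba private directory; adjust for your install).
SUSPECT_FILTER = (
    "(&(userAccountControl:1.2.840.113556.1.4.803:=8192)"
    "(!(primaryGroupID=516))(!(primaryGroupID=521)))"
)

# Constructed sample entries (not from any real directory).
SAMPLE_ENTRIES = [
    {"dn": "CN=DC1,OU=Domain Controllers,DC=example,DC=com",
     "userAccountControl": 0x82000, "primaryGroupID": 516},   # genuine DC
    {"dn": "CN=WS01,CN=Computers,DC=example,DC=com",
     "userAccountControl": 0x1000, "primaryGroupID": 515},    # workstation
    {"dn": "CN=EVIL,CN=Computers,DC=example,DC=com",
     "userAccountControl": 0x2000, "primaryGroupID": 515},    # delegated creator set the bit
    {"dn": "CN=jdoe,CN=Users,DC=example,DC=com",
     "userAccountControl": 0x2200, "primaryGroupID": 513},    # user account with DC bit
    {"dn": "CN=SNEAKY,CN=Computers,DC=example,DC=com",
     "userAccountControl": 0x2000, "primaryGroupID": 516},    # DC group but wrong container
]


def decode_uac(value):
    """Return the names of the set userAccountControl bits, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def is_suspect(entry):
    """True when the entry claims DC status without looking like a DC.

    A real DC has UF_SERVER_TRUST_ACCOUNT, primaryGroupID 516/521 and lives
    under OU=Domain Controllers; any account that has the bit but fails
    either of the other two properties is worth a look."""
    uac = int(entry["userAccountControl"])
    if not uac & UF_SERVER_TRUST_ACCOUNT:
        return False
    pgid = int(entry.get("primaryGroupID", 0))
    in_dc_ou = ",OU=DOMAIN CONTROLLERS," in entry["dn"].upper()
    return pgid not in DC_PRIMARY_GROUP_RIDS or not in_dc_ou


def find_suspects(entries):
    """Return (dn, decoded flags) for every suspect entry, in input order."""
    return [(e["dn"], decode_uac(int(e["userAccountControl"])))
            for e in entries if is_suspect(e)]


if __name__ == "__main__":
    for dn, flags in find_suspects(SAMPLE_ENTRIES):
        print(f"SUSPECT {dn}: {' | '.join(flags)}")
```

On a real DC, run the filter in SUSPECT_FILTER and then confirm each hit against the Domain Controllers container as the script does; a hit that is not a DC you know about is either a misconfiguration or the outcome the CVE describes, and the account's creator and the delegation that allowed it should be reviewed.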