[Pkg-samba-maint] Partial mitigations for the Nov Samba CVEs
Andrew Bartlett
abartlet at samba.org
Mon Nov 22 04:28:10 GMT 2021
G'Day Debian Developers and potentially other folks packaging Samba.
A number of distributions have rightly been reluctant, particularly
given my warnings, to backport what patches for our recent issues to
older versions. While a monster patch was generated for Samba 4.10,
Samba 4.9 and earlier only support Python2 and the modern testsuite
validating these changes is written targeting Python 3.6.
Regardless I've put some thought into what would be the barest of
minimal steps to mitigate the worst of the Samba CVEs issued recently
https://bugzilla.samba.org/show_bug.cgi?id=14564#c16
https://bugzilla.samba.org/show_bug.cgi?id=14561#c31
In short, for the cases where a full backport is not possible, it would
be good to at least take these patches from
https://bugzilla.samba.org/show_bug.cgi?id=14725
CVE-2020-25722 Ensure the structural objectclass cannot be changed
CVE-2020-25722 dsdb: Restrict the setting of privileged attributes
during LDAP add/modify
The "CVE-2020-25722 Ensure the structural objectclass cannot be
changed" patch is for the AD DC the bit that changes this from "any
user can become domain admin" (really horrible) to "semi-privileged
users become domain admin" (bad, but not horrible), and is quite
isolated in terms of backport conflicts.
I would note that for CVE-2020-25717 [SECURITY] A user on the domain
can become root on domain members
https://bugzilla.samba.org/show_bug.cgi?id=14556
Backports have been made to many, many versions. This also includes
the patch:
CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or
member)
That is very helpful on the AD DC for CVE-2020-25719, but there is
still much more to fix that issue if unprivileged users can create
other users.
I hope this helps,
Andrew Bartlett
--
Andrew Bartlett (he/him) https://samba.org/~abartlet/
Samba Team Member (since 2001) https://samba.org
Samba Team Lead, Catalyst IT https://catalyst.net.nz/services/samba
Samba Development and Support, Catalyst IT - Expert Open Source
Solutions
More information about the Pkg-samba-maint
mailing list