[Pkg-samba-maint] Partial mitigations for the Nov Samba CVEs

Salvatore Bonaccorso carnil at debian.org
Mon Nov 22 14:01:39 GMT 2021


Hi Andrew,

On Mon, Nov 22, 2021 at 05:28:10PM +1300, Andrew Bartlett wrote:
> G'Day Debian Developers and potentially other folks packaging Samba.
> 
> A number of distributions have rightly been reluctant, particularly
> given my warnings, to backport the patches for our recent issues to
> older versions.  While a monster patch was generated for Samba 4.10,
> Samba 4.9 and earlier only support Python 2, and the modern testsuite
> validating these changes is written targeting Python 3.6.
> 
> Regardless, I've put some thought into what would be the barest of
> minimal steps to mitigate the worst of the Samba CVEs issued recently:
> 
> https://bugzilla.samba.org/show_bug.cgi?id=14564#c16
> https://bugzilla.samba.org/show_bug.cgi?id=14561#c31
> 
> In short, for the cases where a full backport is not possible, it would
> be good to at least take these patches from
> https://bugzilla.samba.org/show_bug.cgi?id=14725
> 
> 
> CVE-2020-25722 Ensure the structural objectclass cannot be changed
> 
> CVE-2020-25722 dsdb: Restrict the setting of privileged attributes
> during LDAP add/modify
> 
> The "CVE-2020-25722 Ensure the structural objectclass cannot be
> changed" patch is, for the AD DC, the bit that changes this from "any
> user can become domain admin" (really horrible) to "semi-privileged
> users become domain admin" (bad, but not horrible), and is quite
> isolated in terms of backport conflicts.
> 
> I would note that for CVE-2020-25717 [SECURITY] A user on the domain
> can become root on domain members
> https://bugzilla.samba.org/show_bug.cgi?id=14556
> 
> Backports have been made to many, many versions.  This also includes
> the patch:
> 
> CVE-2020-25717: auth/gensec: always require a PAC in domain mode (DC or
> member)
> 
> That is very helpful on the AD DC for CVE-2020-25719, but there is
> still much more to fix that issue if unprivileged users can create
> other users.

Thank you for helping identify the bare minimum to pick. I'm working on
this for Debian (for buster) and based on the above I have test
packages at:

https://people.debian.org/~carnil/tmp/samba/2021-11-09/

(they are not signed! So, for anyone reading this: they should not be
considered production ready)

What is still missing with that: the above referenced update would
still require admins of the setups described in
https://www.samba.org/samba/security/CVE-2020-25717.html to apply the
'username map' and 'username map script'. So a followup in the form of
https://bugzilla.samba.org/show_bug.cgi?id=14901 for 4.9 as well would
be good to have (help on that part is much appreciated as well, if
possible).

I see there are patches for 4.10, so I will try to take your patches
for 4.9.

Regards,
Salvatore