Bug 1014442 (CVE-2016-2126)

Summary: VUL-0: CVE-2016-2126: samba: denial of service due to a client triggered crash in the winbindd parent
Product: [Novell Products] SUSE Security Incidents
Reporter: Marcus Meissner <meissner>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: jmcdonough, meissner, scabrero
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
  CVSSv2:SUSE:CVE-2016-2126:2.3:(AV:A/AC:M/Au:S/C:N/I:N/A:P)
  CVSSv2:RedHat:CVE-2016-2126:2.3:(AV:A/AC:M/Au:S/C:N/I:N/A:P)
  CVSSv3:RedHat:CVE-2016-2126:3.5:(AV:A/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L)
  CVSSv3:NVD:CVE-2016-2126:6.5:(AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H)
  CVSSv2:NVD:CVE-2016-2126:4.0:(AV:N/AC:L/Au:S/C:N/I:N/A:P)
  maint:released:sle10-sp3:63872
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Swamp Workflow Management 2016-12-08 23:00:52 UTC
bugbot adjusting priority
Comment 2 Marcus Meissner 2016-12-09 14:25:39 UTC
CRD: 2016-12-19
Comment 5 Marcus Meissner 2016-12-19 10:03:29 UTC
https://www.samba.org/samba/security/CVE-2016-2126.html



=================================================================================
== Subject:     Flaws in Kerberos PAC validation can trigger privilege elevation.
==
== CVE ID#:     CVE-2016-2126
==
== Versions:    Samba 4.0.0 to 4.5.2
==
== Summary:     A remote, authenticated, attacker can cause the winbindd process
==              to crash using a legitimate Kerberos ticket due to incorrect
==              handling of the PAC checksum.
==
==              A local service with access to the winbindd privileged pipe can
==              cause winbindd to cache elevated access permissions.
==
=================================================================================

===========
Description
===========

The winbindd part of Samba offers verification and unpacking of the
PAC (Privilege Attribute Certificate) received via Kerberos. When
parsing the PAC, winbindd may write beyond the allocated buffer,
however the data involved is from the server private key and so not
user-controlled.

Additionally, by selecting an unkeyed checksum, user privileges may be
elevated by storage of more privileged SID values into the
samlogon_cache.tdb.

There are two methods of remote access to the exploitable code paths:

 - An external service using the WBC_AUTH_USER_LEVEL_PAC level of the
   wbcAuthenticateUserEx() and wbcCtxAuthenticateUserEx() functions of
   the libwbclient library. NFS Ganesha is one known external
   consumer.

 - Samba itself after releases 4.4.7 and 4.5.1 when not acting as an
   AD DC.

For the remote attack, the memory overwrite kills the main winbindd
process and an authenticated attacker can construct this situation
by watching for password changes in Samba.

One specific trigger occurs when winbindd changes its machine account
password and the client has still a valid Kerberos ticket (that was
encrypted with the old password).

The unkeyed checksum issue is understood not to be remotely
exploitable because the libkrb5 library used by Samba and NFS Ganesha
will have already checked the PAC checksum, and so will have confirmed
that it is 'keyed'. It is also limited to local processes that have
access to the winbindd_privileged socket.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  https://www.samba.org/samba/security/

Additionally, Samba 4.5.3, 4.4.8 and 4.3.13 have been issued as
security releases to correct the defect. Samba vendors and
administrators running affected versions are advised to upgrade or
apply the patch as soon as possible.

==========
Workaround
==========

None.

Using "machine password timeout = 0" will prevent the bug being
triggered accidentally when the machine password is changed.

=======
Credits
=======

This vulnerability was discovered by Volker Lendecke and researched by
Stefan Metzmacher both of SerNet (https://samba.plus) and the Samba
Team (https://www.samba.org). Stefan Metzmacher also provides the
fixes.
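As an added illustration (not Samba's code and not the fix that shipped), the following Python models the check the advisory describes as missing: before SIDs carried in a PAC are written to a samlogon cache, the PAC's server checksum type is compared against an allow-list of keyed Kerberos checksum types (type numbers from the RFC 3961 and RFC 4757 registries), and anything unkeyed or unknown is refused. The names `PacSignatureInfo`, `SamlogonCache` and `cache_pac_sids`, and the sample SIDs, are constructed for this example.

```python
# Added example, not Samba's code: a keyed-checksum gate for PAC server
# signatures. Checksum type numbers are the Kerberos checksum type registry
# values from RFC 3961 and RFC 4757. All PAC records below are constructed
# sample data, not captured tickets.
from dataclasses import dataclass, field

# Keyed checksum types: computing them requires the service's long-term key
# (or a key derived from it), so a valid one proves the KDC/service issued it.
KEYED_CHECKSUM_TYPES = {
    3: "rsa-md4-des",
    4: "des-mac",
    5: "des-mac-k",
    6: "rsa-md4-des-k",
    8: "rsa-md5-des",
    9: "rsa-md5-des3",
    12: "hmac-sha1-des3-kd",
    13: "hmac-sha1-des3",
    15: "hmac-sha1-96-aes128",
    16: "hmac-sha1-96-aes256",
    -138: "hmac-md5 (RC4, RFC 4757)",
}

# Unkeyed types: anyone can compute these over arbitrary PAC contents, so they
# prove nothing about who produced the PAC. Kept only for diagnostic messages;
# the gate is allow-list based, so an unknown type is rejected as well.
UNKEYED_CHECKSUM_TYPES = {1: "crc32", 2: "rsa-md4", 7: "rsa-md5", 10: "sha1", 14: "sha1"}


def is_keyed_checksum(cksumtype: int) -> bool:
    """True only for checksum types on the keyed allow-list (deny by default)."""
    return cksumtype in KEYED_CHECKSUM_TYPES


@dataclass
class PacSignatureInfo:
    """Constructed stand-in for the fields a PAC parser would hand over."""
    cksumtype: int      # checksum type from the PAC's server signature buffer
    sids: list          # group SIDs the PAC claims for the user


@dataclass
class SamlogonCache:
    """Constructed stand-in for samlogon_cache.tdb: user -> cached SIDs."""
    entries: dict = field(default_factory=dict)


def cache_pac_sids(cache: SamlogonCache, user: str, pac: PacSignatureInfo):
    """Store the PAC's SIDs only if its server signature used a keyed checksum.

    Returns (accepted, reason). Nothing is cached on rejection, so an unkeyed
    PAC cannot raise the privileges recorded for `user`.
    """
    if not is_keyed_checksum(pac.cksumtype):
        name = UNKEYED_CHECKSUM_TYPES.get(pac.cksumtype, "unknown")
        return False, (f"rejected PAC for {user}: server checksum type "
                       f"{pac.cksumtype} ({name}) is not keyed")
    cache.entries[user] = list(pac.sids)
    return True, (f"cached {len(pac.sids)} SIDs for {user} "
                  f"({KEYED_CHECKSUM_TYPES[pac.cksumtype]})")


def demo() -> dict:
    """Run the gate over two constructed PACs and return what was cached."""
    cache = SamlogonCache()
    # Constructed: an AES256-signed PAC listing an ordinary group SID.
    cache_pac_sids(cache, "alice", PacSignatureInfo(16, ["S-1-5-21-1-2-3-1105"]))
    # Constructed: a CRC32-"signed" PAC; its SIDs must never reach the cache.
    cache_pac_sids(cache, "bob", PacSignatureInfo(1, ["S-1-5-21-1-2-3-512"]))
    return cache.entries


if __name__ == "__main__":
    for user, sids in demo().items():
        print(user, sids)
```

The allow-list shape matters: a check written as "reject CRC32" would silently admit the next unkeyed or unrecognised type, whereas refusing everything not known to be keyed fails closed. The advisory notes that libkrb5 already performs this check on the remote path; the gate above stands in for the local, privileged-pipe path where that assurance did not exist.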
Comment 6 Bernhard Wiedemann 2016-12-19 17:01:00 UTC
This is an autogenerated message for OBS integration:
This bug (1014442) was mentioned in
https://build.opensuse.org/request/show/447040 Factory / samba
Comment 7 Swamp Workflow Management 2016-12-27 16:08:22 UTC
SUSE-SU-2016:3271-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1009085,1014437,1014441,1014442
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.4.2-31.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.4.2-31.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.4.2-31.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-31.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.4.2-31.1
Comment 8 Swamp Workflow Management 2016-12-27 16:09:35 UTC
SUSE-SU-2016:3272-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1001203,1009085,1014437,1014441,1014442,975299,986675,991564,994500,997833
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Software Development Kit 12-SP1 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Server 12-SP1 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.2.4-28.3.1
SUSE Linux Enterprise Desktop 12-SP1 (src):    samba-4.2.4-28.3.1
Comment 9 Swamp Workflow Management 2016-12-29 23:10:50 UTC
SUSE-SU-2016:3298-1: An update that solves two vulnerabilities and has four fixes is now available.

Category: security (moderate)
Bug References: 1003731,1009711,1014441,1014442,993692,997833
CVE References: CVE-2016-2125,CVE-2016-2126
Sources used:
SUSE OpenStack Cloud 5 (src):    samba-3.6.3-84.1, samba-doc-3.6.3-84.1
SUSE Manager Proxy 2.1 (src):    samba-3.6.3-84.1, samba-doc-3.6.3-84.1
SUSE Manager 2.1 (src):    samba-3.6.3-84.1, samba-doc-3.6.3-84.1
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-84.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-84.1, samba-doc-3.6.3-84.1
SUSE Linux Enterprise Server 11-SP3-LTSS (src):    samba-3.6.3-84.1, samba-doc-3.6.3-84.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    samba-3.6.3-84.1, samba-doc-3.6.3-84.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-84.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-84.1
Comment 10 Swamp Workflow Management 2016-12-29 23:12:21 UTC
SUSE-SU-2016:3299-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1001203,1009085,1014437,1014441,1014442,975299,986675,991564,994500,997833
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
SUSE Linux Enterprise Server for SAP 12 (src):    samba-4.2.4-18.30.1
SUSE Linux Enterprise Server 12-LTSS (src):    samba-4.2.4-18.30.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.30.1
Comment 11 Swamp Workflow Management 2016-12-29 23:14:21 UTC
SUSE-SU-2016:3300-1: An update that solves two vulnerabilities and has 6 fixes is now available.

Category: security (moderate)
Bug References: 1003731,1009711,1014441,1014442,975131,978898,993692,997833
CVE References: CVE-2016-2125,CVE-2016-2126
Sources used:
SUSE Linux Enterprise Server 11-SP2-LTSS (src):    samba-3.6.3-56.1, samba-doc-3.6.3-56.1
SUSE Linux Enterprise Debuginfo 11-SP2 (src):    samba-3.6.3-56.1
Comment 12 James McDonough 2017-01-03 21:01:36 UTC
done
Comment 13 Swamp Workflow Management 2017-01-04 16:08:26 UTC
openSUSE-SU-2017:0020-1: An update that solves three vulnerabilities and has 7 fixes is now available.

Category: security (moderate)
Bug References: 1001203,1009085,1014437,1014441,1014442,975299,986675,991564,994500,997833
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
openSUSE Leap 42.1 (src):    samba-4.2.4-24.1
Comment 14 Swamp Workflow Management 2017-01-04 16:10:12 UTC
openSUSE-SU-2017:0021-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1009085,1014437,1014441,1014442
CVE References: CVE-2016-2123,CVE-2016-2125,CVE-2016-2126
Sources used:
openSUSE Leap 42.2 (src):    samba-4.4.2-9.1
Comment 16 Swamp Workflow Management 2017-09-21 14:13:06 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2017-10-05.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/63871
Comment 18 Marcus Meissner 2017-10-18 12:24:06 UTC
all released, thanks!