Bug 1184677 (CVE-2021-20254)

Summary: VUL-0: CVE-2021-20254: samba: Negative idmap cache entries can cause incorrect group entries in the Samba file server process token
Product: [Novell Products] SUSE Security Incidents Reporter: Robert Frohl <rfrohl>
Component: IncidentsAssignee: Novell Samba Team <samba>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium CC: nopower
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/281719
Whiteboard: CVSSv3.1:SUSE:CVE-2021-20254:7.1:(AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Comment 19 Robert Frohl 2021-04-29 10:20:07 UTC
public:

                   ==============================
                   Release Notes for Samba 4.14.4
                           April 29, 2021
                   ==============================


This is a security release in order to address the following defect:

o CVE-2021-20254: Negative idmap cache entries can cause incorrect group entries
  in the Samba file server process token.


=======
Details
=======

o  CVE-2021-20254:
   The Samba smbd file server must map Windows group identities (SIDs) into unix
   group ids (gids). The code that performs this had a flaw that could allow it
   to read data beyond the end of the array in the case where a negative cache
   entry had been added to the mapping cache. This could cause the calling code
   to return those values into the process token that stores the group
   membership for a user.

   Most commonly this flaw caused the calling code to crash, but an alert user
   (Peter Eriksson, IT Department, Linköping University) found this flaw by
   noticing an unprivileged user was able to delete a file within a network
   share that they should have been disallowed access to.

   Analysis of the code paths has not allowed us to discover a way for a
   remote user to be able to trigger this flaw reproducibly or on demand,
   but this CVE has been issued out of an abundance of caution.


Changes since 4.14.3
--------------------

o  Volker Lendecke <vl@samba.org>
   * BUG 14571: CVE-2021-20254: Fix buffer overrun in sids_to_unixids().


https://www.samba.org/samba/history/samba-4.14.4.html
Comment 20 Swamp Workflow Management 2021-04-29 16:15:44 UTC
SUSE-SU-2021:14709-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1178469,1184677
CVE References: CVE-2021-20254
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 11-SP4-LTSS (src):    samba-3.6.3-94.34.1, samba-doc-3.6.3-94.34.1
SUSE Linux Enterprise Point of Sale 11-SP3 (src):    samba-3.6.3-94.34.1, samba-doc-3.6.3-94.34.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-94.34.1
SUSE Linux Enterprise Debuginfo 11-SP3 (src):    samba-3.6.3-94.34.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 21 Swamp Workflow Management 2021-04-29 16:16:57 UTC
SUSE-SU-2021:1438-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1178469,1179156,1184677
CVE References: CVE-2021-20254
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    samba-4.10.18+git.269.dd608524c88-3.27.1
SUSE Linux Enterprise Server 12-SP5 (src):    samba-4.10.18+git.269.dd608524c88-3.27.1
SUSE Linux Enterprise High Availability 12-SP5 (src):    samba-4.10.18+git.269.dd608524c88-3.27.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 22 Swamp Workflow Management 2021-04-29 16:18:02 UTC
SUSE-SU-2021:1439-1: An update that solves one vulnerability and has one errata is now available.

Category: security (important)
Bug References: 1178469,1184677
CVE References: CVE-2021-20254
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (src):    samba-4.4.2-38.42.1
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (src):    samba-4.4.2-38.42.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.4.2-38.42.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 23 Swamp Workflow Management 2021-04-29 16:19:18 UTC
SUSE-SU-2021:1440-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1182830,1183572,1183574,1184677,14571
CVE References: CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
JIRA References: 
Sources used:
SUSE Enterprise Storage 7 (src):    ldb-2.2.1-4.3.1, samba-4.13.6+git.211.555d60b24ba-3.9.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 24 Swamp Workflow Management 2021-04-29 16:20:20 UTC
SUSE-SU-2021:1442-1: An update that fixes one vulnerability is now available.

Category: security (important)
Bug References: 1184677
CVE References: CVE-2021-20254
JIRA References: 
Sources used:
SUSE Linux Enterprise Server 12-SP2-LTSS-SAP (src):    samba-4.2.4-28.39.1
SUSE Linux Enterprise Server 12-SP2-LTSS-ERICSSON (src):    samba-4.2.4-28.39.1
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.2.4-28.39.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 25 Swamp Workflow Management 2021-04-29 19:16:02 UTC
SUSE-SU-2021:1444-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1178469,1179156,1183572,1183574,1184310,1184677
CVE References: CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP2 (src):    samba-4.11.14+git.247.8c858f7ee14-4.19.1
SUSE Linux Enterprise Module for Basesystem 15-SP2 (src):    samba-4.11.14+git.247.8c858f7ee14-4.19.1
SUSE Linux Enterprise High Availability 15-SP2 (src):    samba-4.11.14+git.247.8c858f7ee14-4.19.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 26 Swamp Workflow Management 2021-04-29 19:18:19 UTC
SUSE-SU-2021:1445-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1178469,1179156,1184677
CVE References: CVE-2021-20254
JIRA References: 
Sources used:
SUSE Linux Enterprise Server for SAP 15 (src):    samba-4.7.11+git.316.432f0218290-4.54.1
SUSE Linux Enterprise Server 15-LTSS (src):    samba-4.7.11+git.316.432f0218290-4.54.1
SUSE Linux Enterprise High Performance Computing 15-LTSS (src):    samba-4.7.11+git.316.432f0218290-4.54.1
SUSE Linux Enterprise High Performance Computing 15-ESPOS (src):    samba-4.7.11+git.316.432f0218290-4.54.1
SUSE Linux Enterprise High Availability 15 (src):    samba-4.7.11+git.316.432f0218290-4.54.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 27 Swamp Workflow Management 2021-05-01 01:29:50 UTC
openSUSE-SU-2021:0636-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1178469,1179156,1183572,1183574,1184310,1184677
CVE References: CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    samba-4.11.14+git.247.8c858f7ee14-lp152.3.19.1
Comment 28 Swamp Workflow Management 2021-05-04 19:18:11 UTC
SUSE-SU-2021:1492-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (important)
Bug References: 1178469,1179156,1184677
CVE References: CVE-2021-20254
JIRA References: 
Sources used:
SUSE OpenStack Cloud Crowbar 9 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE OpenStack Cloud Crowbar 8 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE OpenStack Cloud 9 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE OpenStack Cloud 8 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE Linux Enterprise Server for SAP 12-SP4 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE Linux Enterprise Server for SAP 12-SP3 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE Linux Enterprise Server 12-SP4-LTSS (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE Linux Enterprise Server 12-SP3-LTSS (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE Linux Enterprise Server 12-SP3-BCL (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE Linux Enterprise High Availability 12-SP4 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1
HPE Helion Openstack 8 (src):    samba-4.6.16+git.282.cfafed5922a-3.61.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 29 Swamp Workflow Management 2021-05-04 19:19:47 UTC
SUSE-SU-2021:1498-1: An update that solves three vulnerabilities and has three fixes is now available.

Category: security (important)
Bug References: 1178469,1179156,1183572,1183574,1184310,1184677
CVE References: CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
JIRA References: 
Sources used:
SUSE Manager Server 4.0 (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Manager Retail Branch Server 4.0 (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Manager Proxy 4.0 (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Linux Enterprise Server for SAP 15-SP1 (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Linux Enterprise Server 15-SP1-LTSS (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Linux Enterprise Server 15-SP1-BCL (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Linux Enterprise High Performance Computing 15-SP1-LTSS (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Linux Enterprise High Performance Computing 15-SP1-ESPOS (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Linux Enterprise High Availability 15-SP1 (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE Enterprise Storage 6 (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1
SUSE CaaS Platform 4.0 (src):    samba-4.9.5+git.432.d9b18c4f390-3.50.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 30 Marcus Meissner 2021-08-09 15:22:02 UTC
released
Comment 34 Swamp Workflow Management 2021-09-22 16:17:31 UTC
SUSE-SU-2021:3187-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1182830,1183572,1183574,1184677,1189875
CVE References: CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
JIRA References: 
Sources used:
SUSE Linux Enterprise Module for Python2 15-SP3 (src):    samba-4.13.6+git.211.555d60b24ba-3.7.1
SUSE Linux Enterprise Module for Basesystem 15-SP3 (src):    samba-4.13.6+git.211.555d60b24ba-3.7.1
SUSE Linux Enterprise High Availability 15-SP3 (src):    samba-4.13.6+git.211.555d60b24ba-3.7.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 35 Swamp Workflow Management 2021-09-22 16:25:22 UTC
openSUSE-SU-2021:3187-1: An update that solves three vulnerabilities and has two fixes is now available.

Category: security (important)
Bug References: 1182830,1183572,1183574,1184677,1189875
CVE References: CVE-2020-27840,CVE-2021-20254,CVE-2021-20277
JIRA References: 
Sources used:
openSUSE Leap 15.3 (src):    samba-4.13.6+git.211.555d60b24ba-3.7.1