Bug 1081741 - (CVE-2018-1050) VUL-0: CVE-2018-1050: samba: Codenomicon crashes in spoolss server code.
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Component: Incidents
Priority: P3 - Medium, Severity: Normal
Assigned To: The 'Opening Windows to a Wider World' guys
Security Team bot
https://smash.suse.de/issue/200472/
CVSSv3:SUSE:CVE-2018-1050:6.5:(AV:A/A...
Reported: 2018-02-20 12:01 UTC by Marcus Meissner
Modified: 2018-10-18 16:41 UTC

Comment 5 Marcus Meissner 2018-03-05 06:24:11 UTC
CRD: 2018-03-13   was announced in the bug.
Comment 6 James McDonough 2018-03-05 16:18:00 UTC
submissions have been made to SLE12, SLE12SP1, SLE12SP2.

SLE12SP3 is still coming.
Comment 8 James McDonough 2018-03-07 12:26:32 UTC
SLE12SP3 submitted.  Requires tevent and talloc updates, which have also been submitted.
Comment 12 Marcus Meissner 2018-03-13 09:57:45 UTC
is public

https://www.samba.org/samba/security/CVE-2018-1050.html


CVE-2018-1050.html

====================================================================
== Subject:     Denial of Service Attack on external print server.
==
== CVE ID#:     CVE-2018-1050
==
== Versions:    All versions of Samba from 4.0.0 onwards.
==
== Summary:     Missing null pointer checks may crash the external
==              print server process.
==
====================================================================

===========
Description
===========

All versions of Samba from 4.0.0 onwards are vulnerable to a denial of
service attack when the RPC spoolss service is configured to be run as
an external daemon. Missing input sanitization checks on some of the
input parameters to spoolss RPC calls could cause the print spooler
service to crash.

There is no known vulnerability associated with this error, merely a
denial of service. If the RPC spoolss service is left by default as an
internal service, all a client can do is crash its own authenticated
connection.

==================
Patch Availability
==================

A patch addressing this defect has been posted to

  http://www.samba.org/samba/security/

Additionally, Samba 4.7.6, 4.6.14 and 4.5.16 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at http://samba.org/samba/patches/. Samba
vendors and administrators running affected versions are advised to
upgrade or apply the patch as soon as possible.

==========
Workaround
==========

Ensure the parameter:

rpc_server:spoolss = external

is not set in the [global] section of your smb.conf.

=======
Credits
=======

This problem was found by the Synopsys Defensics intelligent fuzz
testing tool.  Jeremy Allison of Google and the Samba Team provided
the fix.
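
Added example (not part of the Samba advisory or of this bug's comments): one way to audit an smb.conf for the workaround condition above. The function names and the sample configuration are constructed for illustration; name matching follows the smb.conf(5) rule that case and whitespace in section and parameter names are irrelevant, the value is compared case-insensitively as a conservative assumption, and files pulled in via "include" are not followed.

```python
import re

# Constructed sample, not a real configuration.
CONSTRUCTED_SMB_CONF = """\
# print server test host
[Global]
   workgroup = EXAMPLE
   RPC_Server : SpoolSS = External
[printers]
   path = /var/spool/samba
"""


def _normalize(name):
    # smb.conf(5): case and whitespace in section/parameter names are irrelevant.
    return re.sub(r"\s+", "", name).lower()


def spoolss_mode(conf_text):
    """Return the last rpc_server:spoolss value set in [global], or None."""
    section, value, pending = None, None, ""
    for raw in conf_text.splitlines():
        stripped = raw.strip()
        # Comment lines are skipped before continuation handling, so a
        # trailing backslash on a comment cannot hide the next line.
        if not pending and (not stripped or stripped[0] in "#;"):
            continue
        line = pending + stripped
        if line.endswith("\\"):  # backslash continues onto the next line
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("[") and line.endswith("]"):
            section = _normalize(line[1:-1])
            continue
        name, sep, val = line.partition("=")
        if sep and section == "global" and _normalize(name) == "rpc_server:spoolss":
            value = val.strip()  # a later assignment overrides an earlier one
    return value


def workaround_in_place(conf_text):
    """True when [global] does not set rpc_server:spoolss to external."""
    mode = spoolss_mode(conf_text)
    return mode is None or mode.lower() != "external"


if __name__ == "__main__":
    print("spoolss mode:", spoolss_mode(CONSTRUCTED_SMB_CONF))
    print("workaround in place:", workaround_in_place(CONSTRUCTED_SMB_CONF))
```

To check a live host, pass the contents of its smb.conf to workaround_in_place() and review any included files separately.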
Comment 13 Swamp Workflow Management 2018-03-21 14:09:14 UTC
SUSE-SU-2018:0754-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1069666,1081741,1084191
CVE References: CVE-2018-1050
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    samba-4.6.13+git.72.2a684235f41-3.21.3, talloc-2.1.10-3.3.2, tevent-0.9.34-3.3.2
SUSE Linux Enterprise Server 12-SP3 (src):    samba-4.6.13+git.72.2a684235f41-3.21.3, talloc-2.1.10-3.3.2, tevent-0.9.34-3.3.2
SUSE Linux Enterprise High Availability 12-SP3 (src):    samba-4.6.13+git.72.2a684235f41-3.21.3
SUSE Linux Enterprise Desktop 12-SP3 (src):    samba-4.6.13+git.72.2a684235f41-3.21.3, talloc-2.1.10-3.3.2, tevent-0.9.34-3.3.2
SUSE Enterprise Storage 5 (src):    samba-4.6.13+git.72.2a684235f41-3.21.3
Comment 14 Swamp Workflow Management 2018-03-22 14:10:22 UTC
SUSE-SU-2018:0774-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1081741
CVE References: CVE-2018-1050
Sources used:
SUSE Linux Enterprise Software Development Kit 11-SP4 (src):    samba-3.6.3-94.11.1
SUSE Linux Enterprise Server 11-SP4 (src):    samba-3.6.3-94.11.1, samba-doc-3.6.3-94.11.1
SUSE Linux Enterprise Debuginfo 11-SP4 (src):    samba-3.6.3-94.11.1
Comment 15 Swamp Workflow Management 2018-03-23 23:11:51 UTC
openSUSE-SU-2018:0801-1: An update that solves one vulnerability and has two fixes is now available.

Category: security (moderate)
Bug References: 1069666,1081741,1084191
CVE References: CVE-2018-1050
Sources used:
openSUSE Leap 42.3 (src):    samba-4.6.13+git.72.2a684235f41-12.1, talloc-2.1.10-2.3.1, talloc-man-2.1.10-2.3.1, tevent-0.9.34-2.3.1, tevent-man-0.9.34-2.3.1
Comment 16 Swamp Workflow Management 2018-03-27 19:11:00 UTC
SUSE-SU-2018:0832-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1081741
CVE References: CVE-2018-1050
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP2 (src):    samba-4.4.2-38.17.1
SUSE Linux Enterprise Server for Raspberry Pi 12-SP2 (src):    samba-4.4.2-38.17.1
SUSE Linux Enterprise Server 12-SP2 (src):    samba-4.4.2-38.17.1
SUSE Linux Enterprise High Availability 12-SP2 (src):    samba-4.4.2-38.17.1
SUSE Linux Enterprise Desktop 12-SP2 (src):    samba-4.4.2-38.17.1
Comment 17 James McDonough 2018-03-27 19:56:25 UTC
are we done?
Comment 18 Marcus Meissner 2018-03-28 06:28:25 UTC
yes
Comment 20 Swamp Workflow Management 2018-08-14 16:09:24 UTC
SUSE-SU-2018:2321-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (important)
Bug References: 1027593,1060427,1063008,1081741,1103411
CVE References: CVE-2017-14746,CVE-2017-15275,CVE-2018-1050,CVE-2018-10858
Sources used:
SUSE Linux Enterprise Server 12-LTSS (src):    samba-4.2.4-18.49.1
SUSE Linux Enterprise High Availability 12 (src):    samba-4.2.4-18.49.1
Comment 21 Swamp Workflow Management 2018-08-16 07:12:45 UTC
SUSE-SU-2018:2339-1: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1081741,1103411
CVE References: CVE-2018-1050,CVE-2018-10858
Sources used:
SUSE OpenStack Cloud 7 (src):    samba-4.2.4-28.29.1
SUSE Linux Enterprise Server for SAP 12-SP2 (src):    samba-4.2.4-28.29.1
SUSE Linux Enterprise Server for SAP 12-SP1 (src):    samba-4.2.4-28.29.1
SUSE Linux Enterprise Server 12-SP2-LTSS (src):    samba-4.2.4-28.29.1
SUSE Linux Enterprise Server 12-SP1-LTSS (src):    samba-4.2.4-28.29.1
SUSE Linux Enterprise High Availability 12-SP1 (src):    samba-4.2.4-28.29.1
SUSE Enterprise Storage 4 (src):    samba-4.2.4-28.29.1
Comment 22 Swamp Workflow Management 2018-10-18 16:41:44 UTC
SUSE-SU-2018:2339-2: An update that fixes two vulnerabilities is now available.

Category: security (moderate)
Bug References: 1081741,1103411
CVE References: CVE-2018-1050,CVE-2018-10858
Sources used:
SUSE Linux Enterprise Server 12-SP2-BCL (src):    samba-4.2.4-28.29.1