Security update for samba SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2016:1106-1 Final 1 1 2016-04-20T06:12:18Z current 2016-04-20T06:12:18Z 2016-04-20T06:12:18Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z Security update for samba This update fixes these security vulnerabilities: - CVE-2015-5370: DCERPC server and client were vulnerable to DOS and MITM attacks (bsc#936862). - CVE-2016-2110: A man-in-the-middle could have downgraded NTLMSSP authentication (bsc#973031). - CVE-2016-2111: Domain controller netlogon member computer could have been spoofed (bsc#973032). - CVE-2016-2112: LDAP conenctions were vulnerable to downgrade and MITM attack (bsc#973033). - CVE-2016-2113: TLS certificate validation were missing (bsc#973034). - CVE-2016-2114: 'server signing = mandatory' not enforced (bsc#973035). - CVE-2016-2115: Named pipe IPC were vulnerable to MITM attacks (bsc#973036). - CVE-2016-2118: 'Badlock' DCERPC impersonation of authenticated account were possible (bsc#971965). The openSUSE 13.1 update also upgrades to samba 4.2.4 as 4.1.x versions are no longer supported by upstream. As a side effect, libpdb0 package was replaced by libsamba-passdb0. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html E-Mail link for openSUSE-SU-2016:1106-1 https://www.suse.com/support/security/rating/ SUSE Security Ratings ctdb-4.2.4-3.54.2 ctdb-devel-4.2.4-3.54.2 ctdb-pcp-pmda-4.2.4-3.54.2 ctdb-tests-4.2.4-3.54.2 libdcerpc-atsvc-devel-4.2.4-3.54.2 libdcerpc-atsvc0-4.2.4-3.54.2 libdcerpc-atsvc0-32bit-4.2.4-3.54.2 libdcerpc-binding0-4.2.4-3.54.2 libdcerpc-binding0-32bit-4.2.4-3.54.2 libdcerpc-devel-4.2.4-3.54.2 libdcerpc-samr-devel-4.2.4-3.54.2 libdcerpc-samr0-4.2.4-3.54.2 libdcerpc-samr0-32bit-4.2.4-3.54.2 libdcerpc0-4.2.4-3.54.2 libdcerpc0-32bit-4.2.4-3.54.2 libgensec-devel-4.2.4-3.54.2 libgensec0-4.2.4-3.54.2 libgensec0-32bit-4.2.4-3.54.2 libndr-devel-4.2.4-3.54.2 libndr-krb5pac-devel-4.2.4-3.54.2 libndr-krb5pac0-4.2.4-3.54.2 libndr-krb5pac0-32bit-4.2.4-3.54.2 libndr-nbt-devel-4.2.4-3.54.2 libndr-nbt0-4.2.4-3.54.2 libndr-nbt0-32bit-4.2.4-3.54.2 libndr-standard-devel-4.2.4-3.54.2 libndr-standard0-4.2.4-3.54.2 libndr-standard0-32bit-4.2.4-3.54.2 libndr0-4.2.4-3.54.2 libndr0-32bit-4.2.4-3.54.2 libnetapi-devel-4.2.4-3.54.2 libnetapi0-4.2.4-3.54.2 libnetapi0-32bit-4.2.4-3.54.2 libregistry-devel-4.2.4-3.54.2 libregistry0-4.2.4-3.54.2 libregistry0-32bit-4.2.4-3.54.2 libsamba-credentials-devel-4.2.4-3.54.2 libsamba-credentials0-4.2.4-3.54.2 libsamba-credentials0-32bit-4.2.4-3.54.2 libsamba-hostconfig-devel-4.2.4-3.54.2 libsamba-hostconfig0-4.2.4-3.54.2 libsamba-hostconfig0-32bit-4.2.4-3.54.2 libsamba-passdb-devel-4.2.4-3.54.2 libsamba-passdb0-4.2.4-3.54.2 libsamba-passdb0-32bit-4.2.4-3.54.2 libsamba-policy-devel-4.2.4-3.54.2 libsamba-policy0-4.2.4-3.54.2 libsamba-policy0-32bit-4.2.4-3.54.2 libsamba-util-devel-4.2.4-3.54.2 libsamba-util0-4.2.4-3.54.2 libsamba-util0-32bit-4.2.4-3.54.2 libsamdb-devel-4.2.4-3.54.2 libsamdb0-4.2.4-3.54.2 libsamdb0-32bit-4.2.4-3.54.2 libsmbclient-devel-4.2.4-3.54.2 libsmbclient-raw-devel-4.2.4-3.54.2 libsmbclient-raw0-4.2.4-3.54.2 libsmbclient-raw0-32bit-4.2.4-3.54.2 libsmbclient0-4.2.4-3.54.2 libsmbclient0-32bit-4.2.4-3.54.2 libsmbconf-devel-4.2.4-3.54.2 libsmbconf0-4.2.4-3.54.2 libsmbconf0-32bit-4.2.4-3.54.2 libsmbldap-devel-4.2.4-3.54.2 libsmbldap0-4.2.4-3.54.2 libsmbldap0-32bit-4.2.4-3.54.2 libtevent-util-devel-4.2.4-3.54.2 libtevent-util0-4.2.4-3.54.2 libtevent-util0-32bit-4.2.4-3.54.2 libwbclient-devel-4.2.4-3.54.2 libwbclient0-4.2.4-3.54.2 libwbclient0-32bit-4.2.4-3.54.2 samba-4.2.4-3.54.2 samba-32bit-4.2.4-3.54.2 samba-client-4.2.4-3.54.2 samba-client-32bit-4.2.4-3.54.2 samba-core-devel-4.2.4-3.54.2 samba-doc-4.2.4-3.54.2 samba-libs-4.2.4-3.54.2 samba-libs-32bit-4.2.4-3.54.2 samba-pidl-4.2.4-3.54.2 samba-python-4.2.4-3.54.2 samba-test-4.2.4-3.54.2 samba-test-devel-4.2.4-3.54.2 samba-winbind-4.2.4-3.54.2 samba-winbind-32bit-4.2.4-3.54.2 The winbind_name_list_to_sid_string_list function in nsswitch/pam_winbind.c in Samba through 4.1.2 handles invalid require_membership_of group names by accepting authentication by any user, which allows remote authenticated users to bypass intended access restrictions in opportunistic circumstances by leveraging an administrator's pam_winbind configuration-file mistake. CVE-2012-6150 low Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2012-6150.html CVE-2012-6150 https://bugzilla.suse.com/844720 SUSE Bug 844720 https://bugzilla.suse.com/853347 SUSE Bug 853347 Heap-based buffer overflow in the dcerpc_read_ncacn_packet_done function in librpc/rpc/dcerpc_util.c in winbindd in Samba 3.x before 3.6.22, 4.0.x before 4.0.13, and 4.1.x before 4.1.3 allows remote AD domain controllers to execute arbitrary code via an invalid fragment length in a DCE-RPC packet. CVE-2013-4408 important 6.8 AV:A/AC:H/Au:N/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2013-4408.html CVE-2013-4408 https://bugzilla.suse.com/844720 SUSE Bug 844720 https://bugzilla.suse.com/848101 SUSE Bug 848101 https://bugzilla.suse.com/882906 SUSE Bug 882906 Samba 3.x before 3.6.23, 4.0.x before 4.0.16, and 4.1.x before 4.1.6 does not enforce the password-guessing protection mechanism for all interfaces, which makes it easier for remote attackers to obtain access via brute-force ChangePasswordUser2 (1) SAMR or (2) RAP attempts. CVE-2013-4496 moderate Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2013-4496.html CVE-2013-4496 https://bugzilla.suse.com/849224 SUSE Bug 849224 https://bugzilla.suse.com/866844 SUSE Bug 866844 The Netlogon server implementation in smbd in Samba 3.5.x and 3.6.x before 3.6.25, 4.0.x before 4.0.25, 4.1.x before 4.1.17, and 4.2.x before 4.2.0rc5 performs a free operation on an uninitialized stack pointer, which allows remote attackers to execute arbitrary code via crafted Netlogon packets that use the ServerPasswordSet RPC API, as demonstrated by packets reaching the _netr_ServerPasswordSet function in rpc_server/netlogon/srv_netlog_nt.c. CVE-2015-0240 important Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2015-0240.html CVE-2015-0240 https://bugzilla.suse.com/917376 SUSE Bug 917376 vfs.c in smbd in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, when share names with certain substring relationships exist, allows remote attackers to bypass intended file-access restrictions via a symlink that points outside of a share. CVE-2015-5252 moderate 6.8 AV:N/AC:L/Au:S/C:C/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2015-5252.html CVE-2015-5252 https://bugzilla.suse.com/958582 SUSE Bug 958582 Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 supports connections that are encrypted but unsigned, which allows man-in-the-middle attackers to conduct encrypted-to-unencrypted downgrade attacks by modifying the client-server data stream, related to clidfs.c, libsmb_server.c, and smbXcli_base.c. CVE-2015-5296 moderate 3.2 AV:A/AC:H/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2015-5296.html CVE-2015-5296 https://bugzilla.suse.com/1058622 SUSE Bug 1058622 https://bugzilla.suse.com/958584 SUSE Bug 958584 https://bugzilla.suse.com/973031 SUSE Bug 973031 The shadow_copy2_get_shadow_copy_data function in modules/vfs_shadow_copy2.c in Samba 3.x and 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3 does not verify that the DIRECTORY_LIST access right has been granted, which allows remote attackers to access snapshots by visiting a shadow copy directory. CVE-2015-5299 moderate 3.5 AV:N/AC:M/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2015-5299.html CVE-2015-5299 https://bugzilla.suse.com/958583 SUSE Bug 958583 ldb before 1.1.24, as used in the AD LDAP server in Samba 4.x before 4.1.22, 4.2.x before 4.2.7, and 4.3.x before 4.3.3, mishandles string lengths, which allows remote attackers to obtain sensitive information from daemon heap memory by sending crafted packets and then reading (1) an error message or (2) a database value. CVE-2015-5330 moderate 4 AV:N/AC:L/Au:S/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2015-5330.html CVE-2015-5330 https://bugzilla.suse.com/958581 SUSE Bug 958581 https://bugzilla.suse.com/958586 SUSE Bug 958586 Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not properly implement the DCE-RPC layer, which allows remote attackers to perform protocol-downgrade attacks, cause a denial of service (application crash or CPU consumption), or possibly execute arbitrary code on a client system via unspecified vectors. CVE-2015-5370 important 8.5 AV:N/AC:M/Au:S/C:C/I:C/A:C Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2015-5370.html CVE-2015-5370 https://bugzilla.suse.com/936862 SUSE Bug 936862 https://bugzilla.suse.com/975276 SUSE Bug 975276 The SMB1 implementation in smbd in Samba 3.x and 4.x before 4.1.23, 4.2.x before 4.2.9, 4.3.x before 4.3.6, and 4.4.x before 4.4.0rc4 allows remote authenticated users to modify arbitrary ACLs by using a UNIX SMB1 call to create a symlink, and then using a non-UNIX SMB1 call to write to the ACL content. CVE-2015-7560 moderate 4.9 AV:A/AC:M/Au:S/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2015-7560.html CVE-2015-7560 https://bugzilla.suse.com/968222 SUSE Bug 968222 The NTLMSSP authentication implementation in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 allows man-in-the-middle attackers to perform protocol-downgrade attacks by modifying the client-server data stream to remove application-layer flags or encryption settings, as demonstrated by clearing the NTLMSSP_NEGOTIATE_SEAL or NTLMSSP_NEGOTIATE_SIGN option to disrupt LDAP security. CVE-2016-2110 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2016-2110.html CVE-2016-2110 https://bugzilla.suse.com/1009711 SUSE Bug 1009711 https://bugzilla.suse.com/973031 SUSE Bug 973031 https://bugzilla.suse.com/973033 SUSE Bug 973033 https://bugzilla.suse.com/973036 SUSE Bug 973036 https://bugzilla.suse.com/975276 SUSE Bug 975276 The NETLOGON service in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2, when a domain controller is configured, allows remote attackers to spoof the computer name of a secure channel's endpoint, and obtain sensitive session information, by running a crafted application and leveraging the ability to sniff network traffic, a related issue to CVE-2015-0005. CVE-2016-2111 moderate 4.3 AV:N/AC:M/Au:N/C:P/I:N/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2016-2111.html CVE-2016-2111 https://bugzilla.suse.com/973032 SUSE Bug 973032 https://bugzilla.suse.com/975276 SUSE Bug 975276 The bundled LDAP client library in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "client ldap sasl wrapping" setting, which allows man-in-the-middle attackers to perform LDAP protocol-downgrade attacks by modifying the client-server data stream. CVE-2016-2112 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2016-2112.html CVE-2016-2112 https://bugzilla.suse.com/973031 SUSE Bug 973031 https://bugzilla.suse.com/973033 SUSE Bug 973033 https://bugzilla.suse.com/975276 SUSE Bug 975276 Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not verify X.509 certificates from TLS servers, which allows man-in-the-middle attackers to spoof LDAPS and HTTPS servers and obtain sensitive information via a crafted certificate. CVE-2016-2113 moderate 4.3 AV:A/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2016-2113.html CVE-2016-2113 https://bugzilla.suse.com/973031 SUSE Bug 973031 https://bugzilla.suse.com/973033 SUSE Bug 973033 https://bugzilla.suse.com/973034 SUSE Bug 973034 https://bugzilla.suse.com/975276 SUSE Bug 975276 The SMB1 protocol implementation in Samba 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not recognize the "server signing = mandatory" setting, which allows man-in-the-middle attackers to spoof SMB servers by modifying the client-server data stream. CVE-2016-2114 moderate 5.8 AV:N/AC:M/Au:N/C:P/I:P/A:N Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2016-2114.html CVE-2016-2114 https://bugzilla.suse.com/973035 SUSE Bug 973035 Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 does not require SMB signing within a DCERPC session over ncacn_np, which allows man-in-the-middle attackers to spoof SMB clients by modifying the client-server data stream. CVE-2016-2115 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2016-2115.html CVE-2016-2115 https://bugzilla.suse.com/973036 SUSE Bug 973036 https://bugzilla.suse.com/975276 SUSE Bug 975276 The MS-SAMR and MS-LSAD protocol implementations in Samba 3.x and 4.x before 4.2.11, 4.3.x before 4.3.8, and 4.4.x before 4.4.2 mishandle DCERPC connections, which allows man-in-the-middle attackers to perform protocol-downgrade attacks and impersonate users by modifying the client-server data stream, aka "BADLOCK." CVE-2016-2118 moderate 6.8 AV:N/AC:M/Au:N/C:P/I:P/A:P Please Install the update. https://lists.opensuse.org/opensuse-security-announce/2016-04/msg00047.html https://www.suse.com/security/cve/CVE-2016-2118.html CVE-2016-2118 https://bugzilla.suse.com/971965 SUSE Bug 971965 https://bugzilla.suse.com/975276 SUSE Bug 975276