Samba patches for two security vulnerabilities available
Two critical patches for Samba have been released. The patches address vulnerabilities that could allow unprivileged remote hackers to launch a denial of service attack against servers running the software, or allow hackers to change user passwords, including the admin's. Samba is popular free, open source software that allows Windows-based file and print services to be shared across operating systems such as Windows, Linux and UNIX. The first vulnerability allows hackers to launch denial of service attacks on external print servers, according to the Samba security release. According to Samba, the vulnerability impacts all versions of Samba from 4.0.0 onward and stems from missing null pointer checks that may crash the external print server process.
The software is vulnerable when the Remote Procedure Call (RPC) Microsoft Spool Subsystem (spoolss) service is configured to run as an external daemon, a program that runs continuously to handle periodic service requests for systems. RPC is a model for programming in a distributed computing environment that provides transparent communication, so that the client appears to be communicating directly with the server. Typically, spoolss uses RPC as its transport protocol. The vulnerability is due to missing input sanitization checks on some input parameters for spoolss RPC calls. When the service is run as an external daemon, this could cause the background print spooler program to crash, which impacts the handling of print file transfers to a printer.
There is no known vulnerability associated with this error, only a denial of service. If the RPC spoolss service is left by default as an internal service, all a client can do is crash its own authenticated connection. Samba has released a patch addressing this issue in versions 4.7.6, 4.6.14 and 4.5.16. The vulnerability was first discovered by Synopsys' Defensics intelligent fuzz testing tool.
The password vulnerability, on the other hand, exists in all versions of Samba from 4.0.0 onward. The vulnerability allows authenticated users to change other users' passwords: permissions are validated incorrectly, so users can change the passwords of other users, including administrative users and privileged service accounts, over the Lightweight Directory Access Protocol (LDAP) server on a Samba 4 Active Directory (AD) domain controller. LDAP is a directory service protocol that runs on a layer above the TCP/IP stack, providing a mechanism used to connect to, search and modify internet directories. The LDAP server incorrectly validates certain LDAP password modifications against the "Change Password" privilege, but then performs a password reset operation. The change password right in AD is an extended object access right with the GUID ab721a53-1e2f-11d0-9819-00aa0040529b.
According to Samba, the vulnerability only impacts the Samba AD domain controller, not the read-only domain controller or the Samba3/NT4-like/classic domain controller. Samba stated that while organizations prepare the update for this vulnerability, they can monitor their directory by keeping watch on the attributes pwdLastSet and msDS-KeyVersionNumber, which will change if a password has been reset. Samba has struggled with an array of vulnerabilities over the past 12 months, including two SMB-related man-in-the-middle bugs enabling attackers to hijack client connections in September, and a vulnerability in May that can be exploited with one line of code and could make way for a wormable exploit that spreads quickly.
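The monitoring Samba suggests, sketched as an added example (not code from Samba or from the original article): it compares two LDIF exports of user objects taken at different times and reports accounts whose pwdLastSet or msDS-KeyVersionNumber changed. The snapshots, the example.test domain and the function names are constructed for illustration; it is assumed the exports contain those two attributes for each account.

```python
import base64
import re
from datetime import datetime, timedelta, timezone

WATCHED = ("pwdLastSet", "msDS-KeyVersionNumber")  # attributes named in Samba's advice

def parse_ldif(text):
    """Return {dn: {attr: value}} for the watched attributes of each LDIF entry."""
    text = re.sub(r"\r?\n ", "", text)             # unfold continuation lines
    entries = {}
    for block in re.split(r"\r?\n\s*\n", text):    # blank lines separate entries
        record = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            if attr not in ("dn",) + WATCHED:
                continue
            if value.startswith(":"):              # "attr:: <base64>" encoding
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            record[attr] = value.strip()
        if "dn" in record:
            entries[record.pop("dn")] = record
    return entries

def filetime_to_utc(value):
    """pwdLastSet counts 100 ns ticks since 1601-01-01 UTC; 0 or absent gives None."""
    if not value or value == "0":
        return None
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=int(value) // 10)

def password_changes(before_ldif, after_ldif):
    """List (dn, changed attributes, new pwdLastSet as UTC) for accounts that differ."""
    before, after = parse_ldif(before_ldif), parse_ldif(after_ldif)
    findings = []
    for dn in sorted(set(before) & set(after)):    # only accounts present in the baseline
        changed = [a for a in WATCHED if before[dn].get(a) != after[dn].get(a)]
        if changed:
            findings.append((dn, changed, filetime_to_utc(after[dn].get("pwdLastSet"))))
    return findings

# Constructed sample snapshots (example.test is a placeholder domain, not real data).
BEFORE = """dn: CN=Administrator,CN=Users,DC=example,DC=test
pwdLastSet: 131552864000000000
msDS-KeyVersionNumber: 3

dn: CN=alice,CN=Users,DC=example,DC=test
pwdLastSet: 131600000000000000
msDS-KeyVersionNumber: 2
"""
AFTER = BEFORE.replace("131552864000000000", "131652864000000000").replace(
    "msDS-KeyVersionNumber: 3", "msDS-KeyVersionNumber: 4")
```

Each finding still has to be matched against known, legitimate password changes for that account; the comparison only shows that the attributes moved between the two exports.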