Bug 54015 - samba: Multiple issues (5.0)
Status: CLOSED FIXED
Product: UCS
Classification: Unclassified
Component: Security updates
UCS 5.0
Other Linux
P5 normal
UCS 5.0-1-errata
Assigned To: Arvid Requate
Erik Damrose
Blocks: 54016
Reported: 2021-11-01 14:23 CET by Arvid Requate
Modified: 2022-01-24 10:52 CET
What kind of report is it?: Security Issue
Max CVSS v3 score: 5.9 (CVSS:7.4/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:N/E:P/RL:O/RC:C/CR:M/IR:M/AR:X/MAV:N/MAC:H/MPR:L/MUI:N/MS:C/MC:H/MI:H/MA:N)


Attachments
0001-s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch (2.64 KB, patch)
2022-01-09 17:02 CET, Arvid Requate

Description Arvid Requate univentionstaff 2021-11-01 14:23:05 CET
Security update scheduled for January 10th 2022.

* https://bugzilla.samba.org/show_bug.cgi?id=13979
* https://bugzilla.samba.org/show_bug.cgi?id=14842
Comment 1 Arvid Requate univentionstaff 2021-11-16 19:29:16 CET
We should check https://gitlab.com/samba-team/samba/-/merge_requests/2251 which suggests https://gitlab.com/samba-team/samba/-/merge_requests/2253 as a better approach, to see if we should replace 98_CVE-2020-25717-add-local-nt-token-from-nss.quilt to be closer to upstream.
Comment 2 Arvid Requate univentionstaff 2021-11-22 10:43:19 CET
See https://bugzilla.samba.org/show_bug.cgi?id=14901 for Comment 1
Comment 3 Arvid Requate univentionstaff 2022-01-09 17:02:30 CET
Created attachment 10899
0001-s3-smbd-Fix-mkdir-race-condition-allows-share-escape.patch

The general mitigation is

* UCS 5.0 Samba already defaults to SMB2 as minimum,
  but maybe updated systems or custom settings didn't follow that.
  So we should recommend checking
  testparm -sv --parameter-name="server min protocol"
  and if that returns LANMAN1, then recommend adjusting with
  ucr set samba/min/protocol=SMB2_02; /etc/init.d/samba restart
* Don't export a samba share also via smb
* Don't allow user access to share directories on server side

The latter is already standard of UCS/Samba AD DCs.

For CVE-2021-20316 the upstream (4.15) changes are too invasive to backport.
For CVE-2021-43566 there is a patch that applies to 4.13, see attachment.
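
The "server min protocol" check recommended in comment 3, written out as a script. This is an added example, not part of the bug report or of UCS; the function names, the return codes and the --live switch are assumptions of this example, and the dialect names are the values smb.conf accepts for this parameter.

```shell
#!/bin/sh
# Added example (not UCS or Samba code): classify the value printed by
#   testparm -sv --parameter-name="server min protocol"

# Keep the first word of the last non-empty line and upper-case it.
normalize_protocol() {
    printf '%s\n' "$1" | tr -d '\r' | awk 'NF { v = $1 } END { print toupper(v) }'
}

# Return 0 for SMB2 or newer, 1 for an SMB1-era dialect, 2 for anything else.
min_protocol_status() {
    case "$(normalize_protocol "$1")" in
        SMB2|SMB2_02|SMB2_10|SMB2_22|SMB2_24) return 0 ;;
        SMB3|SMB3_00|SMB3_02|SMB3_10|SMB3_11) return 0 ;;
        CORE|COREPLUS|LANMAN1|LANMAN2|NT1)    return 1 ;;
        *)                                    return 2 ;;
    esac
}

# Print a one-line verdict; the remediation is the command from comment 3.
check_min_protocol() {
    rc=0
    min_protocol_status "$1" || rc=$?
    proto=$(normalize_protocol "$1")
    case $rc in
        0) echo "OK: server min protocol is $proto" ;;
        1) echo "WEAK: server min protocol is $proto;" \
                "run: ucr set samba/min/protocol=SMB2_02; /etc/init.d/samba restart" ;;
        *) echo "UNKNOWN: could not interpret '$proto', check smb.conf manually" ;;
    esac
    return $rc
}

# Query the running configuration only when asked to and testparm is present.
if [ "${1:-}" = "--live" ] && command -v testparm >/dev/null 2>&1; then
    check_min_protocol \
        "$(testparm -sv --parameter-name="server min protocol" 2>/dev/null)"
fi
```

Run with --live on the Samba server; a non-zero exit status means the setting needs attention.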
Comment 4 Erik Damrose univentionstaff 2022-01-10 09:23:53 CET
(In reply to Arvid Requate from comment #3)
> * Don't export a samba share also via smb

The typo is rather significant, it should be
Don't export a samba share also via _NFS_
Comment 5 Arvid Requate univentionstaff 2022-01-10 18:51:42 CET
Yes, right, silly annoying typo, sorry.

I've cherry-picked samba from errata5.0-0 to errata5.0-1
and rebuilt it with that patch. Also I added the additional
recommendations https://help.univention.com/t/19188 to the
advisory.

New patch: 98_CVE-2021-43566.quilt

5667a77da9 | Advisory
6e8b3e9dff | Advisory update
Comment 6 Erik Damrose univentionstaff 2022-01-11 12:07:03 CET
OK: 98_CVE-2021-43566.quilt applied for CVE-2021-43566
OK: CVE-2021-20316 cannot be backported, we will have to update to Samba 4.15 at some point
OK: Help article
OK: yaml
Verified