[v2.2] samba<3.5.15: Incorrect permission checks (CVE-2012-2111) (#1125) · Issues · alpine / aports

[v2.2] samba<3.5.15: Incorrect permission checks (CVE-2012-2111)

Description

Samba versions 3.4.x to 3.6.4 inclusive are affected by a
vulnerability that allows arbitrary users to modify privileges on a
file server.

Security checks were incorrectly applied to the Local Security
Authority (LSA) remote proceedure calls (RPC) CreateAccount,
OpenAccount, AddAccountRights and RemoveAccountRights allowing any
authenticated user to modify the privileges database.

This is a serious error, as it means that authenticated users can
connect to the LSA and grant themselves the “take ownership”
privilege. This privilege is used by the smbd file server to grant the
ability to change ownership of a file or directory which means users
could take ownership of files or directories they do not own.

Patch Availability

Patches addressing this issue have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 3.6.5, Samba 3.5.15 and 3.4.17 have been issued as
security releases to correct the defect. Patches against older Samba
versions are available at:

http://samba.org/samba/patches/

Samba administrators running affected versions are advised to upgrade
to 3.6.5, 3.5.15, or 3.4.17 or apply these patches as soon as
possible.

Workaround

Immediately set the “enable privileges = no” parameter in the [global]
section of the smb.conf. This will prevent any further use of granted
privileges on the file server and protect from compromise.

To remove any incorrectly granted privileges, remove the file:

account_policy.tdb

from your system, and once the patch is applied re-grant specified
user privileges using the “net rpc rights” command.

Credits

This vulnerability was reported by Ivano Cristofolini. Many thanks to
him for reporting this promptly.

Patches were created by Jeremy Allison of the Samba Team, and reviewed
by Guenther Deschner of the Samba Team, the SUSE Security Team, and
Tyler Hicks of Canonical.

Reference

http://www.samba.org/samba/security/CVE-2012-2111

(from redmine: issue id 1125, created on 2012-05-07, closed on 2012-05-09)

Changesets:
- Revision c63fe772 by Natanael Copa on 2012-05-07T08:26:26Z:

main/samba: security upgrade to 3.5.15 (CVE-2012-2111)

fixes #1125

Description
-----------

Samba versions 3.4.x to 3.6.4 inclusive are affected by a  
vulnerability that allows arbitrary users to modify privileges on a  
file server.

Security checks were incorrectly applied to the Local Security  
Authority (LSA) remote proceedure calls (RPC) CreateAccount,  
OpenAccount, AddAccountRights and RemoveAccountRights allowing any  
authenticated user to modify the privileges database.

This is a serious error, as it means that authenticated users can  
connect to the LSA and grant themselves the “take ownership”  
privilege. This privilege is used by the smbd file server to grant the  
ability to change ownership of a file or directory which means users  
could take ownership of files or directories they do not own.

Patch Availability
------------------

Patches addressing this issue have been posted to:

http://www.samba.org/samba/security/

Additionally, Samba 3.6.5, Samba 3.5.15 and 3.4.17 have been issued as  
security releases to correct the defect. Patches against older Samba  
versions are available at:

http://samba.org/samba/patches/

Samba administrators running affected versions are advised to upgrade  
to 3.6.5, 3.5.15, or 3.4.17 or apply these patches as soon as  
possible.

Workaround
----------

Immediately set the “enable privileges = no” parameter in the
\[global\]  
section of the smb.conf. This will prevent any further use of granted  
privileges on the file server and protect from compromise.

To remove any incorrectly granted privileges, remove the file:

account\_policy.tdb

from your system, and once the patch is applied re-grant specified  
user privileges using the “net rpc rights” command.

Credits
-------

This vulnerability was reported by Ivano Cristofolini. Many thanks to  
him for reporting this promptly.

Patches were created by Jeremy Allison of the Samba Team, and reviewed  
by Guenther Deschner of the Samba Team, the SUSE Security Team, and  
Tyler Hicks of Canonical.

Reference
---------

http://www.samba.org/samba/security/CVE-2012-2111

*(from redmine: issue id 1125, created on 2012-05-07, closed on 2012-05-09)*

* Changesets:
  * Revision c63fe772e33d028e961224e40ec25225858206ba by Natanael Copa on 2012-05-07T08:26:26Z:

```
main/samba: security upgrade to 3.5.15 (CVE-2012-2111)

fixes #1125
```

Discussion
Designs